Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-32552: Security Advisory for security-bundle-2022-04-04

Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.

CVE
#vulnerability#pdf#log4j#ssh#ssl
  1. Last updated

  2. Save as PDF

  3. Product Specific Resources

  4. Summary

  5. Details

  6. General Mitigation Best Practices

  7. Corrective Action

    1. Option 1: Recommended where applicable. (Please see caveats below)
    2. Option 2:
    3. Option 3:
  8. Severity

  9. Fixed Versions & Mitigation Options

  10. Version Status

  11. Support Escalation - How To Escalate a Case

  12. Acknowledgments

****Product Specific Resources****

****Summary****

On 2022-06-20, Pure Storage released a cumulative patch to remediate four vulnerabilities. The issues described in this bulletin affect only FlashArray and FlashBlade products. No other Pure Storage products or services are affected.

****Details****

  • CVE-2022-32552 describes privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. The Pure PSIRT has assigned a CVSS Base score of 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) to this issue.

  • CVE-2022-32553 describes privilege escalation via the manipulation of environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. The Pure PSIRT has assigned a CVSS Base score of 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) to this issue.

  • CVE-2022-32554 describes possible exposed credentials for accessing the product’s management interface. The password may be known outside Pure Storage and could be used on an affected system, if reachable, to execute arbitrary instructions with root privileges. The Pure PSIRT has assigned a CVSS Base score of 8.1 HIGH (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) to this issue.

  • The remaining issue is the previously developed patch for the Log4Shell incident (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105). If this patch has already been applied on the target, then re-application of the patch has no effect. Please see Pure’s pre-existing security advisory for additional details and CVSS Base scores.

****General Mitigation Best Practices****

Pure Storage recommends following security best practices to minimize the risk of compromise:

  • Use named user accounts. Do not share passwords. Define a password policy

  • Secure “pureuser” login credentials by changing the default password for “pureuser”. Also see information relating to Alert 194 (default password for “pureuser” remains unchanged).

  • Pure Storage strongly encourages the widely-endorsed best practice of highly restricting – if not blocking altogether – Internet access to management interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.

    • Restrict management interfaces to a trusted set of networks. Please see Best practices on restricting public IP addresses. Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).

    • Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) require port 443 (https) to be open to CloudAssist subnet 52.40.255.224/27 for outbound traffic. A firewall will need to permit inbound traffic for the established connection.

  • Closely monitor arrays for abnormal or unexpected workload/ IO spikes or utilization as a leading indicator.

  • Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns.

****Corrective Action****

****Option 1: Recommended where applicable. (Please see caveats below)****

  • Pure1 customers can remediate these flaws via online patch application. The fastest option is to request the “self-serve” opt-in method via Pure1. Please see FlashArray Security Update and FlashBlade Security Update for further information. Please also see the comprehensive FAQ document. The banner for Security Update patching will be available if your array is using a version of Purity that integrates patch fixes, and/or has also been patched for Log4j. Arrays using <//FA Purity lower than 5.3.x, or //FA Purity lower than 3.0.x do not support patch application and must be upgraded to first fixed releases or later. “Dark Site” customers can only remediate these issues via an upgrade to an unaffected Purity release

****Option 2:****

  • Manual Patch application. If you would like one of our engineers to assist you with this issue please call +1(866) 244-7121. If calling from outside the US here is a list of phone numbers: https://support.purestorage.com/Pure1/Support. Arrays using <//FA Purity lower than 5.3.x, or //FA Purity lower than 3.0.x do not support patch application and must be upgraded to first fixed releases or later. “Dark Site” customers can only remediate these issues via an upgrade to an unaffected Purity release. Please see FlashArray Security Update and FlashBlade Security Update for further information

****Option 3:****

  • For FlashArray, the first-fixed releases of Purity that remediate the issues in this bundle are 5.3.18, 6.0.9, 6.1.13, 6.2.4 and 6.3.0.
  • For FlashBlade, the first-fixed Purity releases are 3.1.13, 3.2.5 and 3.3.1.

Note that “first-fixed releases” are the earliest releases in each train that remediate all of the issues; they may not be “recommended releases”. Customers should consult their support organization to determine a recommended release appropriate to their needs and circumstances.

****Severity****

Issue

CVSS Base Score and Vector

CVE-2022-32552

8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2022-32553

8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2022-32554

8.1 HIGH (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Fixed Versions & Mitigation Options

The following methods for applying fixes are available. “+” indicates that later versions in the same release train also contain the fixes.

Product & Method

Fixed Version

Notes

Option 1: FlashArray Self-Service “Opt-In” Patch. Recommended Option

Can be applied to a FlashArray using 5.3.x or later. Prior to 5.3.0 is not supported

Online non-disruptive patch to address all issues identified in the security-bundle-2022-04-04 via Pure1.

For more information, see FlashArray security-bundle-2022-04-04

Option 2: FlashArray Manual Patch (engagement with Pure Storage Technical Support Services)

Can be applied to a FlashArray using 5.3.0 or later. Prior to 5.3.0 is not supported

Manually applied non-disruptive patch to address all issues identified in the security-bundle-2022-04-04 via scheduled appointment with Pure Storage Technical Support staff

For more information, see FlashArray security-bundle-2022-04-04

OPTION 3: FlashArray Purity Upgrade (full software release upgrade). This is the only option for dark sites.

First Fixed Releases

Purity//FA 6.3.0+
Purity//FA 6.2.4+
Purity//FA 6.1.13+
Purity//FA 6.0.9+
Purity//FA 5.3.18+

Online non-disruptive software upgrade addressing the issues in security-bundle-2022-04-04 via scheduled appointment with Pure Storage Technical Support staff

For more information, see FlashArray security-bundle-2022-04-04

Option 1: FlashBlade Self-Service “Opt-In” Patch. Recommended Option

Can be applied to a FlashBlade using 3.0.0 or later. Prior to 3.0.0 is not supported

Online non-disruptive patch to address all issues identified in the security-bundle-2022-04-04 via Pure1.

For more information, see FlashBlade security-bundle-2022-04-04

Option 2: FlashBlade Manual Patch (engagement with Pure Storage Technical Support Services)

Can be applied to a FlashBlade using 3.0.0 or later. Prior to 3.0.0 is not supported

Manually applied non-disruptive patch to address all issues identified in the security-bundle-2022-04-04 via scheduled appointment with Pure Storage Technical Support staff

For more information, see FlashBlade security-bundle-2022-04-04

Option 3: FlashBlade Purity Upgrade (full software release upgrade). This is the only option for dark sites

First Fixed Releases

Purity//FB 3.3.1+
Purity//FB 3.2.5+
Purity//FB 3.1.13+

Online non-disruptive software upgrade addressing the issues in security-bundle-2022-04-04 via scheduled appointment with Pure Storage Technical Support staff

For more information, see FlashBlade security-bundle-2022-04-04

****Version Status****

Product

Affected Versions

First-Fixed Release

FlashArray

Purity//FA 6.2.0 - 6.2.3
Purity//FA 6.1.0 - 6.1.12
Purity//FA 6.0.0 - 6.0.8
Purity//FA 5.3.0 - 5.3.17
Purity//FA 5.2.x and all prior releases

Purity//FA 6.3.0
Purity//FA 6.2.4
Purity//FA 6.1.13
Purity//FA 6.0.9
Purity//FA 5.3.18
(5.2.x and earlier require an upgrade)

FlashBlade

Purity//FB 3.3.0
Purity//FB 3.2.0 - 3.2.4
Purity//FB 3.1.0 - 3.1.12
Purity//FB 3.0.x and all prior releases

Purity//FB 3.3.1
Purity//FB 3.2.5
Purity//FB 3.1.13
(3.0.x and earlier require an upgrade)

****Support Escalation - How To Escalate a Case** **

If you believe that you may have been actively exploited, please call +1(866) 244-7121 and request for a Severity 1 case to be created.

For all other requests for assistance that are not an active Severity 1 / outage/ critical issue, please contact Pure Storage Technical Services for assistance.

If calling from outside the US here is a list of phone numbers: https://support.purestorage.com/Pure1/Support. Pure Storage customers can escalate cases in the following ways:

  • Call Pure Storage Support and ask to speak with the Support Manager on Duty.

  • PHONE (US) +1 (866) 244-7121 or +1 (650) 729-4088

  • PHONE (INTERNATIONAL) support.purestorage.com/pure1/support

  • Click the escalation link on one of the case emails. Every email from Pure Storage Support displays the following question near the bottom, including a dynamic link: “Not satisfied with the handling of this case? Click here to escalate.”

  • In the upper right-hand Pure1 Case Portal, click Escalate:

Please also see: Customer Escalation Procedures for additional information.

Acknowledgments

  • Pure Storage thanks Chris Anders for his collaboration and assistance with resolving these issues.

Back to top

Related news

Old Vulnerability Rated 9.9 Impacts All GNU/Linux Systems, Researcher Claims

A researcher claims to have found a decade-old vulnerability rated 9.9 that affects all GNU/Linux systems, allowing attackers…

How CVSS 4.0 changes (or doesn’t) the way we see vulnerability severity

While distilling risk down to a simple numerical score is helpful for many in the security space, it is also an imperfect system that can often leave out important context.

Gentoo Linux Security Advisory 202310-16

Gentoo Linux Security Advisory 202310-16 - A vulnerability has been discovered in unifi where bundled log4j can facilitate a remote code execution Versions greater than or equal to 6.5.55 are affected.

Cyber Group 'Gold Melody' Selling Compromised Access to Ransomware Attackers

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated

CVE-2023-28864: Chef Infra Server Release Notes

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited”

Categories: Exploits and vulnerabilities Categories: News Tags: Oracle Tags: WebLogic Tags: CVE-2023-21839 Tags: CVE-2023-1389 Tags: CVE-2021-45046 Tags: CISA Tags: reverse shell An easy to exploit vulnerability in Oracle WebLogic Server has been added to the CISA list of things you really, really need to patch. (Read more...) The post Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited” appeared first on Malwarebytes Labs.

CVE-2022-47501: The Apache OFBiz® Project - Security

Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a  pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.

CVE-2023-28069: DSA-2022-258: Dell Streaming Data Platform Security Update for Multiple Third-Party Component Vulnerabilities

Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.

CVE-2023-26462: ThingsBoard Release Notes

ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to the application server or its source code.)

CVE-2022-38775: Security issues

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2022-46769: Apache Sling :: News

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature. Upgrade to Apache Sling App CMS >= 1.1.4

CVE-2022-38765: Canon Medical Software Security Updates

Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.

CVE-2022-38123: Cybersecurity Advisory - Secomea

Improper Input Validation of plugin files in Administrator Interface of Secomea GateManager allows a server administrator to inject code into the GateManager interface. This issue affects: Secomea GateManager versions prior to 10.0.

Quarterly Report: Incident Response Trends in Q3 2022

Ransomware and pre-ransomware engagements make up 40 percent of threats seen this quarter By Caitlin Huey. For the first time since compiling these reports, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter.   It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective. This quarter featured a variety of publicly available tools and scripts hosted on GitHub repositories or other third-party websites to support operations across multiple stages of the attack lifecycle. This activity coincides with a general increase in the use of other dual-use tools, such as the legitimate red-teaming ...

Joint Advisory AA22-279A and Vulristics

Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239105 Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on […]

Chinese APT's favorite vulnerabilities revealed

Categories: Exploits and vulnerabilities Categories: News Tags: Chinese APT Tags: advanced persistent threat Tags: APT Tags: CISA Tags: NSA Tags: FBI Tags: security advisory CISA, the NSA and the FBI have compiled a list of the vulnerabilities targeted by state-sponsorted threat actors from China. (Read more...) The post Chinese APT's favorite vulnerabilities revealed appeared first on Malwarebytes Labs.

CVE-2022-34917: Apache Kafka

A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.

U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked

CVE-2022-34102: Crestron Electronics, Inc.

Insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.

CVE-2020-21642: ManageEngine Analytics Plus | Release Notes

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

MobileIron Log4Shell Remote Command Execution

MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the tomcat user. This Metasploit module will start an LDAP server that the target will need to connect to.

Quarterly Report: Incident Response Trends in Q2 2022

Commodity malware usage surpasses ransomware by narrow margin  By Caitlin Huey. For the first time in more than a year, ransomware was not the top threat Cisco Talos Incident Response (CTIR) responded to this quarter, as commodity malware surpassed ransomware by a narrow margin. This is likely due to several factors, including the closure of several ransomware groups, whether it be of their own volition or the actions of global law enforcement agencies and governments.  Commodity malware was the top observed threat this quarter, a notable development given the general decrease in observations of attacks leveraging commodity trojans in CTIR engagements since 2020. These developments coincide with a general resurgence of certain email-based trojans in recent months, as law enforcement and technology companies have continued to attempt to disrupt and affect email-based malware threats like Emotet and Trickbot. This quarter featured malware such as the Remcos remote access trojan ...

CVE-2022-33923: DSA-2022-159: Dell PowerStore Family Security Update for Multiple Vulnerabilities

Dell PowerStore, versions prior to 3.0.0.0, contains an OS Command Injection vulnerability in PowerStore T environment. A locally authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS command on the PowerStore underlying OS. Exploiting may lead to a system take over by an attacker.

DHS Review Board Deems Log4j an 'Endemic' Cyber Threat

Vulnerability will remain a "significant" threat for years to come and highlighted the need for more public and private sector support for open source software ecosystem, Cyber Safety Review Board says.

Log4Shell Still Being Exploited to Hack VMWare Servers to Exfiltrate Sensitive Data

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks. "Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched,

Avos ransomware group expands with new attack arsenal

By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was... [[ This is only the beginning! Please visit the blog for the complete entry ]]

Avos ransomware group expands with new attack arsenal

By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was... [[ This is only the beginning! Please visit the blog for the complete entry ]]

Avos ransomware group expands with new attack arsenal

By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was... [[ This is only the beginning! Please visit the blog for the complete entry ]]

CVE-2022-33915: ALAS-2022-1601

Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID.

CVE-2022-33915: ALAS-2022-1601

Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID.

CVE-2022-29862: Security - OPC Foundation

An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows a remote attackers to cause the application to hang via a crafted message.

CVE-2022-23712: Security issues

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.

CVE-2022-23712: Security issues

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.

CVE-2022-26869: DSA-2022-014: Dell EMC PowerStore Family Security Update for Multiple Vulnerabilities

Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contains an open port vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure and arbitrary code execution.

EnemyBot Puts Enterprises in the Crosshairs With Raft of '1-Day' Bugs

EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.

EnemyBot Puts Enterprises in the Crosshairs With Raft of '1-Day' Bugs

EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.

CVE-2022-29405: Archiva Documentation – Release Notes for Archiva 2.2.8

In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-29855: Security Advisories

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVE-2022-21496: Oracle Critical Patch Update Advisory - April 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...

CVE-2022-21363: Oracle Critical Patch Update Advisory - January 2022

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

CVE-2021-44548: Solr™ Security News

An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.

CVE-2021-22057: VMSA-2021-0030

VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an authentication bypass vulnerability. A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify.

CVE-2021-45046: security - CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2

Published on: 2021 Dec 11, updated 2022 Apr 6. SUMMARY SUMMARY Microsoft continues our analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the security of our enterprise services and has not experienced any degradation in availability of those services as a result of this vulnerability.

CVE-2021-44228: Log4j – Apache Log4j Security Vulnerabilities

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVE-2021-44228: Log4j – Apache Log4j Security Vulnerabilities

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVE-2021-42117: Release Notes - TopEase Documentation

Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker with Object Modification privileges to insert arbitrary HTML without code execution.

CVE-2021-32002: Cybersecurity Advisory - Secomea

Improper Access Control vulnerability in web service of Secomea SiteManager allows local attacker without credentials to gather network information and configuration of the SiteManager. This issue affects: Secomea SiteManager All versions prior to 9.5 on Hardware.

CVE-2021-32002: Cybersecurity Advisory - Secomea

Improper Access Control vulnerability in web service of Secomea SiteManager allows local attacker without credentials to gather network information and configuration of the SiteManager. This issue affects: Secomea SiteManager All versions prior to 9.5 on Hardware.

CVE-2020-35198: Wind River

An issue was discovered in Wind River VxWorks 7. The memory allocator has a possible integer overflow in calculating a memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

CVE-2020-35198: Wind River

An issue was discovered in Wind River VxWorks 7. The memory allocator has a possible integer overflow in calculating a memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

CVE-2016-8735: Apache Tomcat® - Apache Tomcat 9 vulnerabilities

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907