CVE-2022-29405: Archiva Documentation – Release Notes for Archiva 2.2.8
In Apache Archiva, any registered user can reset the password of any user. This is fixed in Archiva 2.2.8.
The Apache Archiva team is pleased to announce the release of Archiva 2.2.8. Archiva is available for download from the web site.
Archiva is an application for managing one or more remote repositories, including administration, artifact handling, browsing and searching.
This is a security fix release. Users are advised to update their systems to the new version as soon as possible.
For further information see: https://archiva.apache.org/security.html
If you have any questions, please consult:
- the web site: https://archiva.apache.org/
- the archiva-user mailing list: https://archiva.apache.org/mailing-lists.html
New in Archiva 2.2.8
Apache Archiva 2.2.8 is a security fix release:
Compatibility Changes
- There are no compatibility changes
New Feature
- There are no new features in this release.
Improvements
- There are no improvements
Bug/Security Fix
- CVE-2022-29405 Apache Archiva Arbitrary user password reset vulnerability
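The fix above addresses a missing object-level authorization check on the password-reset operation: the service acted on whatever target username the request named instead of binding the operation to the authenticated caller. The following is an added illustration of that defect class beside its hardened form; it is not Archiva's code, and the user store, the role name "system-administrator" and the function names are assumptions made for the example.

```python
"""Object-level authorization on a password-reset endpoint.

Added example, not Archiva's code. The advisory says any registered user could
reset any user's password, which is the pattern of a service that trusts the
target username in the request without comparing it with the caller. The user
store, the role name "system-administrator" and the function names are
assumptions made for this illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class UserStore:
    """Constructed in-memory user store standing in for a real user manager."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def add(self, name: str, password: str, roles: Iterable[str] = ()) -> None:
        user = User(name, set(roles))
        user.pw_hash = _hash(password, user.salt)
        self.users[name] = user

    def check(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        return user is not None and hmac.compare_digest(user.pw_hash, _hash(password, user.salt))


class AuthorizationError(Exception):
    pass


def reset_password_vulnerable(store: UserStore, caller: str, target: str, new_password: str) -> None:
    """The defect class described by the advisory: the caller is authenticated,
    but the target of the reset comes from the request and is never compared
    with the caller, so any logged-in user can reset anyone's password."""
    if caller not in store.users:
        raise AuthorizationError("caller must be authenticated")
    user = store.users[target]
    user.pw_hash = _hash(new_password, user.salt)


def reset_password_fixed(store: UserStore, caller: str, target: str, new_password: str) -> None:
    """Hardened form: a user may reset only their own password unless they hold
    the administrator role. The decision is taken server-side from the
    authenticated identity, never from a username supplied by the client."""
    if caller not in store.users:
        raise AuthorizationError("caller must be authenticated")
    is_admin = "system-administrator" in store.users[caller].roles  # assumed role name
    if caller != target and not is_admin:
        raise AuthorizationError(f"{caller} is not allowed to reset the password of {target}")
    if target not in store.users:
        raise KeyError(f"unknown user {target}")
    user = store.users[target]
    user.pw_hash = _hash(new_password, user.salt)


def demo() -> Dict[str, bool]:
    """Runs both variants against a constructed user store and reports the outcomes."""
    store = UserStore()
    store.add("alice", "alice-pw")
    store.add("mallory", "mallory-pw")
    store.add("admin", "admin-pw", roles={"system-administrator"})
    results: Dict[str, bool] = {}

    # Vulnerable variant: a plain registered user resets someone else's password.
    reset_password_vulnerable(store, "mallory", "alice", "owned")
    results["vulnerable_allows_cross_user_reset"] = store.check("alice", "owned")

    store.add("alice", "alice-pw")  # restore alice for the hardened run
    try:
        reset_password_fixed(store, "mallory", "alice", "owned")
        results["fixed_blocks_cross_user_reset"] = False
    except AuthorizationError:
        results["fixed_blocks_cross_user_reset"] = store.check("alice", "alice-pw")

    reset_password_fixed(store, "alice", "alice", "alice-new")
    results["fixed_allows_self_reset"] = store.check("alice", "alice-new")
    reset_password_fixed(store, "admin", "alice", "admin-set")
    results["fixed_allows_admin_reset"] = store.check("alice", "admin-set")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check that matters is the comparison between the authenticated caller and the target, made on the server from session state; a client-supplied username is input to be authorized, not a proof of identity. Audit logging of who reset whose password is the detection counterpart of the same control.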
Previous Release Notes
Release Notes for Archiva 2.2.7
Apache Archiva 2.2.7 is a security fix release:
Released: 2022-12-22
Compatibility Changes
- [MRM-2021] There is a new flag ‘literalVersion=true/false’ for the service archivaServices/searchService/artifact which allows changing the behaviour of the v=LATEST search.
New Feature
- There are no new features in this release.
Improvements
- There are no improvements
Bug/Security Fix
- [MRM-2027] Update of the log4j2 version to 2.17.0
- [MRM-2020] Fixed the behaviour of the startup script when ARCHIVA_BASE is set (separating the installation and data directories)
- [MRM-2022] Fixed the handling of the X-XSRF-TOKEN header in JavaScript calls
Release Notes for Archiva 2.2.6
Apache Archiva 2.2.6 is a security fix release:
Released: 2021-12-15
Compatibility Changes
- No API changes or known side effects.
New Feature
- There are no new features in this release.
Improvements
- There are no improvements
Bug/Security Fix
- Update of the log4j2 version to mitigate the log4j2 vulnerability (CVE-2021-44228)
- Deactivated directory listings by the file servlet
Release Notes for Archiva 2.2.5
Apache Archiva 2.2.5 is a bug fix release:
Released: 2020-06-19
Compatibility Changes
- No API changes or known side effects.
New Feature
- There are no new features in this release.
Improvements
- There are no improvements
Bug Fix
- [MRM-2008] Fix for group names with slashes
- Better handling of LDAP filter
Release Notes for Archiva 2.2.4
Apache Archiva 2.2.4 is a bug fix release:
- Fixes for handling of artifacts
- Improved validation of REST calls
Compatibility Changes
No API changes or known side effects.
Released: 2019-04-30
New Feature
- There are no new features in this release.
Improvements
- Adding additional validation to REST service calls for artifact upload
Bug Fix
- [MRM-1972] Stored XSS in Web UI Organization Name
- [MRM-1966] Repository-purge not working
- [MRM-1958] Purge by retention count deletes files but leaves history on website.
- [MRM-1929] Repository purge is not reflected in index
Release Notes for Archiva 2.2.3
New in Archiva 2.2.3
Apache Archiva 2.2.3 is a bug fix release:
- Some fixes for the REST API were added to detect requests from unknown origins
- Some bug fixes were added
Compatibility Changes
The REST services now check the origin of requests by analysing the Origin and Referer headers of the HTTP request and by adding a validation token to the headers. This prevents requests from malicious sites that are open in the same browser. If you use the REST services from other clients, you may change the behaviour with the new configuration properties for the Redback security (rest.csrffilter.*, rest.baseUrl). For more information see Archiva Security Configuration and the Redback REST documentation.
Note: If your Archiva installation is behind a reverse proxy or load balancer, it may happen that the Archiva Web UI does not load after the upgrade. If this is the case, you may access the Web UI via localhost or edit archiva.xml manually. In the “Redback Runtime Configuration” properties you have to enter the base URLs of your Archiva installation in the rest.baseUrl field.
Archiva uses Redback (version 2.6) for authentication and authorization.
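The origin check and validation token described above, as an added example that is not Redback's or Archiva's filter code. It models a request filter that accepts state-changing calls only when the Origin header (or, failing that, the Referer) resolves to one of the configured base URLs and the request carries a token matching the one issued to the browser. The request representation, the double-submit token scheme (cookie XSRF-TOKEN compared with header X-XSRF-TOKEN) and the comma-separated rest.baseUrl format are assumptions made for the example.

```python
"""Origin/Referer and XSRF-token validation for state-changing REST calls.

Added example modelling the behaviour described in the 2.2.3 release notes; it
is not Redback's or Archiva's own filter code. The request representation, the
double-submit token scheme (cookie XSRF-TOKEN matched against header
X-XSRF-TOKEN) and the comma-separated rest.baseUrl format are assumptions.
"""
import hmac
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Methods that do not change state and therefore need no origin check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url: str) -> Optional[str]:
    """Normalise an Origin value, Referer value or configured base URL to
    scheme://host:port so comparisons ignore paths, case and default ports."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # covers "null", relative and malformed values
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric port in the URL
        return None
    return f"{parts.scheme}://{parts.hostname}:{port}"


def parse_base_urls(value: str) -> Set[str]:
    """Assumed rest.baseUrl format: a comma-separated list of base URLs."""
    origins = set()
    for item in value.split(","):
        origin = origin_of(item)
        if origin:
            origins.add(origin)
    return origins


def csrf_check(method: str, headers: Dict[str, str], cookies: Dict[str, str],
               allowed_origins: Set[str]) -> Tuple[bool, str]:
    """Decide whether a request may proceed. Returns (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    hdr = {k.lower(): v for k, v in headers.items()}
    # Browsers send Origin on cross-site POSTs; Referer is the fallback for
    # older clients. A request that carries neither is rejected.
    source = hdr.get("origin") or hdr.get("referer")
    if not source:
        return False, "missing Origin and Referer"
    origin = origin_of(source)
    if origin is None or origin not in allowed_origins:
        return False, f"source {source} is not a configured base URL"
    # Double-submit token: the header value must equal the cookie the server
    # issued; a cross-site page cannot read that cookie, so it cannot forge it.
    token = hdr.get("x-xsrf-token", "")
    cookie = cookies.get("XSRF-TOKEN", "")
    if not token or not hmac.compare_digest(token, cookie):
        return False, "XSRF token missing or mismatched"
    return True, "ok"


if __name__ == "__main__":
    # Constructed configuration and requests for a quick stand-alone run.
    allowed = parse_base_urls("https://archiva.example.org, http://localhost:8080")
    cookies = {"XSRF-TOKEN": "abc123"}
    samples = [
        ("POST", {"Origin": "https://archiva.example.org", "X-XSRF-TOKEN": "abc123"}),
        ("POST", {"Origin": "https://proxy.example.org", "X-XSRF-TOKEN": "abc123"}),
        ("POST", {"Origin": "https://evil.example", "X-XSRF-TOKEN": "abc123"}),
    ]
    for method, headers in samples:
        print(method, headers.get("Origin"), csrf_check(method, headers, cookies, allowed))
```

The second sample shows the situation the note above warns about: when the UI is reached through a reverse proxy under a host that is not listed in rest.baseUrl, legitimate requests from that host are rejected, which is why the proxy's base URL has to be added to the configuration rather than the check being disabled.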
Change List
Released: 2017-05-13
New Feature
Improvement
- [MRM-1925] - Make User-Agent header configurable for HTTP requests
- [MRM-1861], [MRM-1924] - Increasing timeouts for repository check
- [MRM-1937] - Prevent creating initial admin user with wrong name.
- Adding origin header validation checks for REST requests
Bug Fix
- [MRM-1859] - Error upon viewing ‘Artifacts’ tab when browsing an artifact
- [MRM-1874] - Login Dialog triggers multiple events (+messages)
- [MRM-1908] - Logged on users can write any repository
- [MRM-1909] - Remote repository check fails for https://repo.maven.apache.org/maven2
- [MRM-1923] - Fixing bind issue with certain ldap servers, when user not found
- [MRM-1926] - Invalid checksum files in Archiva repository after download from remote repository
- [MRM-1928] - Bad redirect URL when using Archiva through HTTP reverse proxy
- [MRM-1933] - No message body writer has been found for class org.apache.archiva.rest.services.ArchivaRestError
- [MRM-1940] - Slashes appended to remote repo url
Release Notes for Archiva 2.2.1
New in Archiva 2.2.1
Apache Archiva 2.2.1 is a bug fix release:
NOTE: JDK 1.7 is now a prerequisite for Apache Archiva 2.2.1
Compatibility Changes
If using the Cassandra backend, the metadatafacet column ‘key’ has been renamed to ‘facetKey’ in 2.2.0 so you should copy the data to the new column manually. If upgrading from earlier versions of Archiva, the list of libraries in wrapper.conf has changed. If you have customized your copy of wrapper.conf, please update it for compatibility with the version distributed with the current release. As the database storage has been removed, you can remove the JNDI entry for jdbc/archiva.
Refer to the Upgrading Archiva guide for more information.
List of Changes
Improvement
- [MRM-1201] - Artifact upload success message should mention the classifier
- [MRM-1906] - Allowing filtering of LDAP groups
Bug Fix
- [MRM-1873] - archiva doesn’t recognise ldap-group to ldap-users mapping
- [MRM-1877] - Checksum files always recreated
- [MRM-1879] - Bug in create-missing-checksum consumer
- [MRM-1886] - View Artifact Content Action does not Work
- [MRM-1887] - Syntax error in DOAP file release section; wrong bug- database URL
- [MRM-1892] - Only One Page of Proxy Connector Rules Shown
- [MRM-1893] - Please delete old releases from mirroring system
- [MRM-1896] - Invalid link to license
- [MRM-1914] - Maven cannot find dependency
Release Notes for Archiva 2.2.0
New in Archiva 2.2.0
Apache Archiva 2.2.0 is a bug fix release:
NOTE: JDK 1.7 is now a prerequisite for Apache Archiva 2.2.0
Compatibility Changes
If using the Cassandra backend, the metadatafacet column ‘key’ has been renamed to ‘facetKey’ in 2.2.0 so you should copy the data to the new column manually. If upgrading from earlier versions of Archiva, the list of libraries in wrapper.conf has changed. If you have customized your copy of wrapper.conf, please update it for compatibility with the version distributed with the current release. As the database storage has been removed, you can remove the JNDI entry for jdbc/archiva. After upgrading from a previous version, you will have to run a full scan to populate the new JCR Repository. This will be done on first start of Archiva.
Refer to the Upgrading Archiva guide for more information.
List of Changes in Archiva 2.2.0
New Feature
- [MRM-1867] - Adding a find jar by checksum functionality to the REST api
Improvement
- [MRM-1390] - Generic metadata should be searcheable in Archiva search
- [MRM-1844] - Allow LDAP groupOfNames
Bug Fix
- [MRM-770] - Archiva web client does not recognize classifier
- [MRM-813] - Audit log is reporting "Modify File (proxied)" when no proxy connectors exist and the file has not changed
- [MRM-837] - Cannot download SNAPSHOT version
- [MRM-935] - Archiva doesn’t support artifacts with version_SNAPSHOT/version_
- [MRM-1145] - RSS tests do not correctly check responses
- [MRM-1311] - Logging in ArtifactMissingChecksumsConsumer does not appear in the logs even if configured properly
- [MRM-1486] - ldap.config.mapper.attribute.user.filter using ldap not working correctly with commas.
- [MRM-1767] - When selecting a specific repository to browse, I get an error that I don’t have sufficient privileges.
- [MRM-1807] - Archiva wrapper fail to start
- [MRM-1810] - LDAP - groups config not available in Users Runtime Configuration - Properties
- [MRM-1811] - Users - Manage section: pagination needs to change
- [MRM-1846] - Regression in 2.0.1 : uniqueVersion false not supported
- [MRM-1848] - download links for files with multi-dot extensions incorrect in Browse view
- [MRM-1851] - generic metadata GUI broken
- [MRM-1860] - ClassNotFound exception with JBoss
- [MRM-1863] - RepositoryGroup URL is not built using the Application URL
- [MRM-1864] - Default configuration for central should now use SSL
- [MRM-1871] - ConcurrentModificationException in DefaultRepositoryProxyConnectors
- [MRM-1873] - archiva doesn’t recognise ldap-group to ldap-users mapping
Task
- [MRM-1359] - Remove Maven 1.x functionality
- [MRM-1865] - remove isPermanent from Consumer API
History
Archiva was started in November 2005, building a simple framework on top of some existing repository conversion tools within the Maven project. Initial development focused on repository conversion, error reporting, and indexing. From January 2006 a web application was started to visualise the information and to start incorporating functionality from the unmaintained maven-proxy project.
Development continued through many stops and starts. Initial versions of Archiva were built from source by contributors, and the first alpha version was not released until April 2007. Some significant changes were made to improve performance and functionality in June 2007 and over the next 6 months and a series of alpha and beta releases, a concerted effort was made to release the 1.0 version.
Archiva became an Apache “top level project” in March 2008.