Headline
Qualys Cloud Agent Arbitrary Code Execution
The Unqork Security team discovered multiple security vulnerabilities in the Qualys Cloud Agent including arbitrary code execution.
CVE-2022-29549 (Arbitrary Code Execution): https://nvd.nist.gov/vuln/detail/CVE-2022-29549
CVE-2022-29550 (Sensitive Information Disclosure): https://nvd.nist.gov/vuln/detail/CVE-2022-29550
Read more:
https://www.unqork.com/resources/unqork-and-qualys-partner-to-resolve-zero-day-vulnerabilities
https://blog.qualys.com/product-tech/2022/08/15/qualys-security-updates-cloud-agent-for-linux
Related news
** DISPUTED ** An issue was discovered in Qualys Cloud Agent 4.8.0-49. It writes "ps auxwwe" output to the /var/log/qualys/qualys-cloud-agent-scan.log file. This may, for example, unexpectedly write credentials (from environment variables) to disk in cleartext. NOTE: there are no common circumstances in which qualys-cloud-agent-scan.log can be read by a user other than root; however, the file contents could be exposed through site-specific operational practices. The vendor does NOT characterize this as a vulnerability because the ps data collection is intentional, and would only capture credentials on a machine that was already affected by the CWE-214 weakness.
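A defender's check for the exposure described above, as an added example that is not part of the original page or of Qualys tooling: it flags secret-looking environment variable names in "ps auxwwe"-style lines without echoing their values, and reports whether the log file is readable beyond its owner. The line layout inside the log, the keyword list, and the sample lines are assumptions constructed for illustration.

```python
import os
import re
import stat

LOG_PATH = "/var/log/qualys/qualys-cloud-agent-scan.log"  # path named in the advisory

# NAME=value tokens as they appear after the command in "ps auxwwe" output.
# The lookbehind skips option syntax such as --name=value and path fragments.
ASSIGNMENT = re.compile(r"(?<![\w=/.-])([A-Za-z_][A-Za-z0-9_]*)=(\S+)")
# Assumed keyword list; tune it to the naming conventions used on your hosts.
KEYWORDS = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|CREDENTIAL", re.I)

# Constructed sample lines (not real log content).
SAMPLE = [
    "USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND",
    "app 4312 0.1 0.5 712344 40212 ? Ssl 09:14 0:02 /usr/bin/python3 worker.py "
    "HOME=/home/app DB_PASSWORD=EXAMPLE-NOT-REAL LANG=C",
    "root 901 0.0 0.1 15432 2100 ? Ss 09:00 0:00 /usr/sbin/sshd -D PATH=/usr/sbin:/usr/bin",
    "ci 5120 0.3 1.2 912000 98000 ? Sl 09:20 0:05 node build.js "
    "NPM_TOKEN=EXAMPLE-NOT-REAL CI=true",
]


def find_exposed_secrets(lines):
    """Return (line_no, pid, variable_name) per hit; values are never returned."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.split(None, 10)  # 10 fixed ps columns, then the command
        pid = fields[1] if len(fields) > 10 and fields[1].isdigit() else None
        for match in ASSIGNMENT.finditer(line):
            if KEYWORDS.search(match.group(1)):
                findings.append((line_no, pid, match.group(1)))
    return findings


def readable_beyond_owner(path):
    """True if group or other has read permission on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    if os.path.exists(LOG_PATH):
        with open(LOG_PATH, errors="replace") as handle:
            hits = find_exposed_secrets(handle)
        print("readable beyond owner:", readable_beyond_owner(LOG_PATH))
    else:
        hits = find_exposed_secrets(SAMPLE)
    for line_no, pid, name in hits:
        print(f"line {line_no}: pid={pid} exposes {name}")
```

Any hit means the credential should be rotated and moved out of the process environment; also check backups and log shippers that may have copied the file.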