Automox Agent before 32 on Windows incorrectly sets permissions on a temporary directory.

**Articles**

What's New in Documentation

Documentation Revision History Record of notable documentation updates or additions. Date Description 12-07-2021 We now support non-Latin characters for Windows patches and system details. You should no longer see the placeholder charact...

Release Notes for Week Ending 12/10/2021

Enhancements Added support for UTF-8 character encoding on Windows. System details and patch entries using non-Latin character sets will now display correctly in the Automox Console. Devices must be running PowerShell 3.0 or higher. Historically i...

Release Notes for Week Ending 09/17/2021

Enhancements A maximum file size of 1GB is now being enforced for uploaded files.

Release Notes for Week Ending 07/30/2021

Enhancements Adding agent version as a selectable column on the Devices page.

Release Notes for Week Ending 07/09/2021

Enhancements Device page now only shows impacted devices when filtered by policy. (7/6) Bug Fixes Once a user removes a policy using the action menu, the policy should no longer present as a row in the policy table. (7/6) ...

Release Notes for Week Ending 06/18/2021

Bug Fixes Fixed an issue with creating Data extracts in Firefox.

Release Notes for Week Ending 05/28/2021

Enhancements A new Data Extracts option is available on the Reports page that allows customers to export detailed device information data and historical patching activity. More info: https://support.automox.com/help/automox-data-extract ...

Release Notes For Week Ending 05/07/2021

Enhancements Added primary navigation to the top of the user interface.  This provides more screen real estate and also sets the stage for future changes to account and profile management.  Sub-navigation drop-downs can now be accessed f...

Release Notes for Week Ending 04/23/2021

Bug Fixes Resolved an issue in detecting the device reboot status on RHEL 8.3.

Release Notes for Week Ending 04/16/2021

Bug Fixes Performance increase and bug fix for larger Activity Log report runs.

Release Notes for Week Ending 04/09/2021

Enhancements Release of this will prepare us for slow-roll upgrade of Agent 31 deployment, however agent downloads will now point to Agent 31. Policies using uploaded files will now use more secure presigned URLs for downloads. The deduplicatio...

Release Notes for Week Ending 04/02/2021

Enhancements Change policy file links sent to the agent to use pre-signed URLs. The deduplication algorithm on the Activity Log report has been improved for both speed and accuracy, you should see fewer duplicates and a much more responsive inter...

Release Notes for Week Ending 03/26/2021

Bug Fixes The Device ID sort on the Devices page will now work as intended. Sorting by group name now works correctly, with the special case of the Default Group always being first by name. Users will see status of expired if a previously comple...

Release Notes for Week Ending 07/16/2021

Enhancements Updated the Policies table to support new flexible device targeting feature. Policies with device targeting will no longer show a device count in the table but will still link to the devices page with the policy filter applied so the ...

Release Notes for Week Ending 03/12/2021

Bug Fixes Resolved an issue with the Device ID sorting on the new Devices page.

Release Notes for Week Ending 03/05/2021

Enhancements A new or existing user invited to an organization is no longer automatically logged in on acceptance, they must log into an organization first. (03/05) Bug Fixes Worklets run with the Execute Now feature will only execute on the c...

Release Notes for Week Ending 02/19/2021

Enhancements In the console navigation bar's Help menu, a link to the Automox Community site was added (02/17)

Release Notes for Week Ending 01/29/2021

Enhancements A new design for the Device Details page Details available Here ...

Release Notes for Week Ending 01/15/2021

Enhancements Two Factor Authentication (2FA) can now be applied across an organization.   More information can be found here: Enforce Organization-Wide Two-factor Authentication Managing User Accounts and Two-factor Authentication Update...

Release Notes for Week Ending 01/08/2021

Bug Fixes Fixed a bug with the Activity Log Report that could sometimes limit results shown (1/8)

CVE-2021-43326: Release Notes | Automox Knowledge Base

The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an admin delete arbitrary files

Hi. In this writeup, i will show you a bug that i found. Allowing an Authenticated user to delete any file in the system in the Support Board 3.3.4 and also will show you a possible exploit scenario with it. Even though this is an authenticated bug, there is no csrf protection on it so we can chain it with csrf.

While reversing the functions, i found a function called delete-file

![](https://miro.medium.com/max/1362/1*LjVNhye2PiZY5VZO6i_RPQ.png)

It accepts the post parameter path as an argument.

![](https://miro.medium.com/max/1326/1*h5tHgXyz8xok-DygeznovA.png)

You can see that if the path parameter has http on it, it will delete the file in the SB\_PATH\\uploads . This implementation is pretty safe since we can only delete files in the /uploads directory which doesnt have that much impact

![](https://miro.medium.com/max/1400/1*g_MdK5uwV53Cg-ehdvFw9g.png)

However, if you look at the code again.

![](https://miro.medium.com/max/1366/1*WA9l7oi-yT2L6TMkpFgbbg.png)

It will only delete files in the /uploads directory if the path contains the string http. If not, it will directly use our input in $path into the unlink. So if we supplied a file without the http, it will get deleted. For reproduction purpose, i made a file called test.txt in C:\\xampp\\htdocs\\wordpress\\wp-content

![](https://miro.medium.com/max/1342/1*eMS_pBtM2f6ejJHAQ82hPA.png)

Now back to burpsuite, if we supply the location of this file, this file should be deleted.

![](https://miro.medium.com/max/1400/1*KCyx9XxO4XdeHjdSmVTWZg.png)

We can see that it succeed and our file is now deleted

![](https://miro.medium.com/max/1376/1*_N8j0J6MurQNvy0s2cKRQA.png)

So we got a bug now. Now like i said earlier, i will show you a possible exploit scenario with this. In a wordpress installation, there is a file called wp-config.php . It contains the config of a wordpress installation. When we delete this file, we can then reinstall the whole wordpress application. So lets try it out. Normally, this wp-config.php is commonly found in the root directory of wordpress. So i tried deleting it and it succeed

![](https://miro.medium.com/max/1400/1*ysaQqRFOHqckX1hZnOu16w.png)

Now if we go to the site. We can reinstall the wordpress installation. In there, we can easily achieve rce

![](https://miro.medium.com/max/1400/1*7qnTFndidibiN2_GeWeL-g.png)

This is the end of my writeup, thanks for reading.

**Update:**

It is fixed now in the version 3.3.6.

![](https://miro.medium.com/max/1238/1*CLs6APmDMLk8gd5oMY6YoQ.png)

Thanks for reading

CVE-2021-24823: Support Board 3.3.4 Arbitrary File Deletion to Remote Code Execution

Joomla Sexy Polling extension versions 2.1.7 and below suffer from a remote SQL injection vulnerability.

``SexyPolling SQL Injection  ====================  | Identifier: | AIT-SA-20220208-01|   | Target: | Sexy Polling ( Joomla Extension) |   | Vendor: | 2glux |   | Version: | all versions below version 2.1.8 |   | CVE: | Not yet |   | Accessibility: | Remote |   | Severity: | Critical |   | Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |  Summary  ========  [Sexy Polling is a Joomla Extension for votes.](https://2glux.com/projects/sexypolling). In all versions below 2.1.8 an unauthenticated attacker could execute arbitrary SQL commands by sending crafted POST-parameters to poll.php.  Vulnerability Description  ====================  In the vote.php file, the POST parameters min_date and max_date are insufficiently checked and sanitized. An attacker can use these parameters to send payloads for sql injections.  In lines 74 and 75 in the *site/vote.php* code, the parameters are assigned without being checked:  ```   $min_date_sent = isset($_POST['min_date']) ? $_POST['min_date'].' 00:00:00' : '';   $max_date_sent = isset($_POST['max_date']) ? $_POST['max_date'].' 23:59:59' : '';   ```  These are later used unfiltered by the WHERE clause:  ```   $query_toal = "SELECT   COUNT(sv.`id_answer`) total_count,   MAX(sv.`date`) max_date,   MIN(sv.`date`) min_date   FROM   `#__sexy_votes` sv   JOIN   `#__sexy_answers` sa ON sa.id_poll = '$polling_id'   AND   sa.published = '1'   WHERE   sv.`id_answer` = sa.id";  //if dates are sent, add them to query   if ($min_date_sended != '' && $max_date_sended != '')   $query_toal .= " AND sv.`date` >= '$min_date_sended' AND sv.`date` <= '$max_date_sended' ";   ```  Proof Of Concept  ==============  To check a system for vulnerability, modify the POST request so that the min_date parameter contains a single apostrophe.  HTTP-Request:   ```   POST /components/com_sexypolling/vote.php HTTP/1.1  Host: joomla-server.local   User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0   Accept: application/json, text/javascript, */*; q=0.01   Accept-Language: en-US,en;q=0.5   Accept-Encoding: gzip, deflate   Content-Type: application/x-www-form-urlencoded; charset=UTF-8   X-Requested-With: XMLHttpRequest   HTTP_X_REAL_IP: 1.1.1.1   Content-Length: 193   Origin: joomla-server.local   Connection: close   Referer: joomla-server.local/index.php/component/search/   Cookie: 3f7d6b4d84916c70a46aaf5501d04983=iuddgl57g75v5gruopdqh0cgd6  polling_id=1&answer_id[]=3&dateformat=digits&min_date=2021-12-07'&max_date=2021-12-14&country_name=-&country_code=-&city_name=-&region_name=-&voting_period=24&ae9a061e2170d406fb817b9ec0c42918=1   ```  The HTTP-Resoonse contains a mysql error:  ```   HTTP/1.1 500 Internal Server Error   Date: Wed, 15 Dec 2021 10:27:40 GMT   Server: Apache/2.4.41 (Ubuntu)   Set-Cookie: PHPSESSID=39p4ql2oj0b45opsf6p105tfcf; path=/   Expires: Thu, 19 Nov 1981 08:52:00 GMT   Cache-Control: no-cache   Pragma: no-cache   Set-Cookie: sexy_poll_1=1639564060; expires=Thu, 16-Dec-2021 10:27:40 GMT; Max-Age=86400; path=/   Content-Length: 4768   Connection: close   Content-Type: application/json  <!DOCTYPE html>   <html lang="en-gb" dir="ltr">   <head>   <meta charset="utf-8" />   <title>Error: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '00:00:00' AND sv.`date` <= '2021-12-14 23:59:59'' at line 12</title>   <meta name="viewport" content="width=device-width, initial-scale=1.0">   <link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet" />   ```  Vulnerable Versions   ================   All versions below version 2.1.8  Tested Versions   =============   Sexy Polling ( Joomla Extension) 2.1.7  Impact   ======   An unauthenticated attacker could inject and execute SQL commands on the database.  Mitigation   =========   Sexy Polling 2.1.8 fixed that issue  Vendor Contact Timeline   ====================   | 2021-12-14 | Unable to find a contact of the vendor |   | 2021-12-15 | Contacting Joomla Security Strike Team |   | 2021-12-29 | Answer from the Joomla Security Strike Team that they will investigate the problem. |   | 2022-01-01 | Sexy Polling releases 2.1.8 |   | 2022-04-08 | Public Disclosure |  *We would like to note that the communication about this issue was weak. The contact-form of the maintainer of sexy_polling was broken and there was no other contact published. The Joomla Security Strike Team let us know that they will investigate, but they did not send any updates about the progress.*  Advisory URL   ===========   [https://www.ait.ac.at/ait-sa-20220208-01-sexypolling](https://www.ait.ac.at/ait-sa-20220208-01-sexypolling)  ``

Joomla Sexy Polling 2.1.7 SQL Injection

SAP Focused Run Simple Diagnostics Agent version 1.0 suffers from a missing authentication vulnerability.

    # Onapsis Security Advisory 2022-0004: Missing Authentication check in SAPFocused Run (Simple Diagnostics Agent 1.0)## Impact on BusinessBecause the Simple Diagnostic Agent (SDA) handles several importantconfiguration and critical credential information, a successful attackcould lead to the control of the SDA, and therefore affect:  * Integrity, by modifying the configuration.  * Availability, by stopping the service.  * Confidentiality and Scope changing, by decrypting all storedcredentials. Thenaccessing the SAP Focused Run system as well as the SAP system managed bytheSDA.## Advisory Information- Public Release Date: 06/21/2022- Security Advisory ID: ONAPSIS-2022-0004- Researcher(s): Yvan Genuer## Vulnerability Information- Vendor: SAP- Affected Components:  - SIMPLE\_DIAGNOSTICS\_AGENT 1.0  (Check SAP Note 3145987 for detailed information on affected releases)- Vulnerability Class: CWE-306- CVSS v3 score: 9.3 AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H- Risk Level: Critical- Assigned CVE: CVE-2022-24396- Vendor patch Information: SAP Security NOTE 3145987## Affected Components DescriptionSAP Focused Run is a spin-off from SAP Solution Manager concentrating on thespecific needs of high volume system and application monitoring, alertingandanalytics needs.(https://support.sap.com/en/alm/sap-focused-run/expert-portal/)## Vulnerability DetailsVulnerability 1:No authentication is required to interact with the Simple Diagnostic Agenthttpservice on port 3005 by default. Therefore, unauthenticated attackers willhavefull access to either administrative or other privileged functionalities.Leveragingthis access, they would be able to read, modify or delete sensitiveinformation andconfigurations with sapadm OS user privileges.Vulnerability 2:A path traversal exists in the Simple Diagnostic Agent service listening, bydefault, on localhost port 3005. A local attacker, without particularprivileges,can abuse this flaw in order to display the content of any OS directorywhich ```sapadm```has access to. Leading to information disclosure of potentially sensitivedata.## SolutionSAP has released SAP Note 3145987 which provide patched versions of theaffected components.The patches can be downloaded fromhttps://launchpad.support.sap.com/#/notes/3145987.Onapsis strongly recommends SAP customers to download the relatedsecurity fixes and apply them to the affected components in order toreduce business risks.## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/02/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published.## References- Onapsis blogpost:https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities- CVE Mitre:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24396- Vendor Patch:https://launchpad.support.sap.com/#/notes/3145987## About Onapsis Research LabsOnapsis Research Labs provides the industry analysis of key securityissues that impact business-critical systems and applications.Delivering frequent and timely security and compliance advisories withassociated risk levels, Onapsis Research Labs combine in-depth knowledgeand experience to deliver technical and business-context with soundsecurity judgment to the broader information security community.Find all reported vulnerabilities athttps://github.com/Onapsis/vulnerability_advisories## About Onapsis, Inc.Onapsis protects the mission-critical applications that run the globaleconomy,from the core to the cloud. The Onapsis Platform uniquely deliversactionableinsight, secure change, automated governance and continuous monitoring forcriticalsystems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendorssuch as SAP,Oracle, Salesforce and others, while keeping them protected and compliant.For more information, connect with us on Twitter or LinkedIn, or visit us athttps://www.onapsis.com.-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

SAP FRUN Simple Diagnostics Agent 1.0 Missing Authentication

CVE-2021-25461

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

@@ -419,6 +419,21 @@ class elFinder \*/ protected $removeContentSaveIds = array();  
/\*\* \* LAN class allowed when uploading via URL \* \* Array keys are 'local', 'private\_a', 'private\_b', 'private\_c' and 'link' \* \* local: 127.0.0.0/8 \* private\_a: 10.0.0.0/8 \* private\_b: 172.16.0.0/12 \* private\_c: 192.168.0.0/16 \* link: 169.254.0.0/16 \* \* @var array \*/ protected $uploadAllowedLanIpClasses = array();  
/\*\* \* Flag of throw Error on exec() \* @@ -713,6 +728,10 @@ public function \_\_construct($opts) $this\->itemLockExpire = intval($opts\['itemLockExpire'\]); }  
if (!empty($opts\['uploadAllowedLanIpClasses'\])) { $this\->uploadAllowedLanIpClasses = array\_flip($opts\['uploadAllowedLanIpClasses'\]); }  
// deprecated settings $this\->netVolumesSessionKey = !empty($opts\['netVolumesSessionKey'\]) ? $opts\['netVolumesSessionKey'\] : 'elFinderNetVolumes'; self::$sessionCacheKey = !empty($opts\['sessionCacheKey'\]) ? $opts\['sessionCacheKey'\] : 'elFinderCaches'; @@ -2524,16 +2543,87 @@ protected function abort($args = array()) } $flagFile = elFinder::$connectionFlagsPath . DIRECTORY\_SEPARATOR . 'elfreq%s'; if (!empty($args\['makeFile'\])) { self::$abortCheckFile = sprintf($flagFile, $args\['makeFile'\]); self::$abortCheckFile = sprintf($flagFile, self::filenameDecontaminate($args\['makeFile'\])); touch(self::$abortCheckFile); $GLOBALS\['elFinderTempFiles'\]\[self::$abortCheckFile\] = true; return; }  
$file = !empty($args\['id'\]) ? sprintf($flagFile, $args\['id'\]) : self::$abortCheckFile; $file = !empty($args\['id'\]) ? sprintf($flagFile, self::filenameDecontaminate($args\['id'\])) : self::$abortCheckFile; $file && is\_file($file) && unlink($file); }  
/\*\* \* Validate an URL to prevent SSRF attacks. \* \* To prevent any risk of DNS rebinding, always use the IP address resolved by \* this method, as returned in the array entry \`ip\`. \* \* @param string $url \* \* @return false|array \*/ protected function validate\_address($url) { $info = parse\_url($url); $host = trim(strtolower($info\['host'\]), '.'); // do not support IPv6 address if (preg\_match('/^\\\[.\*\\\]$/', $host)) { return false; } // do not support non dot host if (strpos($host, '.') === false) { return false; } // do not support URL-encoded host if (strpos($host, '%') !== false) { return false; } // disallow including "localhost" and "localdomain" if (preg\_match('/\\b(?:localhost|localdomain)\\b/', $host)) { return false; } // check IPv4 local loopback, private network and link local $ip = gethostbyname($host); if (preg\_match('/^0x\[0-9a-f\]+|\[0-9\]+(?:\\.(?:0x\[0-9a-f\]+|\[0-9\]+)){1,3}$/', $ip, $m)) { $long = (int)sprintf('%u', ip2long($ip)); if (!$long) { return false; } $local = (int)sprintf('%u', ip2long('127.255.255.255')) >> 24; $prv1 = (int)sprintf('%u', ip2long('10.255.255.255')) >> 24; $prv2 = (int)sprintf('%u', ip2long('172.31.255.255')) >> 20; $prv3 = (int)sprintf('%u', ip2long('192.168.255.255')) >> 16; $link = (int)sprintf('%u', ip2long('169.254.255.255')) >> 16;  
if (!isset($this\->uploadAllowedLanIpClasses\['local'\]) && $long >> 24 === $local) { return false; } if (!isset($this\->uploadAllowedLanIpClasses\['private\_a'\]) && $long >> 24 === $prv1) { return false; } if (!isset($this\->uploadAllowedLanIpClasses\['private\_b'\]) && $long >> 20 === $prv2) { return false; } if (!isset($this\->uploadAllowedLanIpClasses\['private\_c'\]) && $long >> 16 === $prv3) { return false; } if (!isset($this\->uploadAllowedLanIpClasses\['link'\]) && $long >> 16 === $link) { return false; } $info\['ip'\] = long2ip($long); if (!isset($info\['port'\])) { $info\['port'\] = $info\['scheme'\] === 'https' ? 443 : 80; } if (!isset($info\['path'\])) { $info\['path'\] = '/'; } return $info; } else { return false; } }  
/\*\* \* Get remote contents \* @@ -2552,54 +2642,20 @@ protected function abort($args = array()) protected function get\_remote\_contents(&$url, $timeout = 30, $redirect\_max = 5, $ua = 'Mozilla/5.0', $fp = null) { if (preg\_match('~^(?:ht|f)tps?://\[-\_.!\\~\*\\'()a-z0-9;/?:\\@&=+\\$,%#\\\*\\\[\\\]\]+~i', $url)) { $info = parse\_url($url); $host = trim(strtolower($info\['host'\]), '.'); // do not support IPv6 address if (preg\_match('/^\\\[.\*\\\]$/', $host)) { return false; } // do not support non dot host if (strpos($host, '.') === false) { return false; } // do not support URL-encoded host if (strpos($host, '%') !== false) { $info = $this\->validate\_address($url); if ($info === false) { return false; } // disallow including "localhost" and "localdomain" if (preg\_match('/\\b(?:localhost|localdomain)\\b/', $host)) { return false; } // wildcard DNS (e.g xip.io) if (preg\_match('/0x\[0-9a-f\]+|\[0-9\]+(?:\\.(?:0x\[0-9a-f\]+|\[0-9\]+)){1,3}/', $host)) { $host = gethostbyname($host); } // check IPv4 local loopback, private network and link local if (preg\_match('/^0x\[0-9a-f\]+|\[0-9\]+(?:\\.(?:0x\[0-9a-f\]+|\[0-9\]+)){1,3}$/', $host, $m)) { $long = (int)sprintf('%u', ip2long($host)); if (!$long) { return false; } $local = (int)sprintf('%u', ip2long('127.255.255.255')) >> 24; $prv1 = (int)sprintf('%u', ip2long('10.255.255.255')) >> 24; $prv2 = (int)sprintf('%u', ip2long('172.31.255.255')) >> 20; $prv3 = (int)sprintf('%u', ip2long('192.168.255.255')) >> 16; $link = (int)sprintf('%u', ip2long('169.254.255.255')) >> 16;  
if ($long >> 24 === $local || $long >> 24 === $prv1 || $long >> 20 === $prv2 || $long >> 16 === $prv3 || $long >> 16 === $link) { return false; } } // dose not support 'user' and 'pass' for security reasons $url = $info\['scheme'\].'://'.$host.(!empty($info\['port'\])? (':'.$info\['port'\]) : '').$info\['path'\].(!empty($info\['query'\])? ('?'.$info\['query'\]) : '').(!empty($info\['fragment'\])? ('#'.$info\['fragment'\]) : ''); $url = $info\['scheme'\].'://'.$info\['host'\].(!empty($info\['port'\])? (':'.$info\['port'\]) : '').$info\['path'\].(!empty($info\['query'\])? ('?'.$info\['query'\]) : '').(!empty($info\['fragment'\])? ('#'.$info\['fragment'\]) : ''); // check by URL upload filter if ($this\->urlUploadFilter && is\_callable($this\->urlUploadFilter)) { if (!call\_user\_func\_array($this\->urlUploadFilter, array($url, $this))) { return false; } } $method = (function\_exists('curl\_exec') && !ini\_get('safe\_mode') && !ini\_get('open\_basedir')) ? 'curl\_get\_contents' : 'fsock\_get\_contents'; return $this\->$method($url, $timeout, $redirect\_max, $ua, $fp); $method = (function\_exists('curl\_exec')) ? 'curl\_get\_contents' : 'fsock\_get\_contents'; return $this\->$method($url, $timeout, $redirect\_max, $ua, $fp, $info); } return false; } @@ -2619,8 +2675,11 @@ protected function get\_remote\_contents(&$url, $timeout = 30, $redirect\_max = 5, \* @retval false error \* @author Naoki Sawada \*\*/ protected function curl\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outfp) protected function curl\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outfp, $info) { if ($redirect\_max == 0) { return false; } $ch = curl\_init(); curl\_setopt($ch, CURLOPT\_URL, $url); curl\_setopt($ch, CURLOPT\_HEADER, false); @@ -2633,11 +2692,19 @@ protected function curl\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outfp curl\_setopt($ch, CURLOPT\_LOW\_SPEED\_LIMIT, 1); curl\_setopt($ch, CURLOPT\_LOW\_SPEED\_TIME, $timeout); curl\_setopt($ch, CURLOPT\_SSL\_VERIFYPEER, false); curl\_setopt($ch, CURLOPT\_FOLLOWLOCATION, 1); curl\_setopt($ch, CURLOPT\_MAXREDIRS, $redirect\_max); curl\_setopt($ch, CURLOPT\_FOLLOWLOCATION, false); curl\_setopt($ch, CURLOPT\_USERAGENT, $ua); curl\_setopt($ch, CURLOPT\_RESOLVE, \[$info\['host'\] . ':' . $info\['port'\] . ':' . $info\['ip'\]\]); $result = curl\_exec($ch); $url = curl\_getinfo($ch, CURLINFO\_EFFECTIVE\_URL); $http\_code = curl\_getinfo($ch, CURLINFO\_HTTP\_CODE); if ($http\_code == 301 || $http\_code == 302) { $new\_url = curl\_getinfo($ch, CURLINFO\_REDIRECT\_URL); $info = $this\->validate\_address($new\_url); if ($info === false) { return false; } return $this\->curl\_get\_contents($new\_url, $timeout, $redirect\_max - 1, $ua, $outfp, $info); } curl\_close($ch); return $outfp ? $outfp : $result; } @@ -2658,7 +2725,7 @@ protected function curl\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outfp \* @throws elFinderAbortException \* @author Naoki Sawada \*/ protected function fsock\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outfp) protected function fsock\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outfp, $info) { $connect\_timeout = 3; $connect\_try = 3; @@ -2669,22 +2736,15 @@ protected function fsock\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outf $getSize = null; $headers = '';  
$arr = parse\_url($url); if (!$arr) { // Bad request return false; } $arr = $info; if ($arr\['scheme'\] === 'https') { $ssl = 'ssl://'; }  
// query $arr\['query'\] = isset($arr\['query'\]) ? '?' . $arr\['query'\] : ''; // port $port = isset($arr\['port'\]) ? $arr\['port'\] : ''; $arr\['port'\] = $port ? $port : ($ssl ? 443 : 80);  
$url\_base = $arr\['scheme'\] . '://' . $arr\['host'\] . ($port ? (':' . $port) : ''); $url\_base = $arr\['scheme'\] . '://' . $info\['host'\] . ':' . $info\['port'\]; $url\_path = isset($arr\['path'\]) ? $arr\['path'\] : '/'; $uri = $url\_path . $arr\['query'\];  
@@ -2765,7 +2825,11 @@ protected function fsock\_get\_contents(&$url, $timeout, $redirect\_max, $ua, $outf sleep(1); } fclose($fp); return $this\->fsock\_get\_contents($url, $timeout, $redirect\_max, $ua, $outfp); $info = $this\->validate\_address($url); if ($info === false) { return false; } return $this\->fsock\_get\_contents($url, $timeout, $redirect\_max, $ua, $outfp, $info); } break; case 200: @@ -3831,7 +3895,8 @@ protected function archive($args) $targets = isset($args\['targets'\]) && is\_array($args\['targets'\]) ? $args\['targets'\] : array(); $name = isset($args\['name'\]) ? $args\['name'\] : '';  
if (($volume = $this\->volume($targets\[0\])) == false) { $targets = array\_filter($targets, array($this, 'volume')); if (!$targets || ($volume = $this\->volume($targets\[0\])) === false) { return $this\->error(self::ERROR\_ARCHIVE, self::ERROR\_TRGDIR\_NOT\_FOUND); }  
@@ -4339,7 +4404,7 @@ protected function itemLocked($hash) if (!elFinder::$commonTempPath) { return false; } $lock = elFinder::$commonTempPath . DIRECTORY\_SEPARATOR . $hash . '.lock'; $lock = elFinder::$commonTempPath . DIRECTORY\_SEPARATOR . self::filenameDecontaminate($hash) . '.lock'; if (file\_exists($lock)) { if (filemtime($lock) + $this\->itemLockExpire < time()) { unlink($lock); @@ -4368,7 +4433,7 @@ protected function itemLock($hashes, $autoUnlock = true) $hashes = array($hashes); } foreach ($hashes as $hash) { $lock = elFinder::$commonTempPath . DIRECTORY\_SEPARATOR . $hash . '.lock'; $lock = elFinder::$commonTempPath . DIRECTORY\_SEPARATOR . self::filenameDecontaminate($hash) . '.lock'; if ($this\->itemLocked($hash)) { $cnt = file\_get\_contents($lock) + 1; } else { @@ -4519,6 +4584,16 @@ public static function getApiFullVersion() return (string)self::$ApiVersion . '.' . (string)self::$ApiRevision; }  
/\*\* \* Return self::$commonTempPath \* \* @return string The common temporary path. \*/ public static function getCommonTempPath() { return self::$commonTempPath; }  
/\*\* \* Return Is Animation Gif \* @@ -5104,6 +5179,24 @@ public static function expandMemoryForGD($imgInfos) } }  
/\*\* \* Decontaminate of filename \* \* @param String $name The name \* \* @return String Decontaminated filename \*/ public static function filenameDecontaminate($name) { // Directory traversal defense if (DIRECTORY\_SEPARATOR === '\\\\') { $name = str\_replace('\\\\', '/', $name); } $parts = explode('/', trim($name, '/')); $name = array\_pop($parts); return $name; }  
/\*\* \* Execute shell command \* @@ -5279,4 +5372,4 @@ class elFinderAbortException extends Exception  
class elFinderTriggerException extends Exception { } }

CVE-2021-32682: Merge pull request from GHSA-wph3-44rj-92pr · Studio-42/elFinder@a106c35

With certain LDAP configurations, Zammad 5.0.1 was found to be vulnerable to unauthorized access with existing user accounts.

Security Advisory

28\. Oktober 2021 · Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

**Security Advisory Details**

*   ID: ZAA-2021-20
*   Date: 10/28/2021
*   Title: Unauthorized Access
*   Severity: high
*   Product: Zammad 5.0.1
*   Fixed in: Zammad 5.0.2
*   References:  
    \--> \[pending CVE assignment\]

**Vulnerability Descriptions****Unauthorized Access**

With certain LDAP configurations, Zammad was found to be vulnerable to unauthorized access with existing user accounts.

Special 🙏 and 🤘 and ❤️ to:

*   C: Deutscher Caritasverband e. V.
*   W: https://www.caritas.de/

**Recommended Resolution**

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

*   https://zammad.org/
*   https://ftp.zammad.com/  
    Or just update your Zammad if installed via OS package manager.

**Additional information**

Online version of this advisory: https://zammad.com/en/advisories/zaa-2021-20

Send all remarks to security issues to security@zammad.com.

CVE-2021-43145: Security Advisory ZAA-2021-20 | Zammad

Are ransomware groups shifting attention to Europe? Or just expanding into new territories?

Categories: Malwarebytes news

Tags: angling direct conti European Graff hive lockean mediamarkt phishing ransomware retailers saturn web shops

*( Read more... ( https://blog.malwarebytes.com/malwarebytes-news/2021/11/are-cybercriminals-turning-away-from-the-us-and-targeting-europe-instead/ ) )*

The post Are cybercriminals turning away from the US and targeting Europe instead? appeared first on Malwarebytes Labs.

Are cybercriminals turning away from the US and targeting Europe instead?

MariaDB v10.5 to v10.7 was discovered to contain an assertion failure at table->get_ref_count() == 0 in dict0dict.cc.

step to reproduce:

CREATE TEMPORARY TABLE v0 ( v1 TEXT ( 15 ) CHAR SET BINARY NOT NULL NOT NULL UNIQUE CHECK ( v1 ) ) REPLACE SELECT NULL AS v3 , 74 AS v2 ;

 SELECT SQL\_CALC\_FOUND\_ROWS \* FROM v0 WHERE v1 IN ( SELECT v3 FROM v0 ) LIMIT 16 ;

 DROP PROCEDURE v0 ;

 CREATE TABLE v4 ( v6 INT , v5 INT DEFAULT 27 ) ;

 ROLLBACK TO SAVEPOINT v4 ;

 INSERT INTO v4 VALUES ( + 84 , + 32 , 48 ) ;

report (compiled with ASAN):

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7fb65ba7c850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7fb67b328c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55df46af9747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55df45ac1120\]

sigaction.c:0(\_\_restore\_rt)\[0x7fb67ad12870\]

:0(\_\_GI\_raise)\[0x7fb67a7f1d22\]

:0(\_\_GI\_abort)\[0x7fb67a7db862\]

include/ut0ut.h:319(ib::logger& ib::logger::operator<< <int>(int const&))\[0x55df44f00246\]

dict/dict0dict.cc:1258(dict\_sys\_t::evict\_table\_LRU(bool) \[clone .cold\])\[0x55df44f2296e\]

include/dict0dict.h:1578(dict\_sys\_t::unlock())\[0x55df463d955f\]

sql/handler.cc:577(hton\_drop\_table(handlerton\*, char const\*))\[0x55df45ad0145\]

sql/temporary\_tables.cc:703(THD::rm\_temporary\_table(handlerton\*, char const\*))\[0x55df4594c2c8\]

sql/temporary\_tables.cc:1464(THD::free\_tmp\_table\_share(TMP\_TABLE\_SHARE\*, bool))\[0x55df4594d237\]

sql/temporary\_tables.cc:672(THD::drop\_temporary\_table(TABLE\*, bool\*, bool))\[0x55df459513f5\]

sql/sql\_insert.cc:5203(select\_create::abort\_result\_set())\[0x55df452837f5\]

sql/sql\_select.cc:563(handle\_select(THD\*, LEX\*, select\_result\*, unsigned long))\[0x55df454f48a5\]

sql/sql\_table.cc:11732(Sql\_cmd\_create\_table\_like::execute(THD\*))\[0x55df455d8e27\]

sql/sql\_parse.cc:5997(mysql\_execute\_command(THD\*, bool))\[0x55df45359180\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55df453665a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55df4536c60c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55df4537173d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55df4572ce57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55df4572d33d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55df461bdc2c\]

pthread\_create.c:0(start\_thread)\[0x7fb67ad08259\]

:0(\_\_GI\_\_\_clone)\[0x7fb67a8b35e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x6290000873d0): CREATE TEMPORARY TABLE v0 ( v1 TEXT ( 15 ) CHAR SET BINARY NOT NULL NOT NULL UNIQUE CHECK ( v1 ) ) REPLACE SELECT NULL AS v3 , 74 AS v2

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/18

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us        

Core pattern: core

gdb bt:

Using host libthread\_db library "/usr/lib/libthread\_db.so.1".

Core was generated by \`/usr/local/mysql/bin//mysqld --port 10018 --datadir=/home/fuboat/mariadb-tmp/18'.

Program terminated with signal SIGABRT, Aborted.

#0  0x00007fb67ad0f808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055df45ac106b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x00007fb67a7f1d22 in raise () from /usr/lib/libc.so.6

#4  0x00007fb67a7db862 in abort () from /usr/lib/libc.so.6

#5  0x000055df44f00246 in ut\_dbg\_assertion\_failed (expr=expr@entry=0x55df4700bd40 "table->get\_ref\_count() == 0", file=file@entry=0x55df4700ae60 "/experiment/mariadb-server/storage/innobase/dict/dict0dict.cc", line=line@entry=1890) at /experiment/mariadb-server/storage/innobase/ut/ut0dbg.cc:60

#6  0x000055df44f2296e in dict\_sys\_t::remove (this=<optimized out>, this@entry=0x55df478238c0 <dict\_sys>, table=0x61700003ff08, lru=<optimized out>, lru@entry=false, keep=<optimized out>, keep@entry=true) at /experiment/mariadb-server/storage/innobase/dict/dict0dict.cc:1890

#7  0x000055df463d955f in ha\_innobase::delete\_table (this=<optimized out>, name=<optimized out>) at /experiment/mariadb-server/storage/innobase/handler/ha\_innodb.cc:13360

#8  0x000055df45ad0145 in hton\_drop\_table (hton=<optimized out>, path=<optimized out>) at /experiment/mariadb-server/sql/handler.cc:576

#9  0x000055df4594c2c8 in THD::rm\_temporary\_table (this=<optimized out>, base=<optimized out>, path=0x61a000061d48 "/tmp/#sql-temptable-3021ca-4-0") at /experiment/mariadb-server/sql/temporary\_tables.cc:703

#10 0x000055df4594d237 in THD::free\_tmp\_table\_share (this=<optimized out>, share=0x61a000061898, delete\_table=<optimized out>) at /experiment/mariadb-server/sql/temporary\_tables.cc:1462

#11 0x000055df459513f5 in THD::drop\_temporary\_table (this=0x62b0000bd218, table=<optimized out>, is\_trans=is\_trans@entry=0x0, delete\_table=delete\_table@entry=true) at /experiment/mariadb-server/sql/temporary\_tables.cc:669

#12 0x000055df451da338 in drop\_open\_table (thd=<optimized out>, table=<optimized out>, db\_name=<optimized out>, table\_name=<optimized out>) at /experiment/mariadb-server/sql/sql\_base.cc:1355

#13 0x000055df452837f5 in select\_create::abort\_result\_set (this=0x6290000890c8) at /experiment/mariadb-server/sql/sql\_insert.cc:5202

#14 0x000055df454f48a5 in handle\_select (thd=thd@entry=0x62b0000bd218, lex=lex@entry=0x62b0000c12f8, result=result@entry=0x6290000890c8, setup\_tables\_done\_option=setup\_tables\_done\_option@entry=0) at /experiment/mariadb-server/sql/sql\_select.cc:563

#15 0x000055df455d8e27 in Sql\_cmd\_create\_table\_like::execute (this=<optimized out>, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_table.cc:11732

#16 0x000055df45359180 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:5997

#17 0x000055df453665a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#18 0x000055df4536c60c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#19 0x000055df4537173d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#20 0x000055df4572ce57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#21 0x000055df4572d33d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#22 0x000055df461bdc2c in pfs\_spawn\_thread (arg=0x617000005b98) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#23 0x00007fb67ad08259 in start\_thread () from /usr/lib/libpthread.so.0

#24 0x00007fb67a8b35e3 in clone () from /usr/lib/libc.so.6

CVE-2022-32082: [MDEV-26433] assertion: table->get_ref_count() == 0 in dict0dict.cc line 1915

A blind SQL injection vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote authenticated attacker to potentially obtain information from the ePO database. The data obtained is dependent on the privileges the attacker has and to obtain sensitive data the attacker would require administrator privileges.

**First Published:** March 22, 2022

**Product:**

**Impacted Versions:**

**CVE ID:**

**Impact of Vulnerabilities:**

**Severity Ratings:**

**CVSS v3.1  
Base/Temporal Scores:**

ePolicy Orchestrator (ePO)

5.10 prior to CU 13

CVE-2022-0842     

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Medium

5.4 / 4.9

CVE-2022-0857       

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Medium

5.4 / 4.9

CVE-2022-0858    

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')    

Medium

4.3 / 3.9

CVE-2022-0859          

CWE-522: Insufficiently Protected Credentials

Medium

6.5 / 5.9

CVE-2022-0861       

CWE-611: Improper Restriction of XML External Entity Reference

Low

3.5 / 3.2

CVE-2022-0862      

CWE-522: Insufficiently Protected Credentials

Low

3.1 / 2.8

Tomcat CVE-2021-42340      

CWE-772: Missing Release of Resource after Effective Lifetime  

Medium

5.3 / 4.8

Apache HTTP Server CVE-2021-34798

Apache HTTP Server  
CVE-2020-13938  

CWE-476: NULL Pointer Dereference

CWE-862: Missing Authorization 

High

Medium 

7.5

5.5

Java multiple CVEs

See Java CVEs Security Advisory link below.

 **Recommendations:**

Install or update to ePO 5.10.0 CU 13.

 **Security Bulletin Replacement:**

None

 **Location of updated software:**

Product Downloads site

To receive email notification when this Security Bulletin is updated, click **Subscribe** on the right side of the page. You must be logged on to subscribe.

**Article contents:**

*   Vulnerability Description
*   Remediation
*   Acknowledgments
*   Frequently Asked Questions (FAQs)
*   Resources
*   Disclaimer

**Vulnerability Description**  
This release addresses one blind SQL injection vulnerability in ePO and updates three libraries used by ePO.

Below are the **third-party libraries** updated in this release, along with details about CVEs that impacted ePO.

1.  **Java** has been updated to the January 2022 update.
    
    Reference: Java SE Risk Matrix
    
2.  **Apache HTTP Server** has been updated to 2.4.51 from 2.4.38.   
    CVE-2021-34798  
    CVE-2020-13938
    
    Reference: Apache HTTP Server 2.4 vulnerabilities  
    For other Apache HTTP Server CVE responses for ePO, see: KB94982 - ePolicy Orchestrator documentation for Apache CVEs.
    
3.  **Tomcat** has been updated to 9.0.54 from 9.0.52.  
    CVE-2021-42340
    
    Reference: Tomcat 9.x vulnerabilities
    

**McAfee Enterprise code vulnerabilities**

1.  **CVE-2022-0842**  
    A blind SQL injection vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote authenticated attacker to potentially obtain information from the ePO database. The data obtained is dependent on the privileges the attacker has and to obtain sensitive data the attacker would require administrator privileges.  
    NIST CVE-2022-0842  
    MITRE CVE-2022-0842  
     
2.  **CVE-2022-0857**  
    A reflected cross-site scripting (XSS) vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to potentially obtain access to an ePO administrator's session by convincing the attacker to click on a carefully crafted link. This would lead to limited access to sensitive information and limited ability to alter some information in ePO due to the area of the User Interface the vulnerability is present in.  
    NIST CVE-2022-0857  
    MITRE CVE-2022-0857  
     
3.  **CVE-2022-0858**  
    A cross-site scripting (XSS) vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to potentially obtain access to an ePO administrator's session by convincing the attacker to click on a carefully crafted link. This would lead to limited ability to alter some information in ePO due to the area of the User Interface the vulnerability is present in.  
    NIST CVE-2022-0858  
    MITRE CVE-2022-0858  
     
4.  **CVE-2022-0859**  
    McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a local attacker to point an ePO server to an arbitrary SQL server during the restoration of the ePO server. To achieve this the attacker would have to be logged onto the server hosting the ePO server (restricted to administrators) and to know the SQL server password.
    
    Although this is rated as a relatively high CVSS, McAfee Enterprise does not expect this to be a common scenario as both credentials are expected to be known only to a few members of staff and the attacker must have access to the system hosting the ePO server.  
    NIST CVE-2022-0859  
    MITRE CVE-2022-0859
    
5.  **CVE-2022-0861**  
    A XML Extended entity vulnerability in McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote administrator attacker to upload a malicious XML file through the extension import functionality. The impact is limited to some access to confidential information and some ability to alter data.
    
    Should the remote attacker already have administrator privileges they are likely to be able to perform other malicious activities which exceed the impact of this issue.  
    NIST CVE-2022-0861  
    MITRE CVE-2022-0861
    
6.  **CVE-2022-0862**  
    A lack of password change protection vulnerability in a depreciated API of McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 allows a remote attacker to change the password of a compromised session without knowing the existing user's password. This functionality was removed from the User Interface in ePO 10 and the API has now been disabled. Other protection is in place to reduce the likelihood of this being successful through sending a link to a logged in user.  
    NIST CVE-2022-0862  
    MITRE CVE-2022-0862

**Remediation**  
To remediate this issue, customers using ePO 5.10 should update to ePO 5.10.0 Update 13.

Go to the Product Downloads site, and download the applicable product update file:

**Product**

**Version**

**Type**

**Release Date**

ePO       

5.10.0 CU 13

Update

March 22, 2022

 

**Download and Installation Instructions**  
For instructions to download product updates and hotfixes, see: KB56057 - How to download Enterprise product updates and documentation. Review the Release Notes and the Installation Guide for instructions on how to install these updates. All documentation is available at our Product Documentation site.  
**Acknowledgments**  
McAfee Enterprise credits **SCRT Research Lab** for responsibly reporting these flaws:  
CVE-2022-0842, CVE-2022-0857, CVE-2022-0858, CVE-2022-0859, CVE-2022-0861, CVE-2022-0862  
**Frequently Asked Questions (FAQs)**  
**How do I know if my product is vulnerable or not?**

For ePO/server products:

Use the following instructions for server-based products:

*   Check the version and build of ePO that is installed. For instructions, see: KB52634 - How to determine what hotfix is installed for ePO.
*   Create a query in ePO for the product version of the product installed within your organization.

**What is CVSS?**  
Common Vulnerability Scoring System (CVSS) is the result of the National Infrastructure Advisory Council's effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website.

  When calculating CVSS scores, McAfee Enterprise has adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We don't factor into a score any potential follow-on exploits that might be made possible by the successful exploitation of the issue being scored.

  **What are the CVSS scoring metrics?**

1.  **CVE-2022-0842: ePO blind SQL Injection vulnerability**  
     
    
    **Base Score**
    
    **5.4**
    
    Attack Vector (AV)
    
    Network (N)
    
    Attack Complexity (AC)
    
    High (H)
    
    Privileges Required (PR)
    
    High (H)
    
    User Interaction (UI)
    
    Required (R)
    
    Scope (S)
    
    Changed (C)
    
    Confidentiality (C)
    
    High (H)
    
    Integrity (I)
    
    None (N)
    
    Availability (A)
    
    None (N)
    
    **Temporal Score (Overall)**
    
    **4.9**
    
    Exploitability (E)
    
    Proof-of-Concept (P)
    
    Remediation Level (RL)
    
    Official Fix (O)
    
    Report Confidence (RC)
    
    Confirmed (C)
    
       
    **NOTE:** This CVSS version 3.1 vector was used to generate this score.  
     
2.  **CVE-2022-0857: ePO Reflected Cross-site scripting vulnerability**  
     
    
    **Base Score**
    
    **5.4**
    
    Attack Vector (AV)
    
    Network (N)
    
    Attack Complexity (AC)
    
    Low (L)
    
    Privileges Required (PR)
    
    None (N)
    
    User Interaction (UI)
    
    Required (R)
    
    Scope (S)
    
    Unchanged (U)
    
    Confidentiality (C)
    
    Low (L)
    
    Integrity (I)
    
    Low (L)
    
    Availability (A)
    
    None (N)
    
    **Temporal Score (Overall)**
    
    **4.9**
    
    Exploitability (E)
    
    Proof-of-Concept (P)
    
    Remediation Level (RL)
    
    Official Fix (O)
    
    Report Confidence (RC)
    
    Confirmed (C)
    
       
    **NOTE:** This CVSS version 3.1 vector was used to generate this score.  
     
3.  **CVE-2022-0858: Cross-site scripting vulnerability in ePO**  
     
    
    **Base Score**
    
    **4.3**
    
    Attack Vector (AV)
    
    Network (N)
    
    Attack Complexity (AC)
    
    Low (L)
    
    Privileges Required (PR)
    
    None (N)
    
    User Interaction (UI)
    
    Required (R)
    
    Scope (S)
    
    Unchanged (U)
    
    Confidentiality (C)
    
    None (N)
    
    Integrity (I)
    
    Low (L)
    
    Availability (A)
    
    None (N)
    
    **Temporal Score (Overall)**
    
    **3.9**
    
    Exploitability (E)
    
    Proof-of-Concept (P)
    
    Remediation Level (RL)
    
    Official Fix (O)
    
    Report Confidence (RC)
    
    Confirmed (C)
    
       
    **NOTE:** This CVSS version 3.1 vector was used to generate this score.  
     
4.  **CVE-2022-0859: ePO database restoration vulnerability**  
     
    
    **Base Score**
    
    **6.5**
    
    Attack Vector (AV)
    
    Local (L)
    
    Attack Complexity (AC)
    
    Low (L)
    
    Privileges Required (PR)
    
    High (H)
    
    User Interaction (UI)
    
    Required (R)
    
    Scope (S)
    
    Unchanged (U)
    
    Confidentiality (C)
    
    High (H)
    
    Integrity (I)
    
    High (H)
    
    Availability (A)
    
    High (H)
    
    **Temporal Score (Overall)**
    
    **5.9**
    
    Exploitability (E)
    
    Proof-of-Concept (P)
    
    Remediation Level (RL)
    
    Official Fix (O)
    
    Report Confidence (RC)
    
    Confirmed (C)
    
       
    **NOTE:** This CVSS version 3.1 vector was used to generate this score.  
     
5.  **CVE-2022-0861: ePO XML extended entity vulnerability**  
     
    
    **Base Score**
    
    **3.5**
    
    Attack Vector (AV)
    
    Network (N)
    
    Attack Complexity (AC)
    
    Low (L)
    
    Privileges Required (PR)
    
    High (H)
    
    User Interaction (UI)
    
    Required (R)
    
    Scope (S)
    
    Unchanged (U)
    
    Confidentiality (C)
    
    Low (L)
    
    Integrity (I)
    
    Low (L)
    
    Availability (A)
    
    None (N)
    
    **Temporal Score (Overall)**
    
    **3.2**
    
    Exploitability (E)
    
    Proof-of-Concept (P)
    
    Remediation Level (RL)
    
    Official Fix (O)
    
    Report Confidence (RC)
    
    Confirmed (C)
    
       
    **NOTE:** This CVSS version 3.1 vector was used to generate this score.  
     
6.  **CVE-2022-0862: ePO password change vulnerability**  
     
    
    **Base Score**
    
    **3.1**
    
    Attack Vector (AV)
    
    Network (N)
    
    Attack Complexity (AC)
    
    High (H)
    
    Privileges Required (PR)
    
    Low (L)
    
    User Interaction (UI)
    
    None (N)
    
    Scope (S)
    
    Unchanged (U)
    
    Confidentiality (C)
    
    None (N)
    
    Integrity (I)
    
    Low (L)
    
    Availability (A)
    
    None (N)
    
    **Temporal Score (Overall)**
    
    **2.8**
    
    Exploitability (E)
    
    Proof-of-Concept (P)
    
    Remediation Level (RL)
    
    Official Fix (O)
    
    Report Confidence (RC)
    
    Confirmed (C)
    
       
    **NOTE:** This CVSS version 3.1 vector was used to generate this score.  
     
7.  **CVE-2021-42340: ePO and Tomcat**  
     
    
    **Base Score**
    
    **5.3**
    
    Attack Vector (AV)
    
    Network (N)
    
    Attack Complexity (AC)
    
    High (H)
    
    Privileges Required (PR)
    
    None (N)
    
    User Interaction (UI)
    
    Required (R)
    
    Scope (S)
    
    Unchanged (U)
    
    Confidentiality (C)
    
    None (N)
    
    Integrity (I)
    
    None (N)
    
    Availability (A)
    
    High (H)
    
    **Temporal Score (Overall)**
    
    **4.8**
    
    Exploitability (E)
    
    Proof-of-Concept (P)
    
    Remediation Level (RL)
    
    Official Fix (O)
    
    Report Confidence (RC)
    
    Confirmed (C)
    
       
    **NOTE:** This CVSS version 3.1 vector was used to generate this score.

**Where can I find a list of all Security Bulletins?**  
All Security Bulletins are published on our external PSIRT website. To see Security Bulletins for McAfee Enterprise products on this website, click **Enterprise Security Bulletins**. Security Bulletins are retired (removed) once a product is both End of Sale and End of Support (End of Life).

  **How do I report a product vulnerability to McAfee Enterprise?**  
If you have information about a security issue or vulnerability with a McAfee Enterprise product, go to the PSIRT website, click **Report a Security Vulnerability**, and follow the instructions.

  **How does McAfee Enterprise respond to this and any other reported security flaws?**  
Our key priority is the security of our customers. If a vulnerability is found within any McAfee Enterprise software or services, we work closely with the relevant security software development team to ensure the rapid and effective development of a fix and communication plan.

  McAfee Enterprise only publishes Security Bulletins if they include something actionable such as a workaround, mitigation, version update, or hotfix. Otherwise, we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For products that are updated automatically, a non-actionable Security Bulletin might be published to acknowledge the discoverer.

  View our PSIRT policy on the PSIRT website by clicking **About PSIRT**.  
**Resources**

*   If you are a registered user, type your User ID and Password, and then click **Log In**.
*   If you are not a registered user, click **Register** and complete the fields to have your password and instructions emailed to you.

**Disclaimer**  
The information provided in this Security Bulletin is provided as is without warranty of any kind. McAfee Enterprise disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall McAfee Enterprise or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if McAfee Enterprise or its suppliers have been advised of the possibility of such damages. Some states don't allow the exclusion or limitation of liability for consequential or incidental damages so the preceding limitation may not apply.

  Any future product release dates mentioned in this Security Bulletin are intended to outline our general product direction, and they shouldn't be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates aren't a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at our sole discretion and may be changed or canceled at any time.

CVE-2022-0842: Security Bulletin - ePolicy Orchestrator update addresses multiple product vulnerabilities (CVE-2022-0842, CVE-2022-0857, CVE-2022-0858, CVE-2022-0859, CVE-2022-0861, CVE-2022-0862) and updates Java, 

Search

lenovo warranty check/lookup | check warranty status | lenovo support us