Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. If a gateway client application sends a malformed request to a gateway peer it may crash the peer node. Version 2.4.6 checks for the malformed gateway request and returns an error to the gateway client. There are no known workarounds, users must upgrade to version 2.4.6.

**v2.4.6 Release Notes - August 8, 2022****Fixes**

**orderer - Fix active nodes metric**

Fix active nodes metrics for etcdraft ordering service when a node is evicted.

**peer - Handle malformed gateway request**

If a gateway client sends a malformed request to a peer it may crash the peer node.  
This fix checks for the malformed request and returns an error to the gateway client.

**Improvements**

**Make chaincode-as-a-service (ccaas) builder available in all release distributions**

The chaincode-as-a-service (ccaas) builder executables for build, detect, and release are now available in the Fabric release tar at builders/ccaas/bin.

**Dependencies**

Fabric v2.4.6 has been tested with the following dependencies:

*   Go 1.18.2
*   CouchDB v3.2.2

Fabric docker images on dockerhub utilize Alpine 3.16.

**Deprecations (existing)**

**Ordering service system channel is deprecated**

v2.3 introduced the ability to manage an ordering service without a system channel.  
Managing an ordering service without a system channel has privacy, scalability,  
and operational benefits. The use of a system channel is deprecated and may be removed in a future release.  
For information about removal of the system channel, see the Create a channel without system channel documentation.

**FAB-15754: The 'Solo' consensus type is deprecated.**

The 'Solo' consensus type has always been marked non-production and should be in  
use only in test environments, however for compatibility it is still available,  
but may be removed entirely in a future release.

**FAB-16408: The 'Kafka' consensus type is deprecated.**

The 'Raft' consensus type was introduced in v1.4.1 and has become the preferred  
production consensus type. There is a documented and tested migration path from  
Kafka to Raft, and existing users should migrate to the newer Raft consensus type.  
For compatibility with existing deployments, Kafka is still supported,  
but may be removed entirely in a future release.  
Additionally, the fabric-kafka and fabric-zookeeper docker images are no longer updated, maintained, or published.

**Fabric CouchDB image is deprecated**

v2.2.0 added support for CouchDB 3.1.0 as the recommended and tested version of CouchDB.  
If prior versions are utilized, a Warning will appear in peer log.  
Note that CouchDB 3.1.0 requires that an admin username and password be set,  
while this was optional in CouchDB v2.x. See the  
Fabric CouchDB documentation  
for configuration details.  
Also note that CouchDB 3.1.0 default max\_document\_size is reduced to 8MB. Set a higher value if needed in your environment.  
Finally, the fabric-couchdb docker image will not be updated to v3.1.0 and will no longer be updated, maintained, or published.  
Users can utilize the official CouchDB docker image maintained by the Apache CouchDB project instead.

**FAB-7559: Support for specifying orderer endpoints at the global level in channel configuration is deprecated.**

Utilize the new 'OrdererEndpoints' stanza within the channel configuration of an organization instead.  
Configuring orderer endpoints at the organization level accommodates  
scenarios where orderers are run by different organizations. Using  
this configuration ensures that only the TLS CA certificates of that organization  
are used for orderer communications, in contrast to the global channel level endpoints which  
would cause an aggregation of all orderer TLS CA certificates across  
all orderer organizations to be used for orderer communications.

**FAB-17428: Support for configtxgen flag --outputAnchorPeersUpdate is deprecated.**

The --outputAnchorPeersUpdate mechanism for updating anchor peers has always had  
limitations (for instance, it only works the first time anchor peers are updated).  
Instead, anchor peer updates should be performed through the normal config update flow.

**FAB-15406: The fabric-tools docker image is deprecated**

The fabric-tools docker image will not be published in future Fabric releases.  
Instead of using the fabric-tools docker image, users should utilize the  
published Fabric binaries. The Fabric binaries can be used to make client calls  
to Fabric runtime components, regardless of where the Fabric components are running.

**FAB-15317: Block dissemination via gossip is deprecated**

Block dissemination via gossip is deprecated and may be removed in a future release.  
Fabric peers can be configured to receive blocks directly from an ordering service  
node and not gossip blocks by using the following configuration:

    peer.gossip.orgLeader: true
    peer.gossip.useLeaderElection: false
    peer.gossip.state.enabled: false
    peer.deliveryclient.blockGossipEnabled: false
    

**FAB-15061: Legacy chaincode lifecycle is deprecated**

The legacy chaincode lifecycle from v1.x is deprecated and will be removed  
in a future release. To prepare for the eventual removal, utilize the v2.x  
chaincode lifecycle instead, by enabling V2\_0 application capability on all  
channels, and redeploying all chaincodes using the v2.x lifecycle. The new  
chaincode lifecycle provides a more flexible and robust governance model  
for chaincodes. For more details see the  
documentation for enabling the new lifecycle.

**Changes:**

*   8359607 Fix binary package creation
*   c9c60fd Release commit for v2.4.6.
*   468332c Prevent peer from failure on malformed proposal
*   7c12fa6 Extra checks for invalid args in gateway api
*   84e8b3b fix path for make dir CCAAS Builders
*   eb6b172 Add -buildvcs=false for ccaasbuilder (#3556) \[ #3315 \]
*   aa2aaa6 CCAAS Builders
*   0d584c4 Fixed active nodes metrics for etcdraft when a node is evicted. Instead of being frozen we set it to 0 once halt is called. Tests. (#3536)
*   7e2a6b9 Release commit for v2.4.5 (#3505)
*   0f18359 Check if inner consensus message is missing

**See More**

*   1473eca Release commit for v2.4.4 (#3487)
*   6f4282b Fix gossip unit test flake (#3215)
*   a914ec3 Bump Alpine to 3.16 (release-2.4) (#3472)
*   8ffd334 Locate correct block number for transaction ID in ChaincodeEvents (#3289)
*   f64eea2 Refactor of ChaincodeEvents service implementation to support resume (#3283)
*   02d63c3 Add -buildvcs=false for building binaries
*   60638b5 Improved gateway error for transient data failure \[ #3328 \]
*   a6947fa Use any peer to evaluate system chaincode transactions (#3447)
*   135c268 Improve response mismatch logging
*   29fea4f Log proposal response differences (backport #3420)
*   4c6ef91 Bump CouchDB to 3.2.2 (#3369)
*   c8f83e4 caas review comments
*   3c2c2f8 no mdash char supported
*   24e6f34 new caas page
*   6588ed2 Bump Go to 1.18.2 (#3423)
*   e5ad0ef Update chaincode language parameter name
*   ffbd37b Fix hyperlink
*   566a1a6 Fix warning log printing
*   ae316aa Properly handle concurrent building of chaincode packages
*   37cca19 Update cc\_service.md (#3355) (#3366)
*   1c97ab1 Node 16 and v1.4 libraries (#3357)
*   f6e8336 certs mgmt guide (#3307)
*   f614fb5 Additional TLS troubleshooting information (#3346)
*   1fb499a Handle empty policies when traversing the policy tree in discovery policy analysis (#3335)
*   0396bf9 Ignore channel double creation during replication. \[ #2931 \]
*   458345a Add in the CCAAS builders to the tgz package
*   9711fb5 Release commit for v2.4.3
*   47dd17a Ignore expired CA/TLS CA certs on msp init (#3238) (#3249) (#3252)
*   c89ba60 Gateway support for mutual TLS networks (#3235)
*   602f4c6 remove commercial paper references
*   80dbf8e Add Intermediate CA certs to dial options (#3225) (#3226)
*   fad7f69 Release commit for v2.4.2
*   0e9cdb2 Address windows platform in documentation \[ #2993 \]
*   63a7779 Bump Go to 1.17.5 (release-2.4) (#3182) \[ #3114 \]
*   e24c332 Refactor gateway Endorse() method
*   e7cb726 Close connections to stale ordering nodes
*   e1ed78f - Fix failure to generate all possible combinations (#3132)
*   af5d5df v2.4.1 release commit
*   ef5ac00 Update 'Running a Fabric Application' tutorial for Fabric Gateway
*   3580b4e Reduce CPU&memory cost of collecting endorsements
*   fbfdc1d Enable gateway concurrency limits
*   1f87709 Remove discovery.acl principal warning \[ #3006 \]
*   e0bb139 Adding a dedicated external builder
*   654a02b Fix channel config callback in gateway
*   abf5d30 Final peer for gateway (#3091) (#3095)
*   2d8d7f4 Randomize endorsement layouts
*   29d1e21 Network and Orderers for gateway
*   a95a8e7 latest PR review comments
*   41b6586 v2.4.0 release commit (#3078)
*   4f4e096 Update v2.4.0 release notes
*   f15b4ee Add command reference doc for ledgerutil
*   45707ac Add read version to the example in read-write set
*   b0de139 Add logging for identity, policy, and signature troubleshooting
*   1266978 Clarify v2.x upgrade docs (#3083)
*   6a7cdd0 Refine Gateway gRPC error status codes (#3075)
*   40fea67 goimports updates to prepare for Go 1.17 (#3070)
*   c14239c Add gateway ref to private data doc topic
*   a6a9fde EndorsementTimeout should apply to each endorser
*   bd1aaae Reference current application APIs in peer event service docs
*   91951d0 Log the transactionID in all log messages
*   2abb074 Remove redundant SDK documentation page
*   a1c13d8 Updates to endorser and gateway logging
*   34dcb8d Update protobuf definitions
*   5c2e358 Enhance gateway error logic
*   5014709 docs: fixing some typos
*   dee44d9 Don't use EndorseResponse.Result field (#3051)
*   c463b32 Fix CI script syntax
*   44faa13 Enable unaware threshold signature endorsement
*   8a4c7f3 Update Contract and Application API docs for Fabric Gateway (#3048)
*   91d7b7c Updates to Gateway doc topic (#3047)
*   6a415ee collection singular
*   e3abd66 use member of a collection
*   da935d7 Gateway overview edited
*   9c5e1df Clarify ProcessProposal error handling (#3044)
*   f089b24 Reword evaluate() error message
*   688d4d2 Add extra info to error message
*   6926cc1 no gateway via cli - tutorials (#3037)
*   cdc342e Add gateway architecture page to docs
*   534b1c1 Use correct timeout option (#3032)
*   d67d421 Show what do not match (#3012)
*   5113aa9 Better gRPC error on context error from CommitStatus service
*   62fb4c0 Update transaction flow doc for peer gateway
*   40f90c1 Fix typo in comment (#3016)
*   45f4dcb Add chaincode err message to Evaluate err message
*   42c99e0 Add documents for new options of calculatepackageid
*   b1c9d43 Add -O json option to calculatepackageid
*   ee18f9d Return package ID without any prefix by default for calculatepackageid
*   843ff14 Update Sphinx to v1.8.2
*   70ace58 Add integration tests for calculatepackageid command
*   abdb330 Add explanation of stringArray
*   89da86e Reword duplicate error message
*   d8ee1b4 Don’t close connection if already closing
*   31bc120 Retry logic for evaluate
*   7ebb704 Add documents for calculatepackageid command
*   3e433d4 Add calculatepackageid command
*   9ef778a Move to better IsAbs Implementation (#3000)
*   0f08904 Gateway endorsement retry logic
*   b4c2731 fix windows SyncDir issue
*   c90d50a Bump babel from 2.3.4 to 2.9.1 in /docs
*   0f904bb Adjusted from review comments
*   3914549 install-fabric.sh script - updated version of bootstrap.
*   3574d8b Check the package name on core/ledger/kvledger UT (#2987)
*   2ede756 Extra info in log message (#2982)
*   755ba79 set TestBlockPullerBadBlocks pullblock wait time (#2975)
*   b3cf25e Improve health checker docs
*   6897c80 Update developer environment (#2977)
*   21e4914 Rename EndpointError to ErrorDetail (#2974)
*   b52f776 Add clarifications to dev env versions in doc
*   7d51df1 docs: Use html\_style property instead of add\_stylesheet()
*   6656f72 Evaluate() error response for node chaincode
*   0625b10 Rename persistent\_msgs to persistance to avoid protobuf conflict
*   c8a6c43 Sort chaincode interests in tests (#2966)
*   7124587 Add unittest of writting multiple blocks for BlockWriter
*   d0b32ed Add unittest of writting config block synchronously for BlockWriter
*   295853b Write config blocks synchronously in Orderer
*   9636332 Refactor idemix implementation (#2955)
*   4b9ef57 Fix the project status to 'Graduated' instead of 'Active'
*   de9a64d docs: Add the path of softhsm2.conf for macOS
*   e66c951 Improve error messages when no endorsers found (#2963)
*   c62034e Add Information about AWS HSM
*   0d13aa6 Update links for Jira to GitHub issue transition in README
*   cf341ee Improve an error message in InstallChaincode
*   3a93662 Randomize selection of orderer nodes with retry (#2951)
*   210d20f Improve wording of log message
*   83cabf2 correct logger labels after cloning block puller.
*   f97177c Cache channel orderers in registry
*   f9027a4 docs: Don't apply the syntax highlighting of python
*   70ff46a Unit test flake when rpc server stream not closed (#2935)
*   0545ac8 Fixed Found Typos
*   aa8d06b Do not create new chain of type etcdraft.Chain if such exists in map of chains. This can happen when in Raft protocol a channel was created, but not marked as done in WAL logs, so at orderer startup it will try to rerun creation tx and panic because the channel already exists.
*   8999ce7 Apply the style only the key in readwrite.rst (#2933)
*   1243e99 Fix the result message in test\_network.md \[ #394 \]
*   8767ced Fix broken links for international workgroups (#2920)
*   85a67f8 Implement DisregardNamespacePolicy for gateway
*   3594a3b Update docs for Jira to GitHub issue transition
*   a395f3b updated chaincode4ade.rst("Writing your first chaincode") showing good practise on how to achieve determinism in json
*   b735309 Updates in main for v2.3.3
*   e55a388 Minor code clean-up in Gateway ChaincodeEvents handling (#2899)
*   beb8f5d Implement chaincode event replay for Fabric Gateway (#2896)
*   dd539d3 Refactor ChaincodeEvents to use ledger iterator (#2891)
*   b1d7538 Private Data Comparison \[ #2818 \]
*   cbe7d44 Nominate Andrew Coleman as Fabric maintainer
*   b563b08 Fixed a typo in private\_data\_tutorial
*   4875635 Update alpine base image to 3.14 (#2881)
*   7cb82ee Clean up Go modules (main) (#2878)
*   aa76c70 \[Document\] typo fix
*   6ec8d72 Stop spamming for wait channel acquirement in orderer integration test
*   f62e877 Clarify bootstrap.sh message when fabric-samples tag not found
*   868166d Gateway integration tests - adv. endorsement
*   9788c9b Early Differences Flag
*   394fb86 Prepare for next release v2.4.0
*   b0e0c4f fix typo
*   1fbdc18 Update Go to v1.16.7
*   38348fb \[FAB-11334\] - Adds a functional / integration test for peer unjoin channel
*   bc1898e Gateway Evaluate() with transient data
*   540fff8 FAB18529 added nil check in channel header parsing
*   36884f0 Add documentation for AbsoluteMaxBytes
*   98973a8 Options for GRPC message size configurable
*   b64d362 Update bootstrap.sh download script for Fabric CA v1.5.1
*   a330b66 Add release notes for v2.4.0-beta release
*   dac896a Add slash command for invalid issue
*   474badd Better error messages from Gateway
*   497a177 Fix FAB-18528: remove panic in ifConfig func (#2828)
*   c41ffff Fix small doc errors (#2816)
*   99d2e32 Output File Exists Error
*   ea48474 \[FAB-11334\] Adds a 'peer node unjoin' CLI entrypoint to unjoin a peer from a channel (#2769)
*   87ea070 Gateway enabled by default
*   5331bbc FAB-18067 Discovery support Implicit Collections (#2784)
*   240cf0e Merge and enhance coding guidelines across github and wiki
*   bb8bada \[FAB-11334\] Adds a function to purge a ledger's transient storage (#2769)
*   f662d98 FABGW-25 Endorse using generated ChaincodeInterest (#2773)
*   71037f3 Update CHANGELOG.md
*   95fb683 Hardening raft catchup IT
*   463271e FAB 18365 evictionsuspicion failing when osn failed (#2780)
*   fe71474 Additional documentation for implicit private data collections
*   fa3960b FABGW-25 Test for system chaincode (#2771) \[ #2767 \]
*   52b12dc Update private data docs - remove SDK reference (#2770)
*   26ec54a FABGW-25 Build ChaincodeInterest in TX simulator (#2767)
*   e5e623d \[FAB-18527\] Discovery supports DisregardNamespacePolicy hint from client (#2768)
*   9a922fd \[FAB-18527\] Discovery supports state based endorsement queries (#2764)
*   84c1270 \[FABGW-25\] Move chaincode interest to proposal response proto (#2763)
*   ffe7d36 \[FAB-18521\] Fixing flaky IT, send remove tx to another node (#2761) \[ #2748 \]
*   44ab2bf \[FAB-18521\] Replicate block metadata with block while OSN catching up (#2748)
*   2c69863 Update test network tutorial for new profile
*   e4b66f9 Update boostrap.sh for test network
*   cf263b0 \[FAB-11334\] Scrubs partially constructed/deleted ledgers at peer init (#2754)
*   62cd59c fixed peer documents
*   f7f77af fixed peer sample config
*   fda47c5 Renamed Ledger Binary To Ledgerutil (#2746)
*   9736485 \[FAB-11334\] Adds a new 'peer node unjoin' feature (#2732)
*   73c46a1 Updated enrollUser function in write\_first\_app Doc (#2713)
*   965664f Update docs to clarify that an implicit collection can not have an index
*   1249da2 \[FAB-18509\] Stop panic of collection index path is wrong (#2726)
*   9c3d459 \[FAB-18508\] ledger utility always outputs txNum (#2724)
*   4c4e58c File Location Flag (#2709)
*   b5e0d27 Added a possibility to override chaincode.externalBuilders via env variable (#2643)
*   1f1c303 fix typo
*   b034225 \[Doc-Update\] + What is a commercial paper section
*   1ee03b3 Add function to delete the ledger data for a channel (#2722)
*   7151302 Fixed grammatical errors
*   4e2f86e Fix a typo in CouchDB tutorial
*   3a75b65 Use protoc-gen-go 1.3.3 for generating protos \[ #2113 \]
*   8ce450e Fix typo
*   4422a19 Fix peerchaincode.md as well
*   4e67cbe Add explanation of --ctor JSON string
*   cdd5a04 Compare Snapshots Utility
*   d80cd2a Clarify Verify behaviour in PKCS11 Impl
*   d55dc8e fix typo (#2695)
*   8689771 Retire Will Lahti as maintainer (#2704)
*   16259ed Mandate TLS 1.2 or higher in fabhttp package
*   b5a4fe9 Address PR comments in Gateway integration tests
*   52c09b6 Clarify orderers seeing the transaction data
*   aa0b33f Retire Brett Logan as maintainer
*   00910ba Handle missing endpoints from discovery
*   dc09b6e Cherry pick deploy CC fixes to main branch
*   fd218eb Clarify "identity expired" error messages (#2685)
*   d9e850d Fix spelling mistakes in the Github Contributions page
*   3c7fa86 \[FAB-18484\] Return transaction forwarding result back to the client synchronously
*   6fbca49 Update Artem Barger email address (#2671)
*   c81f265 Link fixes detailed in FAB-18494
*   266497f Typo fix in peer deployment guide in main (#2660)
*   b4cd030 Link fixes in create channel tutorial (#2661)
*   dde41d9 Fix link in orderer deployment guide in main
*   b2f7292 Improve mvcc log warnings (#2649)
*   04796e6 Use protobuf Getters to avoid nil reference (#2646)
*   07808a0 Clarify doc for readset validations (#2647)
*   a8dbb68 FABGW-20 Implement TargetOrgs for Evaluate() (#2642)
*   85ae90c Added RetrieveBlockByNumber into blockledger (#2635)
*   1ad4422 Update secured\_private\_asset\_transfer\_tutorial.md
*   1f89be9 FABGW-21: Realtime implementation of ChaincodeEvents service (#2604)
*   34a4186 Fix minor code comment
*   9170fea Return block number along with validation code (#2614)
*   e8e39e6 \[FAB-18479\] Log error if orderer can't forward SubmitRequest to Raft leader
*   f1fc499 fix duplicate entry in code snippet
*   17dc11c Update Building docs to reflect UI changes
*   0334d52 replace brew cask install --appdir='/Applications' docker with brew install --cask docker
*   4e201af Optionally disable gossip block forwarding (#2606)
*   b4efe85 FABGW-20 Specify endorsing organizations (#2578)
*   6f0bef1 Bump vmImage to Ubuntu-20.04
*   f8070ec Maintain order of transactions in the commit notification

This list of changes was auto generated.

CVE-2022-36023: Release v2.4.6 · hyperledger/fabric

Pentesting and vulnerability scanning are often confused for the same service. The problem is, business owners often use one when they really need the other. Let's dive in and explain the differences.
People frequently confuse penetration testing and vulnerability scanning, and it's easy to see why. Both look for weaknesses in your IT infrastructure by exploring your systems in the same way an

Pentesting and vulnerability scanning are often confused for the same service. The problem is, business owners often use one when they really need the other. Let's dive in and explain the differences.

People frequently confuse penetration testing and vulnerability scanning, and it's easy to see why. Both look for weaknesses in your IT infrastructure by exploring your systems in the same way an actual hacker would. However, there is a very important distinction between the two - and when each is the better option.

****Manual or automated?****

Penetration testing is a **_manual_** security assessment where cyber security professional attempts to find a way to break into your systems. It's a hands-on, in-depth test to evaluate security controls across a variety of systems, including web application, network and cloud environments. This kind of testing could take several weeks to complete, and due to its complexity and cost, is commonly carried out once a year.

Vulnerability scanning, on the other hand, is **_automated_** and performed by tools which can be either installed directly on your network or accessed online. Vulnerability scanners run thousands of security checks across your systems, producing a list of vulnerabilities with remediation advice. So it's possible to run continuous security checks even without having a full-time cyber security expert on your team.

****One-off or regular?****

Penetration tests have long been an essential part of many organization's strategy to protect themselves from cyber attack, and an excellent way to find flaws at a certain point in time. But penetration testing alone can leave organizations defenceless inbetween testing.

Performing annual penetration tests as a primary defence against attackers has long been an essential part of many organisation's strategy to protect themselves from cyber attack, for good reason. And while it is certainly better than doing nothing, it does have a fairly significant drawback — what happens between tests?

For example, what happens when a critical new vulnerability is discovered in the Apache web server operating a sensitive customer portal during that long year between their annual pentesting? Or a security misconfiguration is made by a junior developer? What if a network engineer temporarily opens up a port on a firewall exposing a database to the internet, and forgets to close it? Whose job is it to notice these issues which, if left unchecked, could result in a data breach or compromise?

****Pentesting is not enough****

Without continuous monitoring of issues such as these, they wouldn't be identified and fixed before attackers got the chance to exploit them.

Companies that need robust physical security often boast of having 24/7 automated solutions to deter attackers 365 days a year. So why do some treat cyber security any differently? Especially when on average 20 new vulnerabilities get discovered every single day.

So you can see why infrequently scheduled pentesting alone is not enough. Here's a simple analogy: it's like checking the locks of your high-security premises once a year, but leaving it unmanned or not checking if it's secure until your next annual once over. Sounds crazy, right? Who's checking that the door's locked?

****Around the clock coverage****

While some companies still use annual pentesting as their only line of defence, many are starting to see how frequently new threats arise and the value of continuous, automated threat scanning.

Scanning on a regular basis with a vulnerability scanner like Intruder complements manual testing by providing organisations with ongoing security coverage _between_ manual penetration tests. Intruder's automated scanner runs around the clock alerting users to new vulnerabilities as soon as they appear.

Vulnerability scanning is already the first port of call for companies of all sizes, with expert manual penetration testing included in solutions like Intruder's Vanguard employed as a powerful backup.

It's not enough to simply do one or the other. Thankfully, awareness is increasing of the need for a strategy which provides protection all year round.

_Intruder's continuous vulnerability scanning service helps you keep on top of the latest vulnerabilities and alerts you to emerging threats which affect your most-exposed systems. Get started with a_ _free trial today__._

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Penetration Testing or Vulnerability Scanning? What's the Difference?

Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.


**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-38362

An issue was discovered in rageframe2 2.6.37. There is a XSS vulnerability in the user agent related parameters of the info.php page.

**RageFrame 2.0**

重量级全栖框架，为二次开发而生

**前言**

这是一款现代化、快速、高效、便捷、灵活、方便扩展的应用开发骨架。

RageFrame 创建于 2016 年 4 月 16 日，一个基于 Yii2 高级框架的快速开发引擎，目前正在成长中，目的是为了集成更多的基础功能，不再为相同的基础功能重复制造轮子，开箱即用，让开发变得更加简单。  
2018 年 9 月 10 日 2.0 版本正式上线，经过 1.0 版本一年多的开源反馈磨合，以更加优秀的形态出现。对 1.0 的版本进行了重构优化完善，更好的面向开发者进行二次开发。2.3.x 版本更是优化了底层突出了服务层，分离业务逻辑，支持多商户。

**特色**

*   极强的可扩展性，应用化，模块化，插件化机制敏捷开发。
*   极致的插件机制，微核架构，良好的功能延伸性，功能之间是隔离，可定制性高，可以渐进式地开发，逐步增加功能，安装和卸载不会对原来的系统产生影响,强大的功能完全满足各阶段的需求，支持用户多端访问(后台、微信、Api、前台等)。
*   极完善的 RBAC 权限控制管理、无限父子级权限分组、可自由分配子级权限，且按钮/链接/自定义内容/插件等都可加入权限控制。
*   只做基础底层内容，不会在上面开发过多的业务内容，满足绝大多数的系统二次开发。
*   多入口模式，多入口分为 Backend (后台)、Merchant (商户端)、Frontend (PC前端)、Html5 (手机端)、Console (控制台)、Api (对内接口)、OAuth2 Server (对外接口)、MerApi (商户接口)、Storage (静态资源)，不同的业务，不同的设备，进入不同的入口。
*   对接微信公众号且支持小程序，使用了一款优秀的微信非官方 SDK Easywechat 4.x，开箱即用，预置了绝大部分功能，大幅度的提升了微信开发效率。
*   整合了第三方登录，目前有 QQ、微信、微博、GitHub 等等。
*   整合了第三方支付，目前有微信支付、支付宝支付、银联支付，二次封装为网关多个支付一个入口一个出口。
*   整合了 RESTful API，支持前后端分离接口开发和 App 接口开发，可直接上手开发业务。
*   一键切换云存储，本地存储、腾讯 COS、阿里云 OSS、七牛云存储都可一键切换，且增加其他第三方存储也非常方便。
*   全面监控系统报错，报错日志写入数据库，方便定位错误信息。支持直接钉钉提醒。
*   快速高效的 Servises (服务层)，遵循 Yii2 的懒加载方式，只初始化使用到的组件服务。
*   丰富的表单控件(时间、日期、时间日期、日期范围选择、颜色选择器、省市区三级联动、省市区勾选、单图上传、多图上传、单文件上传、多文件上传、百度编辑器、百度图表、多文本编辑框、地图经纬度选择器、图片裁剪上传、TreeGrid、JsTree、Markdown 编辑器)和组件(二维码生成、Curl、IP地址转地区)，快速开发，不必再为基础组件而担忧。
*   快速生成 CURD ,无需编写代码，只需创建表设置路径就能出现一个完善的 CURD ,其中所需表单控件也是勾选即可直接生成。
*   正常开发只需要开发商户端，没有 Saas 的时候商户端就是总后台，有了 Saas，商户端就是子后台
*   完善的文档和辅助类，方便二次开发与集成。

**思维导图**

**应用架构流程**

**系统快照**

【系统 - 首页】  【系统 - 配置管理】  【系统 - 角色编辑】  【系统 - 日志统计】  【会员 - 信息】  【微信 - 自定义菜单】  【插件模块 - 列表】  【插件模块 - 文章模块】  【插件模块 - 系统监控】 

**开始之前**

*   具备 PHP 基础知识
*   具备 Yii2 基础开发知识
*   具备 开发环境的搭建
*   仔细阅读文档，一般常见的报错可以自行先解决，解决不了再来提问
*   如果要做小程序或微信开发需要明白微信接口的组成，自有服务器、微信服务器、公众号（还有其它各种号）、测试号、以及通信原理（交互过程）
*   如果需要做接口开发(RESTful API)了解基本的 HTTP 协议，Header 头、请求方式（GET\POST\PUT\PATCH\DELETE）等
*   能查看日志和 Debug 技能
*   一定要仔细走一遍文档

**Demo**

地址：http://demo2.rageframe.com/backend  
账号：demo  
密码：123456

**官网**

http://www.rageframe.com

**文档**

安装文档 · 本地文档 · 更新历史 · 常见问题

**插件**

*   微商城：https://github.com/jianyan74/TinyShop
*   微信公众号：https://github.com/jianyan74/Wechat
*   商家管理：https://github.com/jianyan74/Merchants
*   在线文档：https://github.com/jianyan74/RfOnlineDoc

**问题反馈**

在使用中有任何问题，欢迎反馈给我，可以用以下联系方式跟我交流

QQ群1：655084090 (2000人快满)  
QQ群2：1148015133 (新群)

GitHub：https://github.com/jianyan74/rageframe2/issues

**特别鸣谢**

感谢以下的项目，排名不分先后

Yii：http://www.yiiframework.com

EasyWechat：https://www.easywechat.com

Bootstrap：http://getbootstrap.com

AdminLTE：https://adminlte.io

...

**版权信息**

RageFrame 遵循 Apache2 开源协议发布，并提供免费使用。

本项目包含的第三方源码和二进制文件之版权信息另行标注。

版权所有Copyright © 2016-2020 by RageFrame www.rageframe.com

All rights reserved。

CVE-2022-36530: GitHub - jianyan74/rageframe2: 一个基于Yii2高级框架的快速开发应用引擎

In Eclipse Sphinxâ„¢ before version 0.13.1, Apache Xerces XML Parser was used without disabling processing of referenced external entities allowing the injection of arbitrary definitions which is able to access local files and expose their contents via HTTP requests.

**Related documentation**

*   Creating an account

You are not authorized to access bug #580542. To see this bug, you must first log in to an account with the appropriate permissions.

Please press **Back** and try again.

CVE-2022-2838: Bug Access Denied

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

CVE-2020-21642: ManageEngine Analytics Plus | Release Notes

Gentoo Linux Security Advisory 202208-20 - Multiple vulnerabilities have been discovered in Apache Webserver, the worst of which could result in remote code execution. Versions less than 2.4.54 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202208-20  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Apache HTTPD: Multiple Vulnerabilities  
     Date: August 14, 2022  
     Bugs: #813429, #816399, #816864, #829722, #835131, #850622  
       ID: 202208-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Apache Webserver, the  
worst of which could result in remote code execution.

Background  
=========  
The Apache HTTP server is one of the most popular web servers on the  
Internet.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-admin/apache-tools     < 2.4.54                    >= 2.4.54  
  2  www-servers/apache         < 2.4.54                    >= 2.4.54

Description  
==========  
Multiple vulnerabilities have been discovered in Apache HTTPD. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Apache HTTPD users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=www-servers/apache-2.4.54"

All Apache HTTPD tools users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-admin/apache-tools-2.4.54"

References  
=========  
[ 1 ] CVE-2021-33193  
      https://nvd.nist.gov/vuln/detail/CVE-2021-33193  
[ 2 ] CVE-2021-34798  
      https://nvd.nist.gov/vuln/detail/CVE-2021-34798  
[ 3 ] CVE-2021-36160  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36160  
[ 4 ] CVE-2021-39275  
      https://nvd.nist.gov/vuln/detail/CVE-2021-39275  
[ 5 ] CVE-2021-40438  
      https://nvd.nist.gov/vuln/detail/CVE-2021-40438  
[ 6 ] CVE-2021-41524  
      https://nvd.nist.gov/vuln/detail/CVE-2021-41524  
[ 7 ] CVE-2021-41773  
      https://nvd.nist.gov/vuln/detail/CVE-2021-41773  
[ 8 ] CVE-2021-42013  
      https://nvd.nist.gov/vuln/detail/CVE-2021-42013  
[ 9 ] CVE-2021-44224  
      https://nvd.nist.gov/vuln/detail/CVE-2021-44224  
[ 10 ] CVE-2021-44790  
      https://nvd.nist.gov/vuln/detail/CVE-2021-44790  
[ 11 ] CVE-2022-22719  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22719  
[ 12 ] CVE-2022-22720  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22720  
[ 13 ] CVE-2022-22721  
      https://nvd.nist.gov/vuln/detail/CVE-2022-22721  
[ 14 ] CVE-2022-23943  
      https://nvd.nist.gov/vuln/detail/CVE-2022-23943  
[ 15 ] CVE-2022-26377  
      https://nvd.nist.gov/vuln/detail/CVE-2022-26377  
[ 16 ] CVE-2022-28614  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28614  
[ 17 ] CVE-2022-28615  
      https://nvd.nist.gov/vuln/detail/CVE-2022-28615  
[ 18 ] CVE-2022-29404  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29404  
[ 19 ] CVE-2022-30522  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30522  
[ 20 ] CVE-2022-30556  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30556  
[ 21 ] CVE-2022-31813  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31813

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202208-20

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202208-20

‘Summer Camp’ for hackers features a compromised satellite, a homecoming for hackers and cyberwarfare warnings.

‘Summer Camp’ for hackers features a compromised satellite, a homecoming for hackers and cyberwarfare warnings.

There was nothing typical this year at BSides LV, Black Hat USA and DEF CON – also known collectively as Hacker Summer Camp. The weeklong collection of cybersecurity conferences featured an eclectic mix of attendees to learn, network, hack and have fun. The week even included a rare Las Vegas flash flood (not a new DDoS technique) on Thursday creating chaos in one casinos.

The past week, while not ‘typical’, was a nod to normalcy for attendees. Attendance for events was up from the previous year, which in 2021 was muted by lower attendance and COVID fears. Here is a roundup of leading research, themes and buzz from this year’s shows.  

****Research of Note****

Video conferencing darling Zoom was highlighted at DEF CON by Patrick Wardle, founder of the Objective-See Foundation, for a hacking technique that allowed him, using the macOS version of Zoom, to elevated privileges and gain access to the entire macOS operating system.

Pen Test Partners revealed a flaw in the Electronic Flight Bag tablets used by some Boeing aircraft pilots that could have allowed an adversary to modify data “and cause pilots to make dangerous miscalculations,” according to a Reuters report.

Starlink, the satellite operated by SpaceX that provides internet access to over 36 countries, was shown vulnerable to a hack via a $25 modchip. Belgian researcher Lennert Wouters revealed at Black Hat how he mounted a successful fault injection attack on a user terminal used to manage the satellite.

Researcher James Kettle debuted a new class of HTTP request smuggling attack that allowed him to compromise Amazon and Akamai, break TLS, and exploit Apache servers, according to reporting from Portswigger’s The Daily Swig.

Journalist Eduard Kovacs reported on a high-severity Realtek bug in the company’s eCos SDK. Found by Faraday Security and discussed at DEF CON, the eCos SDK is used in a variety of routers, access points and network repeaters, according to his report.

For fans of FUD, PC Magazine has a nice rundown of “The 14 Scariest Things We Saw at Black Hat 2022“. Things keeping them up are SMS codes flunk MFA, an “invisible finger to take control” of your touchscreen device and a Microsoft hiccup when launching its Early Launch Antimalware (ELAM).

****Topics of Discussion****

The main Black Hat keynote was from Chris Krebs, former Cybersecurity and Infrastructure Security Agency (CISA), who shared his optimism when it comes to the US approach to information security. However, he did express pessimism that US cyber-defenses were too focused on nation state attackers versus more mundane and pressing concerns, in his estimation, such as ransomware.

Ukraine war and Log4j also were major themes at each of the conferences. ESET provided Black Hat attendees with an update on cyberattacks against Ukraine. Firms such as CyCognito warned that we aren’t out of the Log4j woods. A report by SiliconAngle  quotes Robert Silvers, undersecretary for policy at the Department of Homeland Security, echoed those concerns telling attendees that “\[Log4j\] is most likely that organizations are going to deal with Log4j issues for at least a decade and maybe longer.”

Victor Zhora, deputy head of Ukraine’s State Special Communications Service, told Black Hat attendees that his country’s infrastructure has experienced a 300 percent uptick in cyber incidents since Russia’s invasion of the country. The visit was unannounced, according to a Voice of America report.

Meanwhile current White House Cyber Director Chris Inglis told journalist Kim Zetter, during a DEF CON session, that he was focused on “‘three waves of attacks’ that have progressed in recent years,” according a Nextgov report.

_The first wave “focused on adversaries holding data and systems at risk.” In the second, the attackers “still held data and systems at risk, but they then abstracted that into holding critical functions at risk.” The third is an attack on confidence, as exemplified by the attack on the Colonial Pipeline. –_ Nextgov.

For DEF CON, it was the event’s 30th anniversary, which events organizers billed as not a birthday but a Hacker Homecoming.

“This has been a crazy couple of years,” according to an official DEF CON forum post.

“A global pandemic turned DEF CON 28 into DEF CON Safe Mode. Some easing of the restrictions and some strict attendance rules gave us a hybrid con for DC29. An improvement, to be sure, but something short of a full DEF CON experience… We want DEF CON 30 to have the energy of a reunion… In honor of all that, we’re calling DEF CON 30 ‘Hacker Homecoming’.”

Black Hat and DEF CON Roundup

Authentication Bypass by Primary Weakness in GitHub repository cockpit-hq/cockpit prior to 2.2.2.

**Description**

2FA secret is disclosed in JWT token after user logs into his account in Cockpit Content Platform ≤ v2.2.1 allowing attacker to bypass the 2FA code.

**Proof of Concept**

1.Login with your admin account and enable 2FA in your account and logout.

2.Go to http://yourserver.com/cockpit221/auth/login and enter your username and password and intercept the request in BurpSuite or Owasp Zap.

3.Now, Click perform following action "Right click > Do intercept > Response to this request" and forward the request.

4.Now you will get a response like this from http://yourserver.com/cockpit221/auth/check.

HTTP/1.0 200 OK

Date: Thu, 11 Aug 2022 11:24:32 GMT

Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/8.1.6 mod\_perl/2.0.12 Perl/v5.34.1

X-Powered-By: PHP/8.1.6

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Vary: Accept-Encoding

Content-Length: 520

Connection: close

Content-Type: application/json

{"success":true,"user":{"name":"Suvam","user":"suvam","email":"admin@suvam.com","twofa":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoic3V2YW0iLCJlbWFpbCI6ImFkbWluQHN1dmFtLmNvbSIsImFjdGl2ZSI6dHJ1ZSwibmFtZSI6IlN1dmFtIiwiaTE4biI6ImVuIiwicm9sZSI6ImFkbWluIiwidGhlbWUiOiJhdXRvIiwiX21vZGlmaWVkIjoxNjYwMjE2OTczLCJfY3JlYXRlZCI6MTY2MDIxNDU5OSwiX2lkIjoiN2QwM2FhZWI2MjM1NjVkZGM3MDAwMzRlIiwidHdvZmEiOnsiZW5hYmxlZCI6dHJ1ZSwic2VjcmV0IjoiMjdPWUNJSVpJQ1JER0JUVUFPVUVTQzNHM1BXNUU2Q04ifX0.Q5DL1pZv4bYI8909luvRZse4FnszLFOGIVCvGVcqbDk"}}

5.Now, copy the payload of JWT token and decode it. The structure of JWT token is like this header.payload.signature .

6.Decode the payload. You will notice that the Authentication Secret token is disclosed in the payload JWT token.

7.Copy the Authenticator Secret token and provide it to Google Authenticator . @2FA is bypassed.

8.Attacker can exploit this vulnerability to bypass 2FA.

**Proof Of Concept Video : https://drive.google.com/file/d/1rKCtY5W7XyIuApHtVAdWOusHJpw8b8OF/view?usp=sharing****Impact**

Account Takeover

CVE-2022-2818: 2FA Bypass in Cockpit Content Platform ≤ v2.2.1 in cockpit

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config. This issue affects: Apache OpenOffice versions prior to 4.1.13. Reference: CVE-2022-26307 - LibreOffice

CVE-2022-37401

Apache OpenOffice Advisory

**Weak Master Keys**

**Fixed in Apache OpenOffice 4.1.13**

**Description**

Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulnerable to a brute force attack if an attacker has access to the users stored config.

**Severity: Moderate**

There are no known exploits of this vulnerability.  
A proof-of-concept demonstration exists.

Thanks to the reporter for discovering this issue.

**Vendor: The Apache Software Foundation**

**Versions Affected**

All Apache OpenOffice versions 4.1.12 and older are affected.  
OpenOffice.org versions may also be affected.

**Mitigation**

Install Apache OpenOffice 4.1.13 for the latest maintenance and cumulative security fixes. Use the Apache OpenOffice download page.

**Acknowledgments**

The Apache OpenOffice Security Team would like to thank Selma Jabour, OpenSource Security GmbH, Germany on behalf of the German Federal Office for Information Security, for discovering and reporting this attack vector

**Further Information**

For additional information and assistance, consult the Apache OpenOffice Community Forums or make requests to the users@openoffice.apache.org public mailing list.

The latest information on Apache OpenOffice security bulletins can be found at the Bulletin Archive page.

Security Home\-> Bulletin\-> CVE-2022-37401

Tag

#apache