A denial of service vulnerability was reported in Lenovo PCManager prior to version 4.0.40.2175 that could allow configuration files to be written to non-standard locations during installation.

![](https://iknow.lenovo.com.cn/front/images/qcode.jpg)

 ![](https://iknow.lenovo.com.cn/front/images/pointright.png) 1548 | ![](https://iknow.lenovo.com.cn/front/images/pointleft.png) 198

![](https://iknow.lenovo.com.cn/front/images/recomendBak.png)

感谢您的青睐，以下知识也很棒哦

![](https://iknow.lenovo.com.cn/front/images/close.png)

联想网站提供的技术方案或与您产品的实际情况有所差异，您需在完整阅读方案并知晓其提示风险的情况下谨慎操作，避免造成任何损失。

CVE-2021-3722: 联想中国(Lenovo China)联想知识库

A denial of service vulnerability was reported in Lenovo PCManager prior to version 4.0.20.10282 that could allow an attacker with local access to trigger a blue screen error.

CVE-2021-3721: 联想中国(Lenovo China)联想知识库

A denial of service vulnerability was reported in Lenovo Thin Installer prior to version 1.3.0039 that could trigger a system crash.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources

**Resources**

*   Where to Buy
*   Shopping Help
*   Sales Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | |

CVE-2022-0636: Lenovo Thin Installer Denial of Service Vulnerability - Lenovo Support DE

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 211240.

CVE-2021-38946: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities

Comcast Business mitigated 24,845 multi-vector DDoS attacks in 2021, a 47 percent increase over 2020.

**PHILADELPHIA – APRIL 20, 2022 –** Comcast Business today published results from its 2021 Comcast Business DDoS Threat Report. The report provides an overview of the Distributed Denial of Service (DDoS) attack landscape, trends experienced by Comcast Business customers and insights for measuring and mitigating risks. The report found that mulit-vector DDoS attacks targeting Layers 3, 4, and 7 simultaneously represent a 47 percent increase from the record number set in 2020.

“DDoS attacks, when they occur, can be costly and difficult to defend. The risk of losing network, server and application availability is higher than ever,” said Shena Seneca Tharnish, Vice President, Cybersecurity Products, Comcast Business. “With threat actors constantly innovating, organizations must stay vigilant to help protect their infrastructure from bad actors determined to cause financial and reputational damage."

The report indicates that 2021 was another record year for DDoS attacks, as Comcast Business DDoS Mitigation Services successfully identified and helped defend 24,845 multi-vector attacks targeting Layers 3,4, and 7 simultaneously. Overall, 69 percent of Comcast Business customers experienced DDoS attacks, a 41 percent increase over 2020, while 55 percent were targets of mulit-vector attacks, as opposed to in 2020 where most customers experienced single vector attacks.

The data also shows that DDoS attackers were indiscriminate and persistent as no verticals were spared and everyone was fair game – from tow truck drivers to churches, government, utilities, IT companies, online gambling sites, and manufacturing operations. However, the healthcare and education sectors remain favorite targets.

Seventy-three percent of all multi-vector attacks targeted the education, finance, government and healthcare sectors, likely due to vulnerabilities brought on by the COVID-19 pandemic. Threat actors also used industry-specific seasonal trends and activities to guide attacks and maximize impact.

Attacks on education customers followed the cadence of a typical school year, starting strong in January before taking a significant dip over the summer when schools were out, while the financial sector experienced a 3X uptick in attacks during November and December compared to the rest of the year.

Other key findings from the 2021 Comcast Business DDoS Threat report include:

· Attacks on information technology customers grew steadily, ending the year at 10X the January numbers.

· 98 percent of all multi-vector attacks were under 5 Gbps, as bad actors often strike at low volumes to avoid detection, degrade site performance and map out network vulnerabilities for reconnaissance.

· 69 percent of all multi-vector attacks lasted under 10 minutes, as short duration attacks are harder to detect and give IT organizations less time to respond, quickly overwhelming defenses.

· The number of vectors deployed in a single multi-vector attack increased from five to 15, while the number of amplification protocols used in multi-vector attacks increased from three to nine.

· 99 percent of customers experienced repeat attacks, while the largest and most severe attack was delivered at a rate of 242 Gbps.

The 2021 Comcast Business DDoS threat report focuses on multi-vector attacks that target Layers 3, 4, and 7 simultaneously. To download the report, please visit: https://business.comcast.com/community/browse-all/details/2021-comcast-business-ddos-threat-report

Comcast Business 2021 DDoS Threat Report:  DDoS Becomes a Bigger Priority as Multivector Attacks are on the Rise

Red Hat Security Advisory 2022-1356-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.10. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-1356-01

Red Hat Security Advisory 2022-1461-01 - Updates have been made to Logging Subsystem 5.4 - Red Hat OpenShift. Issues addressed include denial of service and man-in-the-middle vulnerabilities.

Red Hat Security Advisory 2022-1461-01

From increasing cybersecurity awareness in staff, students, and parents to practicing good security hygiene for devices, using endpoint protection, and inspecting network traffic, schools can boost cybersecurity to keep students safe.

Since the onset of the pandemic, cyberattacks on schools and educational institutions have skyrocketed. In fact, K12 Security Information Exchange, a Virginia-based nonprofit that helps schools defend against cybersecurity risk, tracked more than 1,200 cybersecurity incidents since 2016 in US public school districts, consisting of ransomware attacks, grading system breaches, and child stalkers.

Students, teachers, and parents are increasingly reliant on technology to execute virtual learning. Tech plays a role in everything from personal student information to attendance and grading records. This sensitive data is more vulnerable to breaches, demanding that educational institutions get serious about bolstering their cybersecurity strategies.

Most public schools are exactly known for having robust budgets. While many educational institutions lack the funds for a full-scale cybersecurity plan or full-time IT staff, there are things that can be done to ensure that devices managed by schools are kept safe and secure. To protect a school, it's important to understand why and how cybercriminals target schools, and to train students and employees in best practices for ensuring that school-managed devices are used properly and securely.

**Why Do Attackers Target Schools?  
**Compared with the financial stakes of corporations and critical identification information housed within government agencies, it seems odd that a hacker would target public schools. But it turns out that there is more to be stolen than just lunch money.

The fact is that K-12 schools possess _loads_ of data, especially since schools turned to remote learning. In the last three years, schools handed out millions of digital devices and mobile hotspots to students and employees. These devices are used to access an increasingly large portfolio of online programs and apps for instruction. Without proper policies or device management systems in place, students have unfettered access to the Internet and the dangers within it. Not only are hackers finding their own way in, but user-initiated risk is also a concern. With increased entry points, hackers have myriad opportunities to uncover important data that helps facilitate identity theft. Personal information such as children's Social Security numbers is exposed through a cyberattack on a school, creating a very real problem for those too young to protect themselves.

It turns out that cybercriminals know about school funding problems too. Armed with the assumption that a K-12 school doesn't have the budget to implement and maintain a sophisticated cybersecurity system, hackers find themselves with a roster of easy targets. Not even higher education institutions are immune to cyberattacks. In fact, a university or college's high tuition costs are actually a motivator. In these cases, cybercriminals can take a university's website hostage in order to receive payments.

While educational institutions might offer the best in higher learning, the level of security systems put in place can vary. Without basic training, students and teachers are especially unaware of the tactics used by cybercriminals to obtain information.

Additionally, the sustained use of legacy infrastructure combined with the use of unprotected personal devices can also make an institution more susceptible to bugs and data breaches.

**Common Ways Schools Are Being Targeted  
**Douglas Levin, national director at K12 Information Exchange, found in his research that schools are typically targeted in four major ways.

First, through ransomware. This malicious software can publish or block access to data or a computer system until the victim meets the cybercriminal's demands. Second, victims experience denial-of-service (DoS) attacks in which a cybercriminal interrupts services indefinitely and makes a network or device unavailable for use.

Third on the list is a classic DoS attack: zoombombing. This cyberattack in which an uninvited perpetrator hijacks a Zoom meeting occurred frequently during the pandemic, and became a disruption to learning. It's a concrete example of how modern education needs to evolve to achieve modern security, and a simple fix such as requiring a password to enter a Zoom meeting can help combat such disruptions. Finally, schools are often victims of phishing cyberattacks, in which the cybercriminal has the ability to steal user data like logins, personal addresses, and grading information.

**How Schools Can Protect Themselves  
**School IT teams can bolster cybersecurity with these steps:

*   **Increase cybersecurity awareness** through regular cybersecurity training and awareness campaigns. As students, parents, administrators, and teachers all face different cyber threats, it's essential that these training sessions are relevant to everyone in the system who has access to the school's network and devices.
*   **Practice good security hygiene** for devices. This includes updating software to the most current edition, backing up files, deleting redundant files, and uninstalling unwanted applications. Beyond the device, ensure websites are password protected, infrastructure is locked down, and default passwords are updated.
*   **Do regular checkups on your inventory of assets.** Compare and contrast how your current systems stack up against recommended cyber frameworks, keep a watchful eye on your inventory of assets, and invest in extra protections for legacy systems that are unable to be updated.
*   **Inspect network traffic and Internet use.** Don't allow users with school-issued devices to have free rein of the Internet. Restrict access to illegal or potentially malicious sites that don't meet safe Internet standards. Help your institution zero in on cybersecurity pain points to prioritize spending efforts when the budget is limited.
*   **Prevent unauthorized devices from operating on your networks**. This is best done by restricting administrative access and applying endpoint protection to all school-provided devices. Only IT departments should have administrative capabilities.
*   **Make your cyber policy easily accessible.** Ensure that all faculty, students, and parents are aware of the existing cyber policy, and where they can easily access it to reference. Provide security training sessions to help everyone understand the cyber policy details.

It's clear that educational institutions are at a higher risk for cyberattacks due to a lack of training and resources dedicated to cybersecurity. But savvy schools can keep their students and employees safer by understanding how attackers target schools, spreading cybersecurity awareness, and taking additional proactive steps to safeguard devices and systems.

Creating Cyberattack Resilience in Modern Education Environments

Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.

This release addresses the following issues:

1.  This release fixes 2 security issues reported by researcher Hyeong Gwan, Yi

CVE-2022-28367: AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content. https://www.cvedetails.com/cve/CVE-2022-28367. NOTE: This release only included a PARTIAL fix. It's completely fixed in the 1.6.7 release.

AntiSamy prior to 1.6.6 used the old CyberNeko HTML library v1.9.22, which is subject to https://www.cvedetails.com/cve/CVE-2022-28366 and no longer maintained. AntiSamy 1.6.6 upgraded to an active fork of CyberNeko called HtmlUnit-Neko which fixed this CVE in v2.27 of that library. AntiSamy 1.6.6 upgraded to version 2.60.0 of HtmlUnit-Neko.

2.  Enhancement #147: Add require-closing-tags to default AntiSamy policy file
    
3.  Bug #151: Change in behavior between 1.6.4 and 1.6.5 for getErrorMessages
    

We accidentally stopped propagating an errorMessages parameter in 1 API. This is now fixed.

NOTIFICATION 1: This 1.6.6 release has 2 dependencies which require Java 8, although the AntiSamy source code itself still only requires Java 7.

NOTIFICATION 2: The 1.7.0 release will drop support for several things deprecated in the 1.6.x series of releases.

a) AntiSamy 1.6.0 introduced XML schema validation for AntiSamy policy files to address issue #58. In all the 1.6.X releases, enforcement of schema validation is optional, with warnings generated to indicate it should be enforced. Starting with AntiSamy 1.7.0 this will no longer be optional.

To support this new feature, but keep it optional, 2 new Policy class methods were created, and immediately deprecated:

public static boolean getSchemaValidation()  
public static void setSchemaValidation(boolean enable)

These two methods will be dropped in the 1.7.0 release, and any AntiSamy policy files that fail schema validation will result in an error and have to be fixed.

b) AntiSamy 1.6.5 changed some APIs. Specifically:

These constructors are now @deprecated:

public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, ResourceBundle messages)  
public CssHandler(Policy policy, LinkedList embeddedStyleSheets, List errorMessages, String tagName, ResourceBundle messages)

And are being replaced with:

public CssHandler(Policy policy, List errorMessages, ResourceBundle messages)  
public CssHandler(Policy policy, List errorMessages, ResourceBundle messages, String tagName) <-- Notice that the tagName is now the last parameter in the new API.

Both constructors drop the 2nd parameter (the queue of stylesheets imported), as that queue is now created inside this constructor. A reference to this queue (if needed) can be retrieved by using the new method:

public LinkedList getImportedStylesheetsURIList()

c) This 1.6.6 release deprecates support for Xhtml. As such, the following are deprecated:

The constant: Policy.USE\_XHTML = "useXHTML";  
The method: InternalPolicy.isXhtml()  
The entire class: org/owasp/validator/html/scan/ASXHTMLSerializer.java

We plan to remove everything deprecated in the 1.7.0 release.

Tag

#dos