Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.

*   Forge
*   Documentation
*   Get Support
*   Education
*   Events
*   Shop

BlogContact Sales

Try Puppet 

*   Why Puppet
*   Products
*   Services
*   Open Source
*   Resources
*   Partners
*   About Puppet by Perforce

*   Why Puppet
*   Products
*   Services
*   Open Source
*   Resources
*   Partners
*   About Puppet by Perforce
*   
*   Forge
*   Documentation
*   Get Support
*   Education
*   Events
*   Shop

Search Puppet.com

Puppet is the industry standard for IT automation.

Modernize, manage and bring your hybrid infrastructure into compliance through Puppet's powerful continuous automation.

*   Why Puppet 
*   Try Puppet 

**Guidebook**

*   What is Configuration Management
*   What is IT Compliance
*   What is IT Automation

**Use Cases**

*   Application delivery & operations
*   Continuous configuration automation
*   Continuous compliance
*   Continuous delivery
*   Patch management
*   Puppet for government
*   IT process automation & orchestration
*   Windows infrastructure automation

**Get Puppet Enterprise**

First 10 nodes are free!

*   Try it now 
*   Request a demo 

**Products**

*   Puppet Enterprise
*   Continuous Delivery for Puppet Enterprise
*   Puppet Comply

**Pricing & Packaging**

*   Pricing
*   Support services plans
*   Professional services

**Integrations**

*   Amazon Web Services
*   Google Cloud Platform
*   Hashicorp
*   PowerShell DSC
*   Windows Azure
*   ServiceNow
*   Splunk
*   VMware
*   All integrations

**Puppet Education**

Puppet Education is your learning portal for tools and best practices to address common business challenges.

*   Puppet Education 

**Professional services**

*   Start automating
*   Accelerate delivery
*   Integrate your toolchain
*   Harden infrastructure
*   Partner for success
*   Scale DevOps
*   All professional services

**Support**

*   Puppet support
*   Technical support packages
*   Technical account management

**Custom consulting services**

Get up and running quickly with a custom solution that addresses your unique business goals and easily allows for growth as your needs evolve.

*   Learn more 

**Puppet Forge**

Find thousands of component modules built by the community and guidance on using them in your own infrastructure.

*   Visit Puppet Forge 

**Ecosystem**

*   Puppet developer experience
*   Trusted contributors
*   GitHub
*   Vox Pupuli

**Open Source Projects**

*   Open source Puppet
*   Bolt
*   All open source projects
*   Compare our enterprise products

**Community**

*   Community
*   Puppet Champions
*   Puppet Test Pilots
*   Community calendar
*   Community Slack
*   Pulling the Strings Podcast
*   Puppet and Perforce Community FAQ

**Contribute**

*   Contribute written content
*   Contribute to open source projects
*   Puppet Idea Portal

**State of DevOps Report**

Since launching our first DevOps survey in 2012, we’ve learned a lot about the power of DevOps to transform organizations.

*   State of DevOps retrospective
*   Scaling DevOps

*   Get the 2021 State of DevOps Report 

**Product Documentation**

*   Puppet Enterprise
*   Continuous Delivery for Puppet Enterprise
*   Puppet Comply
*   Puppet Remediate
*   All documentation

**Resource library**

*   Blog
*   Ebooks
*   Reports
*   Solution briefs
*   Videos
*   Webinars
*   White papers

**Customers**

*   Our customers
*   Customer videos
*   Customer stories

**Partners**

*   Technology partners
*   Channel partners
*   Solution providers
*   Become a partner
*   Partner Portal login

**Featured Partners**

**About Us**

Puppet automates your infrastructure so you can innovate. We find, fix, and predict in order to prevent surprises and maintain your desired state.

**Puppet by Perforce**

*   Mission
*   Diversity, equity & inclusion
*   Contact Us

**Working at Puppet by Perforce**

*   Open positions

**Press & news**

*   Press room
*   Press releases
*   News mentions

**Events**

It's our community that makes Puppet great. Connect with Puppet users and employees.

*   Watch On Demand: Puppetize Digital 2021
*   All events

*   **Posted 2022-10-03**
*   **Assessed Risk Level: High**
*   **CVSS 3.1 Base Score: 8.4**

Command injection is possible in the puppetlabs-mysql module prior to version 13.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.

**Status:**

**Affected software versions:**

*   Puppetlabs-mysql Module <13.0.0

**Resolved in:**

*   Puppetlabs-mysql Module 13.0.0

CVE-2022-3276: CVE-2022-3276 - Puppetlabs-mysql Command Injection

Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.

*   Forge
*   Documentation
*   Get Support
*   Education
*   Events
*   Shop

BlogContact Sales

Try Puppet 

*   Why Puppet
*   Products
*   Services
*   Open Source
*   Resources
*   Partners
*   About Puppet by Perforce

*   Why Puppet
*   Products
*   Services
*   Open Source
*   Resources
*   Partners
*   About Puppet by Perforce
*   
*   Forge
*   Documentation
*   Get Support
*   Education
*   Events
*   Shop

Search Puppet.com

Puppet is the industry standard for IT automation.

Modernize, manage and bring your hybrid infrastructure into compliance through Puppet's powerful continuous automation.

*   Why Puppet 
*   Try Puppet 

**Guidebook**

*   What is Configuration Management
*   What is IT Compliance
*   What is IT Automation

**Use Cases**

*   Application delivery & operations
*   Continuous configuration automation
*   Continuous compliance
*   Continuous delivery
*   Patch management
*   Puppet for government
*   IT process automation & orchestration
*   Windows infrastructure automation

**Get Puppet Enterprise**

First 10 nodes are free!

*   Try it now 
*   Request a demo 

**Products**

*   Puppet Enterprise
*   Continuous Delivery for Puppet Enterprise
*   Puppet Comply

**Pricing & Packaging**

*   Pricing
*   Support services plans
*   Professional services

**Integrations**

*   Amazon Web Services
*   Google Cloud Platform
*   Hashicorp
*   PowerShell DSC
*   Windows Azure
*   ServiceNow
*   Splunk
*   VMware
*   All integrations

**Puppet Education**

Puppet Education is your learning portal for tools and best practices to address common business challenges.

*   Puppet Education 

**Professional services**

*   Start automating
*   Accelerate delivery
*   Integrate your toolchain
*   Harden infrastructure
*   Partner for success
*   Scale DevOps
*   All professional services

**Support**

*   Puppet support
*   Technical support packages
*   Technical account management

**Custom consulting services**

Get up and running quickly with a custom solution that addresses your unique business goals and easily allows for growth as your needs evolve.

*   Learn more 

**Puppet Forge**

Find thousands of component modules built by the community and guidance on using them in your own infrastructure.

*   Visit Puppet Forge 

**Ecosystem**

*   Puppet developer experience
*   Trusted contributors
*   GitHub
*   Vox Pupuli

**Open Source Projects**

*   Open source Puppet
*   Bolt
*   All open source projects
*   Compare our enterprise products

**Community**

*   Community
*   Puppet Champions
*   Puppet Test Pilots
*   Community calendar
*   Community Slack
*   Pulling the Strings Podcast
*   Puppet and Perforce Community FAQ

**Contribute**

*   Contribute written content
*   Contribute to open source projects
*   Puppet Idea Portal

**State of DevOps Report**

Since launching our first DevOps survey in 2012, we’ve learned a lot about the power of DevOps to transform organizations.

*   State of DevOps retrospective
*   Scaling DevOps

*   Get the 2021 State of DevOps Report 

**Product Documentation**

*   Puppet Enterprise
*   Continuous Delivery for Puppet Enterprise
*   Puppet Comply
*   Puppet Remediate
*   All documentation

**Resource library**

*   Blog
*   Ebooks
*   Reports
*   Solution briefs
*   Videos
*   Webinars
*   White papers

**Customers**

*   Our customers
*   Customer videos
*   Customer stories

**Partners**

*   Technology partners
*   Channel partners
*   Solution providers
*   Become a partner
*   Partner Portal login

**Featured Partners**

**About Us**

Puppet automates your infrastructure so you can innovate. We find, fix, and predict in order to prevent surprises and maintain your desired state.

**Puppet by Perforce**

*   Mission
*   Diversity, equity & inclusion
*   Contact Us

**Working at Puppet by Perforce**

*   Open positions

**Press & news**

*   Press room
*   Press releases
*   News mentions

**Events**

It's our community that makes Puppet great. Connect with Puppet users and employees.

*   Watch On Demand: Puppetize Digital 2021
*   All events

*   **Posted 2022-10-03**
*   **Assessed Risk Level: High**
*   **CVSS 3.1 Base Score: 8.4**

Command injection is possible in the puppetlabs-apt module prior to version 9.0.0. A malicious actor is able to exploit this vulnerability only if they are able to provide unsanitized input to the module. This condition is rare in most deployments of Puppet and Puppet Enterprise.

**Status:**

**Affected software versions:**

*   Puppetlabs-apt module <9.0.0

**Resolved in:**

*   Puppetlabs-apt module 9.0.0

CVE-2022-3275: CVE-2022-3275 - Puppetlabs-apt Command Injection

Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 30 and Oct. 7.

Threat Roundup for September 30 to October 7

A new executive order tries to reassure Europeans that their data is safe on US soil, despite government surveillance.

The United States is not going to stop spying on Europeans’ data, but it is going to make sure that spying is “proportionate.” This was the reassurance that US President Joe Biden offered concerned citizens across the Atlantic today by signing an executive order designed to restart the easy flow of data between Europe and the US.

For years, companies have been shuttling customer information between the two regions. “Transatlantic data flows are critical to enabling the $7.1 trillion EU-US economic relationship,” the White House said today. But two years ago, the EU Court of Justice in Luxembourg ruled that Europeans’ data sent to the US risked being snooped on by intelligence agencies, such as the US National Security Agency. As a result, the agreement that allowed companies to easily transfer data between the US and Europe was ripped up. Businesses instead had to make do with a costly and complex temporary replacement.

Biden’s executive order brings a new EU-US data privacy agreement one step closer and aims to restore trust among Europeans’ concerned by US government surveillance. The order creates a new body within the US Department of Justice that will oversee how US national security agencies access both Europeans’ and Americans’ data. But privacy campaigners say the order simply copies the wording of European law (adding in terms like _proportionate_ and _necessary_) without making any real changes. “We do not see a ban on bulk surveillance and no actual limitations,” says Max Schrems, the Austrian privacy activist whose legal complaint against Facebook eventually dismantled the transatlantic data pact back in 2020.

Before then, around 5,000 businesses had been sending data back and forth across the Atlantic under a system called Privacy Shield. “The pre-Schrems system worked,” says Morgan Reed, president of the App Association, which represents small- and medium-size companies, mostly app developers. But the EU court ruling made the Privacy Shield system suddenly invalid, plunging thousands of companies into legal limbo.

Although the court decision did not stop transfers, it made them more complicated. “What the Schrems decision did was raise costs and concern for a lot of small companies that don't have giant compliance departments’ and fleets’ worth of lawyers to do what are called standard contractual clauses,” says Reed. Standard contractual clauses are time-consuming data transfer agreements that force companies to take steps to assess whether they are safely moving data around the world. 

Companies that have spent the past two years wrestling with these clauses are pleased by the order; they want to get back to business as usual. The executive order is the next step in the US and EU reaching a new privacy agreement. “We appreciate President Biden’s action to keep data flowing between the US and EU, underpinning one of our deepest and most mutually beneficial trading relationships,” says Matt Schruers, president of the Computer and Communications Industry Association (CCIA), a lobbying group that represents tech giants including Google, Amazon, and Apple.

At Workday, a California-based HR software provider with more than 2,000 customers headquartered in Europe, the mood is optimistic. Chandler Morse, vice president of corporate affairs, believes this is evidence that the US and EU can reach an agreement on more than just the privacy shield problem. “There's a number of other tech issues that are pending in the EU-US bilateral, so for many of us this is a positive sign that the EU and the US can work together,” he says, adding that the EU AI Act and Data Act could also be beneficiaries of this new cooperation.

Yet privacy campaigners are not impressed—either by greater collaboration or Biden’s offer of a so-called Data Protection Review Court, which will allow EU citizens to challenge how US security agencies use their data.

“However much the US authorities try to paper over the cracks of the original Privacy Shield, the reality is that the EU and US still have a different approach to data protection which cannot be canceled out by an executive order,” says Ursula Pachl, deputy director general of the European Consumer Organization (BEUC). “The moment EU citizens’ data travels across the Atlantic, it will not be afforded similar protections as in the EU.”

Biden’s executive order will now be sent to Brussels, where EU officials could spend up to six months scrutinizing the details. A new data agreement is expected to be ready around March 2023, although privacy activists are expected to challenge the ruling in court. “The order is never going to be enough for the privacy community in Europe,” says Tyson Barker, head of technology and global affairs at the German Council on Foreign Relations.

The European Commission believes the new agreement could survive a court challenge. But the US has been quietly hedging its bets, says Barker. At a conference in October 2021, Christopher Hoff, deputy assistant secretary for services in the Biden Administration, said he supported the global expansion of a rival privacy agreement—the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system. “The United States wants to say, actually, we have an alternative and we'd like to set this as the global standard,” Barker adds.

Schrems, however, is not worried about another privacy agreement curbing the EU’s influence. “I don’t personally care what standards other countries prefer,” he says. “I know the law in the EU.”

Biden’s Privacy Order Slaps a Band-Aid on the EU-US Data Crisis

Research suggests that automation can cut down on cloud control plane compromises

Stephen Pritchard 07 October 2022 at 15:24 UTC  
Updated: 07 October 2022 at 15:26 UTC

Research suggests that automation can cut down on cloud control plane compromises

So-called ‘cloud native’ IT architectures are creating new threats for organizations, just as they look to update their technology infrastructure, security researchers have warned.

Over half of developers and security professionals expect the risks to their organizations to increase over the next year, according to research from developer security tools vendor Snyk. The drivers include cloud-native threats and, especially, control plane compromises.

Other potential problems include misconfigured cloud resources, as well as compromised credentials.

DON’T MISS CI/CD servers readily breached by abusing SCM webhooks, researchers find

Speaking at the recent International Cyber Expo in London, Ashish Rajan, principal cloud security advocate at Snyk, explained that security breaches are no longer only about data. Increasingly, criminal groups are also looking to steal or expose credentials, including cloud infrastructure credentials.

Rajan cited the recent breach at ride-hailing company Uber, which used social engineering as part of an attack that ultimately succeeded in gaining access to the company’s credentials for Amazon Web Services and Google Workspace.

“It’s not just a breach, a release of records, they also shared the AWS and Google Cloud credentials on the internet as well,” he said. “We are actually talking about data breaches creeping into our cloud environment or even broader production environments as well.”

**Credentials targeted**

Attackers are searching for credentials for cloud services by searching for ‘open S3 buckets’, blob storage or other open storage sites, as well as GitHub repositories, SSH \[Secure Shell\] and SSL vulnerabilities, and even posts by developers on sites such as Stack Overflow. “People are finding easier targets,” Rajan said.

This is forcing developers to pay more attention to both application security and cloud security, the speaker argued. Although organizations and their developers increasingly understand the need for application security, cloud security is too often treated separately rather than as part of the same problem, he asserted.

“In my previous company, we had a product security team and we had cloud people. But they weren’t on the same team. It didn't make sense. We were still protecting this one application,” said Rajan.

Developers often rely too heavily on the cloud provider’s security measures, says Snyk’s Ashish Rajan

**Cloudy with a chance of breaches**

And the situation is made more difficult still by the ‘shared responsibility’ model of cloud security. Too often, contended Rajan, developers and their managers rely on the cloud provider’s security measures, rather than ensuring that their infrastructure and code is secure.

According to Snyk’s 2022 State of Cloud Security Report, 80% of organizations experienced a “serious cloud sec incident” during the past year. Of those, 33% suffered a cloud data breach, and 26% a cloud data leak. A further 27% detected an intrusion into their environment.

Catch up on the latest DevSecOps-related news and analysis

The research also found that companies that use the cloud to host applications that had migrated from a data center were the most likely to report serious cloud security incidents: 89% did so during the past year.

That was higher than the total for organizations using the cloud to build and run in-house applications (73%) or those hosting third-party applications (78%).

**Infrastructure as code**

To counter this, Rajan suggests that developers should follow five fundamentals of cloud security. These are knowing the operating environment, focusing on prevention and secure design, empowering developers, using policy as code to align with security requirements and automate compliance, and ensuring security teams are “measuring what matters”.

To adhere to these fundamentals, organizations should be looking to ’shift left’ and build in security checks earlier in a project’s timeline. Firms should map out a cloud secure development lifecycle, using infrastructure as code (IaC) tools and CI/CD pipelines. And organizations can take this a step further by defining security policies within IaC.

This, Rajan said, removes, or at least reduces, one of the most common causes of cloud security failures: human error.

“What's the policy look like? Can I define the policy as IaC? That's where a lot of people have found that you can reduce credentials being leaked or over-privilege, or misconfiguration of resources, as well as having identity not in control,” he said. Policy as code allows organizations to apply their security rules, whether they use a single cloud platform, or two or even three, added Rajan.

RELATED Rancher stored sensitive values in plaintext, exposed Kubernetes clusters to takeover

Policy-as-code approach counters ‘cloud native’ security risks

The group has been operating for over a year, promoting their tools in hacking forums, stealing credit card information, and using typosquatting techniques to target open source software flaws.

The LofyGang threat group is using more than 200 malicious NPM packages with thousands of installations to steal credit card data, and gaming and streaming accounts, before spreading stolen credentials and loot in underground hacking forums.

According to a report from Checkmarx, the cyberattack group has been in operation since 2020, infecting open source supply chains with malicious packages in an effort to weaponize software applications.

The research team believes the group may have Brazilian origins, owing to the use of Brazilian Portuguese and a file called "brazil.js." which contained malware found in a couple of their malicious packages.

The report also details the group's tactic of leaking thousands of Disney+ and Minecraft accounts to an underground hacking community using the alias DyPolarLofy and promoting their hacking tools via GitHub.

"We saw several classes of malicious payloads, general password stealers, and Discord-specific persistent malware; some were embedded inside the package, and some downloaded the malicious payload during runtime from C2 servers," the Friday report noted.

**LofyGang Operates With Impunity**

The group has deployed tactics including typosquatting, which targets typing mistakes in the open source supply chain, as well as "StarJacking," whereby the package's GitHub repo URL is linked to an unrelated legitimate GitHub project.

"The package managers do not validate the accuracy of this reference, and we see attackers take advantage of that by stating their package's Git repository is legitimate and popular, which may trick the victim into thinking this is a legitimate package due to its so-called popularity," the report stated.

The ubiquity and success of open source software has made it a ripe target for malicious actors like LofyGang, explains Jossef Harush, head of Checkmarx's supply chain security engineering group.

He sees LofyGang's key characteristics as including its ability to build a large hacker community, abusing legitimate services as command-and-control (C2) servers, and its efforts in poisoning the open source ecosystem.

This activity continues even after three different reports — from Sonatype, Securelist, and jFrog — uncovered LofyGang's malicious efforts.

"They remain active and continue to publish malicious packages in the software supply chain arena," he says.

By publishing this report, Harush says he hopes to raise awareness of the evolution of attackers, who are now building communities with open source hack tools.

"Attackers count on victims to not pay enough attention to the details," he adds. "And honestly, even I, with years of experience, would potentially fall for some of those tricks as they seem like legitimate packages to the naked eye."

**Open Source Not Built for Security**

Harush points out that unfortunately the open source ecosystem was not built for security.

"While anybody can sign up and publish an open source package, no vetting process is in place to check if the package contains malicious code," he says.

A recent report from software-security firm Snyk and the Linux Foundation revealed about half of firms have an open source software security policy in place to guide developers in the use of components and frameworks.

However, the report also found that those who have such policies in place generally exhibit better security — Google is making available its process of vetting and patching software for security issues to help close avenues to hackers.

"We see attackers take advantage of this because it's super easy to publish malicious packages," he explains. "The lack of vetting powers in disguising the packages to appear legit with stolen images, similar names, or even referencing other legitimate Git projects' websites just to see they get the other projects' stars amount on their malicious packages pages."

**Heading Toward Supply Chain Attacks?**

From Harush's perspective, we're reaching the point where attackers realize the full potential of the open source supply chain attack surface.

"I expect open source supply chain attacks to evolve further into attackers aiming to steal not only the victim's credit card, but also the victim's workplace credentials, such as a GitHub account, and from there, aim for the bigger jackpots of software supply chain attacks," he says.

This would include the ability to access a workplace's private code repositories, with the capability to contribute code while impersonating the victim, planting backdoors in enterprise grade software, and more.

"Organizations can protect themselves by properly enforcing their developers with two-factor authentication, educate their software developers to not assume popular open source packages are safe if they appear to have many downloads or stars," Harush adds, "and to be vigilant to suspicious activities in software packages."

LofyGang Uses 100s of Malicious NPM Packages to Poison Open Source Software

Red Hat Security Advisory 2022-6835-01 - This release of Red Hat Integration - Service registry 2.3.0.GA serves as a replacement for 2.0.3.GA, and includes the below security fixes. Issues addressed include code execution, cross site scripting, denial of service, deserialization, and privilege escalation vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Service Registry (container images) release and security update [2.3.0.GA]  
Advisory ID:       RHSA-2022:6835-01  
Product:           Red Hat Integration  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6835  
Issue date:        2022-10-06  
CVE Names:         CVE-2021-22569 CVE-2021-37136 CVE-2021-37137  
                   CVE-2021-41269 CVE-2022-0235 CVE-2022-0536  
                   CVE-2022-0981 CVE-2022-21724 CVE-2022-23647  
                   CVE-2022-24771 CVE-2022-24772 CVE-2022-24773  
                   CVE-2022-25647 CVE-2022-25857 CVE-2022-25858  
                   CVE-2022-26520 CVE-2022-31129 CVE-2022-37734  
====================================================================  
1. Summary:

An update to the images for Red Hat Integration Service Registry is now  
available from the Red Hat Container Catalog. The purpose of this text-only  
errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

This release of Red Hat Integration - Service registry 2.3.0.GA serves as a  
replacement for 2.0.3.GA, and includes the below security fixes.

Security Fix(es):

* cron-utils: template Injection leading to unauthenticated Remote Code  
Execution (CVE-2021-41269)

* prismjs: improperly escaped output allows a XSS (CVE-2022-23647)

* snakeyaml: Denial of Service due missing to nested depth limitation for  
collections (CVE-2022-25857)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* protobuf-java: potential DoS in the parsing procedure for binary data  
(CVE-2021-22569)

* quarkus: privilege escalation vulnerability with RestEasy Reactive scope  
leakage in Quarkus (CVE-2022-0981)

* quarkus-jdbc-postgresql-deployment: jdbc-postgresql: Unchecked Class  
Instantiation when providing Plugin Classes (CVE-2022-21724)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may  
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for  
decompressed data (CVE-2021-37136)

* node-fetch: exposure of sensitive information to an unauthorized actor  
(CVE-2022-0235)

* follow-redirects: Exposure of Sensitive Information via Authorization  
Header leak (CVE-2022-0536)

* jdbc-postgresql: postgresql-jdbc: Arbitrary File Write Vulnerability  
(CVE-2022-26520)

* node-forge: Signature verification leniency in checking `digestAlgorithm`  
structure can lead to signature forgery (CVE-2022-24771)

* node-forge: Signature verification failing to check tailing garbage bytes  
can lead to signature forgery (CVE-2022-24772)

* node-forge: Signature verification leniency in checking `DigestInfo`  
structure (CVE-2022-24773)

* com.google.code.gson-gson: Deserialization of Untrusted Data in  
com.google.code.gson-gson (CVE-2022-25647)

* terser: insecure use of regular expressions leads to ReDoS  
(CVE-2022-25858)

* graphql-java: DoS by malicious query (CVE-2022-37734)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data  
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way  
2024632 - CVE-2021-41269 cron-utils: template Injection leading to unauthenticated Remote Code Execution  
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data  
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor  
2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes  
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak  
2056643 - CVE-2022-23647 prismjs: improperly escaped output allows a XSS  
2062520 - CVE-2022-0981 quarkus: privilege escalation vulnerability with RestEasy Reactive scope leakage in Quarkus  
2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability  
2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery  
2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery  
2067461 - CVE-2022-24773 node-forge: Signature verification leniency in checking `DigestInfo` structure  
2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS  
2126277 - CVE-2022-25858 terser: insecure use of regular expressions leads to ReDoS  
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections  
2126809 - CVE-2022-37734 graphql-java: DoS by malicious query

5. References:

https://access.redhat.com/security/cve/CVE-2021-22569  
https://access.redhat.com/security/cve/CVE-2021-37136  
https://access.redhat.com/security/cve/CVE-2021-37137  
https://access.redhat.com/security/cve/CVE-2021-41269  
https://access.redhat.com/security/cve/CVE-2022-0235  
https://access.redhat.com/security/cve/CVE-2022-0536  
https://access.redhat.com/security/cve/CVE-2022-0981  
https://access.redhat.com/security/cve/CVE-2022-21724  
https://access.redhat.com/security/cve/CVE-2022-23647  
https://access.redhat.com/security/cve/CVE-2022-24771  
https://access.redhat.com/security/cve/CVE-2022-24772  
https://access.redhat.com/security/cve/CVE-2022-24773  
https://access.redhat.com/security/cve/CVE-2022-25647  
https://access.redhat.com/security/cve/CVE-2022-25857  
https://access.redhat.com/security/cve/CVE-2022-25858  
https://access.redhat.com/security/cve/CVE-2022-26520  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/cve/CVE-2022-37734  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYz7stNzjgjWX9erEAQiCEQ/+OPmlKRufUR1D+rRvhWHeBMxdJ9NMoaMm  
rV3uH/FIiBLFSYWXgTY8gb53BVsZHEPfZ6G3ol70iyOjDbXazQsYBuhg/9RMLmz9  
+J1yK5sSeE9HyisYbYdHuuGIKpEMGXp78NP1rlwBEgyFrkY8pJHSdv/Fc87f2B3Z  
VeExd/Zvdcj5M4/ZmCin1yNALPKlhnbp9+9MGvcLufJUsXxOKPrQVCYMgWVWc0Wc  
aNRm4y8FBOnYrB9FeA2BBYEpmBrRK8G8OsoebuqaBvKAvytVV/NSiOMKsdaGD9WL  
XeLPl5XE3rpEVeUEH4aEjdHe6weLk/sjst335xgWI7QHZT/gjZxmxza2TBGgIkRJ  
yBT/n63geWAkaTXUCP0oepJDPKAio6B/CFVzTZS8jqO/0rDDvHIZN94nhceqamW3  
GC5gha56Pk+qcw3sArvtu0G72wY5O/+/kxp0mV+sWczIIlbS7FlkG+sxl5uHo3+M  
DDBOMwNROI6bInBxnBD4GWMepW40cGaAXt1HN/1NVaZq0mw4cdyulOMJfPpJGQK5  
IGS+TnvZn86p3cZysR3eMuaPzFG9U8vnaAw8enRmiJ6wG3NFkklIRelO7fEF8n3R  
drGnqa8gB589c9x3QUurBytdDxYWd2T71TOTyMFdTI9NtOAeuIvX+6lDj0BOftH3  
Jnw+PamuYNcÌnF  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6835-01

Categories: News
Tags: Meta

Tags:  WhatsApp

Tags:  apps

Tags:  mobile

Tags:  android

Tags:  device

Tags:  account

Tags:  credentials

Tags:  spam

Meta is suing developers for multiple credential-stealing apps found on Google Play and elsewhere.



(Read more...)




The post Meta accuses apps of stealing WhatsApp accounts appeared first on Malwarebytes Labs.

Posted: October 7, 2022 by

Meta is attempting to clamp down on rogue WhatsApp-styled applications which originate from China. Bleeping Computer reports that no fewer than one million WhatsApp accounts have been compromised, allegedly as a result of using these apps which are claimed to bundle malware.

**Dubious apps**

The apps in question were available to download from multiple sources, including the developer’s own websites and also the Google Play store itself. After installation, the apps would ask device owners to punch in user credentials, which were then stolen. From Meta’s complaint:

> Beginning no later than May 2022 and continuing until at least July 2022, the Defendants…misled over one million WhatsApp users into self-compromising their accounts as part of an account takeaover attack. The self-compromised accounts were then used to send commercial spam messages.

With around one million installs listed on just one app’s installation tally, that’s potentially quite a lot of spam messages. The complaint notes that these allegedly rogue applications were also promoted on Facebook. One bogus app was promoted as being able to “modify other versions of unofficial WhatsApp applications, including modifying the applications’ colours”. Another was conceived as an “app updater”, supposedly telling device owners about new features and updates for the other applications.

**When apps go stylin' and profilin'**

The complaint lists several detailed examples of the apps on offer. It’s quite a mixed bag, with no real single theme or unifying styling between them. As far as the spam messages go, they were directed at WhatsApp users worldwide, “including users in Hong Kong, Indonesia, Malaysia, and Singapore”.

There’s a heavy focus on modding, and changing out the basic functionality of WhatsApp. One app claimed to offer: A dynamic theme store; "chat anywhere”; additional privacy settings; backup and restore.

This seems typical of the offerings on display. At least one claimed to be “ad free”, a particularly ironic claim given the accusations of commercial spam being sent out. Unsurprisingly, the 76-page complaint includes multiple examples of bad reviews from unsuspecting Android owners.

According to Bleeping Computer, Meta and Google have worked together to get this one shut down as much as possible. Previously downloaded versions of these apps are now disabled and non-functional via Google Play Protect, with effect from the middle of April.

The message is clear: Break Meta’s developer agreement and terms of use, and there’s a good chance that a legal encounter may be in your immediate future.

**Avoiding bad apps**

Rogues do land on official stores every so often, so “only trust what you see on official stores” is good advice, but not enough by itself. The risk is low, but it is not zero. With this in mind, what else can you do?

*   **Stick to Google Play and the App Store** and don't install apps from unofficial stores, or websites. While this does indeed place you inside a walled garden, which could still contain something bad, you’ll find the scale of the threat is quite a bit lower.
*   **Keep your device and apps updated**. It’s a lot harder for people to exploit your phone when it’s running all of the latest software.
*   **Use a mobile security app**. (It won't shock you to learn that we recommend Malwarebytes Mobile Security.)
*   **Be very wary of fakes, mods, add-ons, or “bonus” apps** claiming to be WhatsApp, or related to WhatsApp. You stand a good chance of not getting what you were expecting. The official WhatsApp publisher on Google Play is WhatsApp LLC.
*   **Use your common sense**. Read the reviews, check the app permissions, and be very reluctant to type your WhatsApp password into anything that isn't WhatsApp.

If you’re looking for additional security tips and more general advice for keeping your mobile safe, check out our “10 ways to protect your Android” article which covers everything from backups to location disclosure. Stay safe out there!

**RELATED ARTICLES**

Meta accuses apps of stealing WhatsApp accounts

Some 400 mobile apps have posed as legitimate software on Google Play and the Apple App Store over the past year, and were designed to steal Facebook user credentials.

Facebook is contacting about 1 million users of its platform about their account details potentially being compromised by malicious Android or iOS applications.

In a blog post on Oct. 7, Facebook's parent company Meta said its researchers had detected 400 malicious Android and iOS apps over the past year that were designed to steal usernames and passwords belonging to Facebook users and to compromise their accounts. The poisoned apps were uploaded to Google's and Apple's app stores and masqueraded as legitimate games, VPN services, photo applications, and other utilities.

When users downloaded and attempted to use one of the malicious apps, it would prompt them to enter the user's Facebook username and password. If a user entered their credentials, attackers would gain full access to the individual's account, private information, and their friends on the social media platform, Meta said.

"This is a highly adversarial space, and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate app stores," David Agranovich, Meta's director of threat disruption, and Ryan Victory, malware discovery and detection and engineer, wrote in the blog post. 

Meta reported the apps to Apple and Google, and the researchers noted, "We are also alerting people who may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials and are helping them to secure their accounts."

**Posed as Legitimate Apps**

Many of the iOS and Android apps that Meta detected on Apple and Google's mobile stores purported to have some fun or useful functionality, like music players and cartoon image editors. A plurality (42%) posed as photo editors, some of which claimed they could turn a user's photo into a cartoon. 

About 15% purported to be business utilities, such as VPNs that claimed to help users access blocked content and websites or to boost their Internet browsing speeds; 14% were phone utilities, such as flashlight apps that purportedly helped brighten the phone's flashlight. 

Mobile games accounted for about 11% of the 400 or so malicious apps that Meta's researchers discovered. Fake reviews might have helped boost the reputation of some of these apps and helped hide potential negative reviews of these apps, Meta said.

Facebook did not say how many of the 400 apps were Android-based. But Apple said that out of the 400 total apps mentioned in Meta's blog post, 45 were on iOS — leaving 355 for Android. 

A Google spokesman says all the apps identified in the Meta report are no longer available on Google Play. "Users are also protected by Google Play Protect, which blocks these apps on Android," he said.

Apple also confirmed that the apps were removed from the App Store.

**An Ongoing Issue

The issue of malicious apps finding their way into Google and Apple's official mobile stores is by no means new. Both companies have been dealing with the problem for years and have implemented numerous mechanisms for vetting third-party applications published to their stores. 

However, malware authors have consistently been able to sneak their apps in anyway. One tactic that attackers have commonly used to bypass Google and Apple's testing processes has been to separate the malicious capabilities of the software from the benign and using a dropper to install the malicious code later once the testing is complete.

Over the years, numerous vendors have reported discovering malicious apps disguised as legitimate software on both stores. One of the more recent examples is BitDefender's discovery of 35 malicious apps on Google Play that together had some 2 million downloads. The security vendor found some of the apps, which were designed to serve ads, renamed themselves after installation to make detection and removal harder. 

In July, Dr. Web reported discovering and reporting to Google nearly 30 adware Trojans on Google Play with combined downloads of more than 9.8 million.

While attackers have tended to target Play more heavily, there have been numerous similar instances on the Apple App Store as well. In September, Human Security's Satori research team reported on a massive ad-serving operation that involved dozens of malicious apps on Google Play and at least nine on the Apple App Store. Together, the apps were downloaded about 13 million times since at least 2019.

**

Meta Flags Malicious Android, iOS Apps Affecting 1M Facebook Users

Meta Platforms on Friday disclosed that it had identified over 400 malicious apps on Android and iOS that it said targeted online users with the goal of stealing their Facebook login information.
"These apps were listed on the Google Play Store and Apple's App Store and disguised as photo editors, games, VPN services, business apps, and other utilities to trick people into downloading them," the

Meta Platforms on Friday disclosed that it had identified over 400 malicious apps on Android and iOS that it said targeted online users with the goal of stealing their Facebook login information.

"These apps were listed on the Google Play Store and Apple's App Store and disguised as photo editors, games, VPN services, business apps, and other utilities to trick people into downloading them," the social media behemoth said in a report shared with The Hacker News.

42.6% of the rogue apps were photo editors, followed by business utilities (15.4%), phone utilities (14.1%), games (11.7%), VPNs (11.7%), and lifestyle apps (4.4%). Interestingly, a majority of the iOS apps posed as ads manager tools for Meta and its Facebook subsidiary.

Besides concealing its malicious nature as a set of seemingly harmless apps, the operators of the scheme also published fake reviews that were designed to offset the negative reviews left by users who may have previously downloaded the apps.

The apps ultimately functioned as a means to steal the credentials entered by users by displaying a "Login With Facebook" prompt.

"If the login information is stolen, attackers could potentially gain full access to a person's account and do things like message their friends or access private information," the company said.

All the apps in question have been taken down from both app stores. The list of 403 apps (356 Android and 47 iOS apps) can be accessed here.

As always with apps like these, it's essential to exercise caution before downloading apps and granting access to Facebook to access the promised functionality. This includes scrutinizing app permissions and reviews, and also verifying the authenticity of the app developers.

Meta Platforms on Friday disclosed that it had identified over 400 malicious apps on Android and iOS that it said targeted online users with the goal of stealing their Facebook login information.

"These apps were listed on the Google Play Store and Apple's App Store and disguised as photo editors, games, VPN services, business apps, and other utilities to trick people into downloading them," the social media behemoth said in a report shared with The Hacker News.

42.6% of the rogue apps were photo editors, followed by business utilities (15.4%), phone utilities (14.1%), games (11.7%), VPNs (11.7%), and lifestyle apps (4.4%). Interestingly, a majority of the iOS apps posed as ads manager tools for Meta and its Facebook subsidiary.

Besides concealing its malicious nature as a set of seemingly harmless apps, the operators of the scheme also published fake reviews that were designed to offset the negative reviews left by users who may have previously downloaded the apps.

The apps ultimately functioned as a means to steal the credentials entered by users by displaying a "Login With Facebook" prompt.

"If the login information is stolen, attackers could potentially gain full access to a person's account and do things like message their friends or access private information," the company said.

All the apps in question have been taken down from both app stores. The list of 403 apps (356 Android and 47 iOS apps) can be accessed here.

As always with apps like these, it's essential to exercise caution before downloading apps and granting access to Facebook to access the promised functionality. This includes scrutinizing app permissions and reviews, and also verifying the authenticity of the app developers.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google