The WordPress WP YouTube Live Plugin is vulnerable to Reflected Cross-Site Scripting via POST data found in the ~/inc/admin.php file which allows unauthenticated attackers to inject arbitrary web scripts in versions up to, and including, 1.7.21.

Timestamp:

03/31/2022 01:35:01 PM (4 weeks ago)

macbookandrew

Message:

Update to version 1.7.22 from GitHub  

Location:

wp-youtube-live

Files:

  

*   tags/1.7.22 _(copied from wp-youtube-live/trunk)_
*   tags/1.7.22/inc/admin.php (1 diff)
*   tags/1.7.22/readme.txt (2 diffs)
*   tags/1.7.22/wp-youtube-live.php (2 diffs)
*   trunk/inc/admin.php (1 diff)
*   trunk/readme.txt (2 diffs)
*   trunk/wp-youtube-live.php (2 diffs)

**Legend:**

Unmodified

Added

Removed

*   **wp-youtube-live/tags/1.7.22/inc/admin.php**
    
    r2488454
    
    r2702715
    
     
    
    346
    
    346
    
    347
    
    347
    
        if ( ! wp\_verify\_nonce( $nonce, 'wpYTcache\_nonce' ) ) {
    
    348
    
     
    
            die( 'Invalid nonce.' . var\_export( $\_POST, true ) );
    
     
    
    348
    
            die( 'Invalid nonce.' );
    
    349
    
    349
    
        }
    
    350
    
    350
    
*   **wp-youtube-live/tags/1.7.22/readme.txt**
    
    r2659419
    
    r2702715
    
     
    
    5
    
    5
    
    Requires at least: 3.6
    
    6
    
    6
    
    Tested up to:      5.7
    
    7
    
     
    
    Stable tag:        1.7.21
    
     
    
    7
    
    Stable tag:        1.7.22
    
    8
    
    8
    
    License:           GPLv2 or later
    
    9
    
    9
    
    License URI:       http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    179
    
    179
    
    \== Changelog ==
    
    180
    
    180
    
     
    
    181
    
    \= 1.7.22 =
    
     
    
    182
    
    \- Fix reflected cross-site scripting vulnerability
    
     
    
    183
    
    181
    
    184
    
    \= 1.7.21 =
    
    182
    
    185
    
    \- Fix error on activation
    
*   **wp-youtube-live/tags/1.7.22/wp-youtube-live.php**
    
    r2659419
    
    r2702715
    
     
    
    4
    
    4
    
     \* Plugin URI: https://github.com/macbookandrew/wp-youtube-live
    
    5
    
    5
    
     \* Description: Displays the current YouTube live video from a specified channel
    
    6
    
     
    
     \* Version: 1.7.21
    
     
    
    6
    
     \* Version: 1.7.22
    
    7
    
    7
    
     \* Author: Andrew Minion
    
    8
    
    8
    
     \* Author URI: https://andrewrminion.com/
    
    …
    
    …
    
     
    
    13
    
    13
    
    }
    
    14
    
    14
    
    15
    
     
    
    define( 'WP\_YOUTUBE\_LIVE\_VERSION', '1.7.21' );
    
     
    
    15
    
    define( 'WP\_YOUTUBE\_LIVE\_VERSION', '1.7.22' );
    
    16
    
    16
    
    17
    
    17
    
    /\*\*
    
*   **wp-youtube-live/trunk/inc/admin.php**
    
    r2488454
    
    r2702715
    
     
    
    346
    
    346
    
    347
    
    347
    
        if ( ! wp\_verify\_nonce( $nonce, 'wpYTcache\_nonce' ) ) {
    
    348
    
     
    
            die( 'Invalid nonce.' . var\_export( $\_POST, true ) );
    
     
    
    348
    
            die( 'Invalid nonce.' );
    
    349
    
    349
    
        }
    
    350
    
    350
    
*   **wp-youtube-live/trunk/readme.txt**
    
    r2659419
    
    r2702715
    
     
    
    5
    
    5
    
    Requires at least: 3.6
    
    6
    
    6
    
    Tested up to:      5.7
    
    7
    
     
    
    Stable tag:        1.7.21
    
     
    
    7
    
    Stable tag:        1.7.22
    
    8
    
    8
    
    License:           GPLv2 or later
    
    9
    
    9
    
    License URI:       http://www.gnu.org/licenses/gpl-2.0.html
    
    …
    
    …
    
     
    
    179
    
    179
    
    \== Changelog ==
    
    180
    
    180
    
     
    
    181
    
    \= 1.7.22 =
    
     
    
    182
    
    \- Fix reflected cross-site scripting vulnerability
    
     
    
    183
    
    181
    
    184
    
    \= 1.7.21 =
    
    182
    
    185
    
    \- Fix error on activation
    
*   **wp-youtube-live/trunk/wp-youtube-live.php**
    
    r2659419
    
    r2702715
    
     
    
    4
    
    4
    
     \* Plugin URI: https://github.com/macbookandrew/wp-youtube-live
    
    5
    
    5
    
     \* Description: Displays the current YouTube live video from a specified channel
    
    6
    
     
    
     \* Version: 1.7.21
    
     
    
    6
    
     \* Version: 1.7.22
    
    7
    
    7
    
     \* Author: Andrew Minion
    
    8
    
    8
    
     \* Author URI: https://andrewrminion.com/
    
    …
    
    …
    
     
    
    13
    
    13
    
    }
    
    14
    
    14
    
    15
    
     
    
    define( 'WP\_YOUTUBE\_LIVE\_VERSION', '1.7.21' );
    
     
    
    15
    
    define( 'WP\_YOUTUBE\_LIVE\_VERSION', '1.7.22' );
    
    16
    
    16
    
    17
    
    17
    
    /\*\*
    

**Note:** See TracChangeset for help on using the changeset viewer.

CVE-2022-1187: Changeset 2702715 for wp-youtube-live – WordPress Plugin Repository

Mandiant data also shows a dramatic drop in attacker dwell time on victim networks in the Asia-Pacific region — to 21 days in 2021 from 76 days in 2020.

The length of time attackers remained undetected on a victim's network decreased for the fourth year in a row, sinking to 21 days in 2021, down from 24 days in 2020, according to a new report on incident response (IR) investigations conducted by Mandiant.

Mandiant in its IR cases found that companies have tuned their detection capabilities to find the most dangerous attacks quickly, with ransomware detected within five days on average; non-ransomware attacks remained active for 36 days in 2021, down from 45 days in 2020. But the quicker detection of ransomware attacks may not necessarily be positive, instead being due to the activation of the payload, says Steven Stone, senior director of adversary operations for Mandiant.

In general, however, the improvement is driven by faster detection of non-ransomware threats because more companies are working with third-party cybersecurity firms, and government agencies and security firms often notify victims of attacks, leading to faster detection, he says.

"We think the combination of factors like these contributes to what we already see as year-over-year improvements in these regions," Stone says. "Ultimately, initial threat vectors come down to attacker choices and the availability of different vulnerabilities. Overall, we see some attack groups use different methods concurrently, likely showing a preference per target efforts."

Companies have improved their detection times dramatically over the past decade, reducing the time to detect attackers by nearly a factor of 20, from 418 days in 2011 to 21 days in 2021, according to the Mandiant M-Trends 2022 report.

    

Source: Mandiant

The improvement in company's detection capabilities varied significantly by region, with firms in the Asia-Pacific region seeing a dramatic drop in so-called "dwell time" to 21 days in 2021, from 76 days in 2020. European companies also saw a significant decrease to 48 days, from 66 days in 2020, while North American companies' detection did not change, staying level at 17 days.

**Attackers Love Cobalt Strike**  
The most popular attack tool remained the Beacon backdoor, which accounted for 28% of all identified malware families. Beacon is a component of the Cobalt Strike penetration testing tool, which is also popular with malicious attackers. Other attack tools quickly dropped off in frequency and include the Sunburst backdoor for .NET environments, the Metasploit penetration testing platform, and SystemBC, a proxy toolkit.

Overall, two methods of initial compromise — exploiting vulnerabilities and attacks through the supply chain — accounted for 54% of all attacks with an identified initial infection vector in 2021, up from less than a 30% share of attacks in 2020, according to Mandiant. The changing tactics underscore that companies need to keep informed of attackers' techniques, Jurgen Kutscher, executive vice president for service delivery at Mandiant, said in a statement announcing the report.

"In light of the continued increased use of exploits as an initial compromise vector, organizations need to maintain focus on executing on security fundamentals — such as asset, risk, and patch management," he said. "The key to building resilience lies in preparation. Developing a robust preparedness plan and well-documented and tested recovery process can help organizations successfully navigate an attack and quickly return to normal business operations."

**Active Directory in the Bullseye**  
In another trend, attackers are increasingly taking aim at hybrid Active Directory (AD) installations, because misconfigurations in the hybrid identity model — where credentials and keys are synchronized between on-premises AD services and Azure Active Directory in the cloud — lead to compromises, Mandiant stated in the report.

Companies should treat hybrid Active Directory servers as the most sensitive level of assets, tier 0, and only allow access from privileged workstation from a segmented network. Along with monitoring, these steps should make exploitation much more difficult, says Evan Pena, managing director of Mandiant's global red team.

Luckily, implementing best security practices for hybrid AD servers is not hard to get right, he says.

"As companies move their resources to the cloud while using hybrid models, attackers will target these hybrid servers to achieve both domain and cloud compromise," he says. "It is common for these hybrid servers to have high-level privileges to on-premises servers — \[such as\] domain controllers — and cloud resources."

Companies should be tackling the primary threat this year by reviewing and assessing their Active Directory implementation for vulnerabilities or misconfigurations, understanding how to detect and prevent unusual lateral movement attempts in their environment, and implementing application whitelisting and disabling macros to significantly limit initial access attacks, says Pena.

More Than Half of Initial Infections in Cyberattacks Come Via Exploits, Supply Chain Compromises

An Unauthenticated time-based blind SQL injection vulnerability exists in Forma LMS prior to v.1.4.3.

**Cloud Cyber Security PlatformEuropean Cyber Research TeamThreat Intelligence PlatformThe Cyber Security Partner**

La piattaforma di Security Testing e Threat Intelligence e il Cyber Competence Center di Swascan per il Cyber Security Framework Aziendale.  
Sicurezza Predittiva. Sicurezza Preventiva. Sicurezza Proattiva.

Prova il Free Trial

![](https://www.swascan.com/wp-content/uploads/2022/03/awards.png)

**In evidenza**

**Webinar - Cloud Security: dalla teoria alla pratica**

La Cloud security nel framework aziendale. Non perderti il prossimo Webinar Swascan il prossimo 27 aprile dalle 12:00 alle 13:00

Iscriviti

**Cyber Defense: Security e Data Protection in azienda**

Un Corso, affidato ai migliori esperti cyber, che sposa casi reali e LAB tecnici d’eccellenza, con l’obiettivo di supportare i corsisti nella gestione della Sicurezza Informatica. Registrati al corso e frequenta le lezioni a partire dal 03 Giugno 2022.

Scopri di più

**Cyber Risk Indicators: Infrastrutture critiche Italia**

ll servizio di Cyber Risk Indicators determina e misura il potenziale rischio cyber del settore oggetto di analisi, per il mese di febbraio abbiamo preso in esame il livello di esposizione al rischio cyber delle infrastrutture critiche italiane.

Scopri di più

![](https://www.swascan.com/wp-content/uploads/2022/03/CyberSecurity-Framwork-ita.png)

**Cyber Security Framework**

Il Cyber Security Framework è il fondamento della postura di sicurezza della tua azienda. Un insieme di processi e tecnologie che operano all’unisono per ridurre al minimo l’esposizione al rischio cyber. Si fonda sulla sicurezza predittiva, preventiva e proattiva.

**Sicurezza Predittiva**

La Sicurezza Predittiva opera a livello di Threat Intelligence. Attraverso l’analisi di fonti OSINT e CLOSINT, a livello di Web, Dark Web e Deep Web identifica minacce, rischi e informazioni relativi all’azienda target. La Sicurezza Predittiva permette di anticipare le criticità impostando correttamente la sicurezza preventiva e proattiva.

**Sicurezza Preventiva**

La Sicurezza Preventiva agisce in termini di Analisi del Rischio tecnologico, umano e di processo. Attività che rientrano negli obblighi legislativi e in termini di best practice internazionale. Le attività fanno riferimento a penetration test, vulnerability assessment, ransomware attack simulation, phishing simulation, formazione, CIS, NIST, ISO27001, GDPR Assessment.

**Sicurezza Proattiva**

La Sicurezza Proattiva permette l’adozione degli approcci relativi alla security by detection e alla security by reaction. Attraverso l’adozione di security operation center (SOC) permette di monitorare, identificare, analizzare, gestire e bloccare eventuali minacce in essere all’interno dell’azienda. La componente incident response management garantisce la corretta gestione degli incidenti aziendali attraverso l’utilizzo di Team specializzati e competenti.

Scopri i nostri servizi

![](https://www.swascan.com/wp-content/uploads/2022/03/home1.png)

**La Piattaforma di Swascan**

Swascan è la prima suite interamente in Cloud di Security Testing e Threat Intelligence: scopri tutti i servizi disponibili ora!

Domain Threat Intelligence

Cyber Threat Intelligence

Phishing Attack Simulation

Smishing Attack Simulation

Prova il Free Trial

**Cyber Security Competence Center**

**Cyber Incident Response**

Un Cyber team dedicato di pronto intervento Cyber per la gestione di Cyber Incident, attacchi DDOS, Data Breach e Attacchi Ransomware.

**Soc as a Service**

Il servizio dedicato di Monitoring & Early Warning di Swascan per la corretta gestione della sicurezza proattiva e sicurezza preventiva.

**Penetration Test**

Le attività di Penetration Test sono svolte Penetration Tester certificati e in linea con gli standard internazionali OWASP, PTES e OSSTMM.

**GRC Management**

Servizi di Security Advisory  a livello consulenziale e a livello operativo per supportare i clienti nei piani di remediation, gestione della Cyber Security, Compliance Management e Risk Management.

**Cyber Academy**

Corsi di formazione dedicati di Cybersecurity in aula o tramite Webinar. Attività di Awareness per il personale tecnico, per i dipendenti e per i Top Manager.

**Cloud Security**

Un Cyber Competence Center dedicato al mondo Cloud per le attività di governance, supporto e tutela dell’ intero insieme di tecnologie, protocolli e best practice degli ambienti cloud computing.

![](https://www.swascan.com/wp-content/uploads/2022/03/home2.png)

**24/7 Cyber Security Operation Center**

Un team dedicato nell’attività di Sicurezza Proattiva e Reattiva delle minacce informatiche sulle reti locali, ambienti cloud, applicazioni ed endpoint aziendali. Il nostro team di Security Analyst monitora i dati e le risorse, H24, 7 giorni su 7 per 365 giorni all’anno.

Threat Detection & Analysis

Valutazione minacce e vulnerabilità

Endpoint detection and response (EDR)

Network detection response

Event Correlation / Log Management

**Penetration Testing**

Il team offensive di Swascan è certificato ISO27001 e ISO9001  
Tutte le attività rispettano gli standard OWASP, PTES e OSSTMM.

![](https://www.swascan.com/wp-content/uploads/2022/03/home3.png)

**Cyber Academy**

Nella sicurezza informatica sono indubbiamente i comportamenti umani a fare la differenza, prima ancora che la tecnologia.  
La nostra Cyber Academy offre una vasta gamma di percorsi formativi strutturati per rispondere a differenti livelli di esperienza e di specializzazione tecnica.

Scopri i nostri Corsi

![](https://www.swascan.com/wp-content/uploads/2022/03/home4.png)

**Cyber Threat Intelligence**

Il servizio di Cyber Threat Intelligence di Swascan ha lo scopo e l’obiettivo di individuare le eventuali informazioni pubbliche disponibili a livello Web, Dark Web e Deep Web relative ad un determinato target. L’attività prevede la raccolta e l’analisi delle informazioni relative ad una serie di macro aree critiche quali:

Domain Threat Intelligence

**Diventa Partner Swascan**

Scopri di più sullo Swascan Partner Program, grazie al quale i nostri partner servono al meglio i clienti, forniscono soluzioni rapide e ne promuovono la crescita.

Scopri il Partner Program

CVE-2022-27104: Home - Swascan

In Citrix XenMobile Server through 10.12 RP9, there is an Authenticated Directory Traversal vulnerability, leading to remote code execution.

The following table describes important changes to the XenMobile Server product documentation. To receive notifications about these updates, subscribe to the RSS feed.

Date

Change

Description

15 Sep 2021

Updated articles for the XenMobile Server 10.14 release

For a summary of new and changed features, see What’s new in XenMobile Server 10.14.

27 Apr 2021

Updated description of the Locate security action

See Security actions.

23 Apr 2021

Added an action example

See Automated actions.

01 Apr 2021

Added description of per-app VPN requirements

See VPN device policy.

24 Feb 2021

Added announcment about preparation needed before upgrading endpoints to iOS 14.5

See Before upgrading endpoints to iOS 14.5.

17 Dec 2020

New device policy for controlling how installed managed apps get updated on Android Enterprise

See Automatically update managed apps device policy

18 Nov 2020

Added a workaround for a single sign-on issue related to on-premises Citrix ADC

See Before you upgrade an on-premises Citrix ADC.

26 Oct 2020

Updated articles for the XenMobile Server 10.13 release

For a summary of new and changed features, see What’s new in XenMobile Server 10.13.

02 Jul 2020

Added a timeline and action plan for the deprecation of MDX encryption

See Prepare your Android devices for upcoming changes.

19 Jun 2020

Addressed the terms “blacklist” and “whitelist” in the documentation. Changed to “block list” and “allow list”.

The Endpoint Management console currently includes the terms “blacklist” and “whitelist”. We updated the documentation. We are in the process of changing the terms in the product console for an upcoming release.

04 May 2020

Added a note about new TLS certificate requirements for trusted certificates in iOS, iPadOS, and macOS.

See Certificates.

18 Feb 2020

Updated terminology

Throughout the documentation, updated the NetScaler, NetScaler Gateway, ShareFile, and StorageZones Controller terminology. Some console components might still show the older names.

06 Feb 2020

Updated articles for the XenMobile Server 10.12 release

For a summary of new and changed features, see What’s new in XenMobile Server 10.12.

06 Nov 2019

Added a section about migrating from Apple VPP to ABM or ASM

See Apple Volume Purchase Program migration to Apple Business Manager (ABM) and Apple School Manager (ASM).

04 Sep 2019

Updated articles for the XenMobile Server 10.11 release

For a summary of new and changed features, see What’s new in XenMobile Server 10.11.

15 May 2019

Updated iOS device enrollment section

Added video and updated steps for iOS 12 device enrollment. See Enroll iOS devices.

10 May 2019

New section about Entrust PKI

Added section to the “PKI Entities” article: PKI Entities.

03 Apr 2019

New section for Apple DEP renewal steps

Added section to “Deploy devices through Apple DEP”: Renew your enrollment in the Apple Deployment Program.

02 Apr 2019

Updated articles for the Gateway connector for Exchange ActiveSync 8.5.3 release

For a summary of new and changed features, see What’s new in version 8.5.3.

26 Mar 2019

Updated Secure Hub store name syntax

Added note about the alphanumeric requirement for Store name in App store and Citrix Secure Hub branding.

06 Mar 2019

Updated articles for the Endpoint Management connector for Exchange ActiveSync 10.1.9 release

For a summary of new and changed features, see What’s new in version 10.1.9.

01 Feb 2019

Updated articles for the Endpoint Management connector for Exchange ActiveSync 10.1.8 release

For a summary of new and changed features, see What’s new in version 10.1.8.

23 Jan 2019

Updated Secure Browse terminology

Throughout the documentation, renamed the MDX setting “Secure Browse” to “Tunneled Web SSO”. For information, see App Network Access for iOS and App Network Access for Android.

CVE-2021-44519: Citrix XenMobile Server Document History

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[day\] \[month\] \[year\] \[list\]

Date: Fri, 22 Apr 2022 17:49:37 +0000
From: "Myers, Christopher" <Christopher.Myers@...or.edu>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2022-29464 :: WSO2 Unrestricted arbitrary file upload, and remote
 code to execution vulnerability.

I have not seen this come across the oss-sec/CISA/DHS emails at this point, but anyone using WSO2 or a derivative needs to check this out right away.

https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738

https://nvd.nist.gov/vuln/detail/CVE-2022-29464

Good writeup and PoC code here: https://github.com/hakivvi/CVE-2022-29464

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-29464: security - CVE-2022-29464 :: WSO2 Unrestricted arbitrary file upload, and remote code to execution vulnerability.

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

The increased adoption of cloud infrastructure by companies looking to improve agility and support a hybrid workforce has led to more development teams adopting security-as-code as a way to build security into software and products.

Over the past year, for example, Google has pushed security-as-code as a fundamental component of its cloud offerings, identifying in January "software-defined infrastructure" as one of the eight megatrends driving the security of the cloud. Encoding security configuration as code that can be an input into development and deployment processes lets organizations analyze their security configuration, change and redeploy easily, and continuously monitor the state of their security configuration to evaluate whether it matches policies.

The result is analyzable security configuration and continuously verifiable controls, says Phil Venables, vice president at Google and CISO for Google Cloud.

"The great thing about security-as-code is that you know the configuration that you have deployed exactly corresponds to what you had specified and analyzed as meeting your security requirements," he says. "Many breaches out there are not necessarily the result of an unknown risk, but are usually the result of some control that the organization thought they had not being deployed and operating when they needed it the most."

Security-as-code is an extension of the infrastructure-as-code movement that has come about as software-defined networks and systems have become more popular. DevOps teams have adopted infrastructure-as-code as the de facto standard for building and deploying software, containers, and virtual machines, but now companies are betting that the shift to cloud-native infrastructure will make security-as-code a key part of a sustainable approach to security.

**How Security-as-Code Works**  
In 2021, consulting firm McKinsey and Company identified security-as-code as perhaps the only way to secure cloud application and infrastructure at the speed at which modern businesses move.

"Capturing value in the cloud requires most companies to build a transformation engine ... to integrate cloud into business and technologies, drive adoption in priority business domains, and establish the foundational capabilities required to scale cloud usage safely and economically," the consulting firm wrote in a position paper. "SaC is the mechanism for developing foundational capabilities in cloud security and risk management."

Google intends to make the concept much more functional and part of any cloud infrastructure. In November, the company's Cybersecurity Action Team announced a Risk and Compliance as Code (RCaC) solution.

Companies that have embraced DevOps know that repeatable software builds rely on being able to specify the configuration of infrastructure elements — whether software applications, pipeline builds, or containers — as code in a file. This infrastructure-as-code approach allows developers and operations specialists to express and analyze the configuration before it is deployed.

Security-as-code aims to do the same thing for security, in an approach that many have called DevSecOps. Security-as-code expresses the security configuration of a variety of elements, including what security testing should be performed, the criteria for vulnerability scanning, encryption requirements, and access controls.

**How Does it Affect SBOMs?**  
Google sees the current efforts to make software bills of materials (SBOMs) more explicit and functional as a key component of the future of software-as-code. The components of a software program could be analyzed during any build and the policies described in the security-as-code file would be applied. Using a component that is vulnerable to a specific threat, such as Log4j, could stop the build. Other requirements, such as a high level in the Supply Chain Levels for Software Artifacts (SLSA), could also be specified, Google's Venable says.

"This mechanism allows you to start making richer decisions," he says. "This programmability of the environment to enforce security policy is pretty transformational compared to what any of us used to be able to do in traditional on-premise environments."

Google is joined by others blazing a trail into the security-as-code arena. The growing movement to encode security as a configuration file that can be incrementally improved led security firm Tenable Network Security to acquire Accurics, a maker of security-as-code technology.

"It's far more effective to find and fix the issues at the point of creation in code, rather than where they manifest in the cloud," Renaud Deraison, chief technology officer for Tenable Network Security, said in a blog announcing the acquisition. "In this way, we can ensure that what is deployed is secure by default and that any fixes are a simple merge request rather than a patch or operational afterthought."

Not everyone is convinced that security configurations will be ensconced in code anytime soon. While configuration files traveling along with software-defined infrastructure components could bring significant benefits — such as the audit ability and improved change management — companies are still too reactionary to adopt the technology, says Brian Fox, chief technology officer and co-founder of Sonatype, a software-management and security firm.

Software composition analysis (SCA) services that can automate the identification of risky software components — a service that Sonatype provides — provides some of the automated benefits of security-as-code. Most businesses have no idea of even what components make up their software, Fox says.

"We are super early in the adoption cycle with this," he says. "All the reasons that infrastructure-as-code made sense will make sense with security-as-code, but the industry is not quite there yet, because so many people do not have the mechanisms to even do this, never mind doing it as code."

Security-as-Code Gains More Support, but Still Nascent

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

CVE-2022-29457: ADSelfService Plus Release Notes

IT departments must account for the business impact and security risks such applications introduce.

Last month, Dark Reading released an enterprise application security survey that raised serious concerns by IT and security teams about the state of low-code/no-code applications. The survey exposed a deep lack of visibility, control, and knowledge necessary to maintain the level of security maturity expected in the enterprise. Here we will look at concrete concerns raised by the survey, examine their root causes, and offer recommendations on ways to address them today.

The following concerns were raised under the question, "What security concerns do you have regarding low-code/no-code applications?"

**Concern No. 1: Governance**  
According to 32% of respondents, "There is no governance over how these applications are accessing and using our data."

Indeed, many useful low-code/no-code applications rely on storing data either in managed storage provided by the platform or in another platform via a connector. The tricky part is that low-code/no-code platforms make it extremely easy for makers to essentially bake their identity into the applications, so that every application user ends up triggering operations on behalf of the maker. Within enterprise environments, it is not uncommon for useful business applications to store their data in the maker's Dropbox or OneDrive account. Baked-in accounts can become an even bigger issue when an honest mistake causes data to be stored in a personal rather than business account.

Another popular use of low-code/no-code are data-movers or operation-stitchers. They connect source and destination, either by moving data between multiple points or by linking together an operation in one system to another in a different system.

As an example, a popular automation flow in enterprise scenarios is email forwarding. Users build an application that monitors their professional inbox for new emails, copies their content, and pastes it in their personal email for various reasons. Note that by copying the data, users are easily able to bypass DLP controls that would have prevented email forwarding.

**Concern No. 2: Trust**  
According to 26% of respondents, "I don't trust the platforms used to create the applications."

Low-code/no-code platform vendors are increasingly directing their attention to provide strong security assurance for their platforms, but there is a long way to go. While enterprise customers have become used to the security benefits provided by public cloud vendors, with their mature security teams, vulnerability disclosure programs, and state-of-the-art SOCs, low-code/no-code platforms are just getting used to the fact that they are now business-critical systems.

Of course, vendors investing in the security of their platform is not enough. Customers have to hold their part of the shared responsibility model, too. While platform vendors are improving their security posture, enterprises using low-code/no-code platforms must figure out how to approach these applications with the same level of security vigor as they would their pro-code applications. After all, the impact of both types of applications on data, identity, and the enterprise as a whole is the same.

Take security testing, for example. To catch security issues early, pro-code applications are typically built with code and configuration scanning tools in place, as part of the CI/CD. There are a host of tools to help detect issues throughout the SDLC, including SAST, DAST, and SCA, which has become very popular in recent years with the rise in open source security issues. Low-code/no-code applications are prone to the same problems that these tools detect, such as injection-based attacks, security misconfiguration, and untrusted dependencies. However, these applications typically rely on manual processes for security assurance or try to use pro-code tools to scan artifacts generated with low-code; unfortunately, pro-code tools fail to understand the business logic of low-code/no-code applications and therefore provide little value.

**Concern No. 3: AppSec**  
According to 26% of respondents, "I don't know how to check for security vulnerabilities in these applications."

How do I make sure my code makes sense, and that it is secure and robust, without access to that code? This point is tricky, and new solutions are required to tackle it.

When public cloud providers started introducing the concept of platform-as-a-service for compute services such as managed virtual machines (VMs), managed Kubernetes clusters, or serverless functions, the same kind of concerns were raised. Our entire strategy, as a security community, to secure compute instances was based on our ability to observe and leverage the host machine running our applications. While stripping away the complexities of managing VMs, cloud providers also stripped away the ability of security teams to observe and protect them. As a result, novel solutions had to be introduced to provide the same level of security assurance with cloud-native building blocks.

The same approach is desperately needed in low-code/no-code applications. Instead of trying to apply existing tools like code scanning or web security monitoring to artifacts generated by low-code/no-code, security teams should adopt solutions that understand the language of low-code/no-code in order to identify logical vulnerabilities in those applications.

**Concern No. 4: Visibility**  
According to 25% of respondents, "The security team doesn't know what applications are being created."

This point is particularly important because you can't protect what you can't see. Most low-code/no-code platforms have little to no capabilities for allowing admins to view applications built on these platforms. Basic questions like, "How many applications do we have?" are simply unanswerable without pervasive measures. For example, some platforms allow admins to make themselves the owners of every application separately but do not allow them to see the application otherwise. So admins must resort to an active change on the platform to take a look at the application. 

Other platforms go even further, allowing business users to create applications in a private folder that administrators cannot review, other than knowing the number of applications that exist in them. A maker could be exfiltrating data through a private application, and the admin is left with no way to even know anything besides the fact that the application exists.

Visibility becomes even trickier once companies realize that they are using more than one low-code/no-code platform. In fact, most large enterprises are already using multiple platforms. With low-code/no-code platforms becoming more popular, citizen development tools being introduced bottom-up, and software-as-a-service (SaaS) vendors becoming platforms themselves, it's clear why enterprises are suddenly finding themselves using several different platforms.

**Concern No. 5: Knowledge and Awareness**  
According to 33% of respondents, "I don't have any security concerns," "Other," or "Don't know."

Since low-code/no-code platforms often find their way into the enterprise through business units rather than top-down through IT, they can easily slip through the cracks and be missed by security and IT teams. While security teams are in most cases part of the procurement process, it's easy to treat a low-code/no-code platform as just another SaaS application used by the business, not realizing that the result of adopting this platform would be empowering a whole array of new citizen-developers in the business.

In one large organization, citizen-developers in the finance team built an expense management application to replace a manual process filled with back-and-forth emails. Employees quickly adopted the application since it made it easier for them to get reimbursed. The finance team was happy because it automated part of its repetitive work. But IT and security were not in the loop. It took some time for them to notice the application, understand that it was built outside of IT, and reach out to the finance team to bring the app under the IT umbrella.

Security and IT teams are always in a state where the backlog of concerns is much larger than their ability to invest. To make sure resources are allocated to the most critical security risks, teams must first be aware of the criticality of low-code/no-code applications to the business and the security risks that they introduce. For the former, this means that low-code/no-code applications' impact on the enterprise must be demonstrated and clear. Security teams must be part of the discussion when thinking about adopting citizen development. 

For the latter, we as a community have to research, categorize, and share concrete security risks we identify to help others to build more secure applications. Bringing IT and security into the low-code/no-code conversation would allow the adoption of these technologies to accelerate, unleashing their full potential to increase business velocity and productivity.

Why So Many Security Experts Are Concerned About Low-Code/No-Code Apps

There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim's system.

![version graph](https://bugs.debian.org/cgi-bin/version.cgi?width=2;package=dcraw;found=dcraw%2F9.28-2;collapse=1;fixed=dcraw%2F9.28-3;absolute=0;height=2)

Reported by: Wooseok Kang <kangwoosuk1@gmail.com>

Date: Mon, 8 Mar 2021 04:42:02 UTC

Severity: normal

Tags: security, upstream

Found in version dcraw/9.28-2

Fixed in version dcraw/9.28-3

**Done:** Filip Hroch <hroch@physics.muni.cz>

Reply or subscribe to this bug.

Toggle useless messages

**Report forwarded** to `debian-bugs-dist@lists.debian.org, kangwoosuk1@gmail.com, Debian Astronomy Team <debian-astro-maintainers@lists.alioth.debian.org>`:  
`Bug#984761`; Package `dcraw`. (Mon, 08 Mar 2021 04:42:04 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Wooseok Kang <kangwoosuk1@gmail.com>`:  
New Bug report received and forwarded. Copy sent to `kangwoosuk1@gmail.com, Debian Astronomy Team <debian-astro-maintainers@lists.alioth.debian.org>`. (Mon, 08 Mar 2021 04:42:05 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

Package: dcraw
Version: 9.28-2
Severity: normal
X-Debbugs-Cc: kangwoosuk1@gmail.com

Dear Maintainer,

There is an integer overflow vulnerability in dcraw.
When the victim runs dcraw with a maliciously crafted X3F input image,
arbitrary code may be executed in the victim's system.

The vulnerability resides in foveon\_load\_camf() function in dcraw.c file.
The program reads data from the input image using get4().

type = get4();  get4();  get4();
wide = get4();
high = get4();

Since there is no sanitization for these variables, we can set their values freely.
Let type=4, and wide and high are enough large values which can make overflow.
Then, it will lead to small memory allocation at the below code.

} else if (type == 4) {
    free (meta\_data);
    meta\_length = wide\*high\*3/2;
    meta\_data = (char \*) malloc (meta\_length);

Therefore, when we read data to this allocated buffer,
it causes the buffer overrun which may lead to arbitrary code execution or program crash.

I attach the maliciously crafted X3F file which crashes dcraw like below.
> dcraw dcraw-poc.X3F
dcraw-poc.X3F: Corrupt data near 0x651
\[1\]    1251 segmentation fault  dcraw dcraw-poc.X3F

Thank you.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86\_64)

Kernel: Linux 5.4.72-microsoft-standard-WSL2 (SMP w/16 CPU threads)
Locale: LANG=en\_US.UTF-8, LC\_CTYPE=en\_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages dcraw depends on:
ii  libc6            2.31-9
ii  libjpeg62-turbo  1:2.0.6-2
ii  liblcms2-2       2.12~rc1-2

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2  <none>
pn  netpbm   <none>

-- no debconf information

\[dcraw-poc.X3F (image/x-x3f, attachment)\]

**Information forwarded** to `debian-bugs-dist@lists.debian.org, Debian Astronomy Team <debian-astro-maintainers@lists.alioth.debian.org>`:  
`Bug#984761`; Package `dcraw`. (Tue, 09 Mar 2021 16:54:02 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Filip Hroch <hroch@physics.muni.cz>`:  
Extra info received and forwarded to list. Copy sent to `Debian Astronomy Team <debian-astro-maintainers@lists.alioth.debian.org>`. (Tue, 09 Mar 2021 16:54:02 GMT) (full text, mbox, link).

Message #10 received at 984761@bugs.debian.org (full text, mbox, reply):

Dear Wooseok,

I'll look on this.

Note, that I'm maintaining only Debian packaging.
I am not upstream autor; I can fix only the bugs
which does not induce extensive changes in whole
structure of the source code.

FH
--
F. Hroch <hroch@physics.muni.cz>, Masaryk University, Brno, 
Czechia.
Dept. of theor. physics and astrophysics, Kotlarska 2, CZ-611 37.

**Added tag(s) security.** Request was from `Adrian Bunk <bunk@debian.org>` to `control@bugs.debian.org`. (Mon, 31 May 2021 20:51:02 GMT) (full text, mbox, link).

**Information forwarded** to `debian-bugs-dist@lists.debian.org, Debian Astronomy Team <debian-astro-maintainers@lists.alioth.debian.org>`:  
`Bug#984761`; Package `dcraw`. (Wed, 02 Jun 2021 20:42:02 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Salvatore Bonaccorso <carnil@debian.org>`:  
Extra info received and forwarded to list. Copy sent to `Debian Astronomy Team <debian-astro-maintainers@lists.alioth.debian.org>`. (Wed, 02 Jun 2021 20:42:02 GMT) (full text, mbox, link).

Message #17 received at 984761@bugs.debian.org (full text, mbox, reply):

Hi Filip, Wooseok

On Tue, Mar 09, 2021 at 05:41:51PM +0100, Filip Hroch wrote:
> Dear Wooseok,
> 
> I'll look on this.
> 
> Note, that I'm maintaining only Debian packaging.
> I am not upstream autor; I can fix only the bugs
> which does not induce extensive changes in whole
> structure of the source code.

Can you please report the issue upstream? Or was this reported
upstream?

Regards,
Salvatore

**Message sent on** to `Wooseok Kang <kangwoosuk1@gmail.com>`:  
Bug#984761. (Wed, 02 Jun 2021 20:42:07 GMT) (full text, mbox, link).

**Information forwarded** to `debian-bugs-dist@lists.debian.org, Debian Astronomy Team <debian-astro-maintainers@lists.alioth.debian.org>`:  
`Bug#984761`; Package `dcraw`. (Thu, 03 Jun 2021 10:45:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to `Filip Hroch <hroch@physics.muni.cz>`:  
Extra info received and forwarded to list. Copy sent to `Debian Astronomy Team <debian-astro-maintainers@lists.alioth.debian.org>`. (Thu, 03 Jun 2021 10:45:03 GMT) (full text, mbox, link).

Message #25 received at 984761@bugs.debian.org (full text, mbox, reply):

Dear Salvatore,

unfortunatelly, I have not fixed it yet.

I suppose to report it to upstream author -- Mr. Coffin.
In past, I send patches without any response.

The last upstream version of dcraw has been issued
tree years ago, so I've some worry about him.

Regards,
FH


Salvatore Bonaccorso <carnil@debian.org> writes:

> Hi Filip, Wooseok
>
> On Tue, Mar 09, 2021 at 05:41:51PM +0100, Filip Hroch wrote:
>> Dear Wooseok,
>>
>> I'll look on this.
>>
>> Note, that I'm maintaining only Debian packaging.
>> I am not upstream autor; I can fix only the bugs
>> which does not induce extensive changes in whole
>> structure of the source code.
>
> Can you please report the issue upstream? Or was this reported
> upstream?
>
> Regards,
> Salvatore


--
F. Hroch <hroch@physics.muni.cz>, Masaryk University,
Dept. of theor. physics and astrophysics, Brno, Moravia, CZ

**Message sent on** to `Wooseok Kang <kangwoosuk1@gmail.com>`:  
Bug#984761. (Thu, 03 Jun 2021 10:45:06 GMT) (full text, mbox, link).

**Changed Bug title to 'dcraw: CVE-2021-3624: buffer-overflow caused by integer-overflow in foveon\_load\_camf()' from 'dcraw: buffer-overflow caused by integer-overflow in foveon\_load\_camf()'.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `control@bugs.debian.org`. (Tue, 29 Jun 2021 05:45:05 GMT) (full text, mbox, link).

**Reply sent** to `Filip Hroch <hroch@physics.muni.cz>`:  
You have taken responsibility. (Thu, 25 Nov 2021 13:06:14 GMT) (full text, mbox, link).

**Notification sent** to `Wooseok Kang <kangwoosuk1@gmail.com>`:  
Bug acknowledged by developer. (Thu, 25 Nov 2021 13:06:15 GMT) (full text, mbox, link).

Message #35 received at 984761-close@bugs.debian.org (full text, mbox, reply):

Source: dcraw
Source-Version: 9.28-3
Done: Filip Hroch <hroch@physics.muni.cz>

We believe that the bug you reported is fixed in the latest version of
dcraw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 984761@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Filip Hroch <hroch@physics.muni.cz> (supplier of updated dcraw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 21 Nov 2021 23:15:39 +0100
Source: dcraw
Architecture: source
Version: 9.28-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Astronomy Team <debian-astro-maintainers@lists.alioth.debian.org>
Changed-By: Filip Hroch <hroch@physics.muni.cz>
Closes: 478701 914447 914453 914454 914459 984761
Changes:
 dcraw (9.28-3) unstable; urgency=medium
 .
   \* Written wrappers of fread(),fwrite(),fseek() library functions which
     checks their return values. If an input/output failure is detected,
     dcraw immediately exits with non-zero status and prints a descriptive
     message. Closes: #478701, #914447, #914453, #914454, #914459, #984761
   \* Updated links; upstream has been moved to a new site.
   \* Updated packaging: evolving standards, added metadata, lintian.
Checksums-Sha1:
 25dc6466c9400cbb583545d7ee4311352286ad05 1978 dcraw\_9.28-3.dsc
 cb2b167a49544b5bf879d4a2ef8970b9390b0631 6865640 dcraw\_9.28-3.debian.tar.xz
Checksums-Sha256:
 9927b846c8f93188ae84bcd7831d6d61bc83561dba7ba2440b6dafd18ca4b74d 1978 dcraw\_9.28-3.dsc
 357ef76c9ad7c0f16f12a29d81a1dc3ee8dff1099c30636fc38fb4109f6a3db6 6865640 dcraw\_9.28-3.debian.tar.xz
Files:
 da4d8776a65a9ac1e37c5ee6a272fd5b 1978 graphics optional dcraw\_9.28-3.dsc
 d05b8ef6e95acc707c5d43b82bb9ee02 6865640 graphics optional dcraw\_9.28-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEuvxshffLFD/utvsVcRWv0HcQ3PcFAmGfguIACgkQcRWv0HcQ
3PfJLg/+McreFSi3qAg/tpwPYNMXhrQIrhK3KaCdQaJFxkTajhI2j9MeESE4UZYk
V1uDMqtcvbUJP9vSCQDr9z2q66h4u877ckI3nys/ueNKSQM5NRyTcWjzuqCMZdSz
0LZ6qO/UftRIn3HxYWWYZDgO+36I7u5Ua4wPNm+dYCqNED2sALK3sZKBd2WiVfhE
HMbHnpiMLwPVCO4RUVG1uDht0fsHPaV4rPEo0JPvipwHnpgrAKcGP55r+5EGbPdL
HuTahEDiZKhl4MBIEVHAuC2wN8HPhTpONhxIvDbrQm/HLIwm/XPt/N9QTXbv0miW
b204OoXkT33LP8eRz+U3tDpGxQU/dnEZ05sClfV+85n1Tw9Atzle/tqyeg8dVscv
jUmCu10q3ESubpnU4Opdxcm5qt5QB59z6gFnd5wzyaVQehRcGg/luUaeneqguWxz
U82aiwosXEmioXPYeDAzmkjULD1iguwAnSx6BNVGzf/t3XReVW07bFXsnpT8XASc
0LzzKA3Mzjt0y8UM9YvV9vs0SIXuxWLQa5WUfK41TG1wza8wBMewuUQJ2+r16lmG
mYrXb2vz8/8nU2jz+RdUQvhYXSWrRaiQ3Vj+Qcx8eSrveaCLM8RZqgKf6m6STev5
zIz4iwhJZVz78n+M2aci/tjZ+Fhr9RLCuZRDakQFOv5Cq5XzJJk=
=3QxF
-----END PGP SIGNATURE-----

**Bug archived.** Request was from `Debbugs Internal Request <owner@bugs.debian.org>` to `internal_control@bugs.debian.org`. (Sat, 25 Dec 2021 07:29:15 GMT) (full text, mbox, link).

**Bug unarchived.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `control@bugs.debian.org`. (Wed, 13 Apr 2022 05:00:02 GMT) (full text, mbox, link).

**Added tag(s) upstream.** Request was from `Salvatore Bonaccorso <carnil@debian.org>` to `control@bugs.debian.org`. (Wed, 13 Apr 2022 05:00:03 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Mon Apr 25 16:12:34 2022; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Tag

#mac