Interway a.s WebJET CMS 8.6.896 is vulnerable to Cross Site Scripting (XSS).

%PDF-1.4 %���� 1 0 obj <> endobj 3 0 obj <> endobj 7 0 obj <>>> endobj 8 0 obj <>>> endobj 9 0 obj <> stream x��\[Y��~�\_1���}��H���8�ce ��R��#�9�Fr� ��.�ź�XlmJ���,��7x�Q��r��IJ�9�c��\[�Z��pa�>���?�����o�FoR� �Kx��1.�F����~������˿N/��﮴�߄B����'���g��^�\_���"�vߟ\_=I�9��Ư�8����":m����Fp��#6��M Ok:2�M���>�l���F�2k�DcQf�%��X/�Ō�F�!�A0�kT��\*3k&��\`���}�^�y�\*>�K�p����}D&^����\_��>\\\\,Iz�K\\:KD��8lx�R�\]��>�֨� :j2Sl\`\`rԎ\*��R�\*xkg�z����%~M�����?� F����e��ի\] y6.��2��$\[#�S���%#2����r�$>�d��e9g4+�bJ�vs��i�9�F�Q�\`w�,#��Z\[��gs"���!�MK��v���Ơ�W;�Q\[�d�zg��X\[�Pe�=��;�K��?L�K\\j�Kj��������H�6�>W&��c2� "M0���-YL�G��o����+�+��Wrf���g&���#.e}zdƛp�O����9���o֐;n�<��ȿ�P��h���"4 \* �0�ɚ^�6��:�,Ŷ��R1/��H�y����k�e����<�Jﾘ=VYǦm�v�ҫRU�/��X4Ț{Xzg��Q���NS������))k�ㆌlfB��jb��y��t"��&PJi�惕��lD�cVR��Fo"PN�W�6E�N\],�Z5ȌI�w~NZ�I˿�~��պpI��X�ʬ��o�"Kp?�=u�Dv�ޘ��.x �����G:e=6#�X6pI#�v�M�m�W&��� #i��8���(u-���#����I�l�d�G�TOj1$a���c��1D\[�=�OT��ѓ��\\��\]m�E:��(�ji&7J(TH3Le&�h���-�٬����T�1� 0c����&��&��ɦ�.���Ŵ$���&��%�O�c"\\Z�i\*���0���@0zKc4��v���O�)O0�J"#�� ��Ke�^Y3Vk �3�r�Ȧ�aSTw;��0�����A� 1�g�6+�ؘT�+bR�� ��̷<>�ٷmg�\`4��;3�D���癅��W����H�HG�%Y:E�:�����'�\`����卫�t�ѱ9�d1=�97h��R\*60)�����m�����7ɀ{4 �#����V�5����x�LY���\]�iڝ�ޤ�}�!To����Tũzt��R�g��=K��b@=�B��ŀ\[�\*��kr��+�j@�&�����T��̖�u�uR���OV��,�SJV�\]ܡ�d���O%o��6'�VJ��(�P�n�x4�eK� �Q�!�3�i���lasΡ�.◞z�pβcZL8�g�;��@�(((�3�uΧ@�A$�P�At+A���9\]0��f@m΅�.�SJ0����!hl�xiA��� �i����1H"7覆����rw?&sp%a��y\`,Xl��;m��E�\`�M8�#M��M n��Ϧ���\_7c��(�����{�f�������b@���\*��W�J|Ңl����t?�f�'�������+�}�vΗ'��;���u�R����m�nD7�����p-�'' \\P��՟O��y�/1$y��ٝ���\\}���o#�c��z@�w$��-��e����v�2����"g��������7��7�� /�E�Bo!7�r��Q�� ��OӼh$2'vj!ֶ��Xڄ��'�7�zc(�BJS/5�dn=�jUa/ejq��\\�Ӎ�>!�����Y5���U�.�x�v\`����\[t�����B���J�{���y�!O�\]��l��V\\Uo��io�j�̌m��o�4�������~��hD�#7\_�I\[߫�����A�֔Y�� ��j��yh���2)�R�Z�~�u����%����JS���\`���\*�Hi�2)V��%{�pR�QH�R��bsF �����^@�/b�~�j\\߸j�x���z�6�6\[�5B��zi�a'-�s�j���M�ݏ�mw �^!�$�My�˵���A�?�6l��\\� �q�V�R��~I�2g��왃����%��RN�2nF:��x���\[~.��jM� c�IFA>\`�0ܣ�8�A��<ߌ^G��\\�)������2��{<����\`� ����1�Thl�\*��\*�nx�x��Lx����l��W�K����T��f�v�s��j�G D-S��u>�miM^-$Ǒ���\*�J ^������\[J^s��Щ��=mo����}��%߲����C���M�~�M�ԙ�X��u>�08

CVE-2022-37830

The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcj_image' shortcode in versions up to, and including, 7.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-5638: class-wcj-general-shortcodes.php in woocommerce-jetpack/tags/7.1.3/includes/shortcodes – WordPress Plugin Repository

Facing a potential cascade of legal challenges from industry groups and state attorneys general, the EPA has rescinded its cyber-rules. But where does that leave local water safety?

_**TL;DR: Facing legal challenges from state AGs and water associations, the EPA decided to give up its fight to mandate cyber-risk assessments for water utilities — for now. Experts warn that the sector is woefully at risk for escalating cyberattacks, and they explain why and offer insights for what utilities should do next.**_

The Environmental Protection Agency last week withdrew rules governing cybersecurity standards for the public water sector, after industry groups and Republican lawmakers brought litigation on the issue. But cybersecurity experts warn that public safety and health is at risk without cyber improvements in the sector, as cyberattacks threaten to flow freely.

The now-defanged rules were established in a March 3 interpretive memorandum (PDF), and they would have required water systems to include a cybersecurity evaluation for operational technology (OT) and industrial control systems (ICS) during any sanitary survey.

The Sanitary Survey Program requires periodic, mandated onsite reviews of the water source, facilities, equipment, operation, and maintenance of a system to make sure that it can produce and distribute safe drinking water. The cyber dimension is an augmentation of the existing rule that the EPA added, thus circumventing the usual, politically charged rulemaking process for introducing new regulation.

According to Mike Hamilton, CISO of Critical Insight, the augmentation is "just a requirement to assess each environment and provide those results to the EPA," adding that the ask is "truly not hard or expensive to meet." The exercise would allow the federal government to determine the extent to which support (through grants, for example) should be allocated, he says, and "more importantly, the aggregate results would identify areas of systemic vulnerability that could be addressed as a priority." 

However, others in the political and policymaking world disagree on the need for the requirements as they were proposed — specifically three state attorneys general and a pair of industry groups.

**EPA Blowback From Industry, Conservatives**

The sanitary surveys aren't going away, but including cybersecurity checks within them is a bridge too far, argued Republican lawmakers, who quickly mounted a multistate legal challenge to the augmentation of the Sanitary Survey Program, arguing that the EPA has no right to simply amend existing rules without a public comment period or legislative approval.

They also argued that the cost of considering cybersecurity as part of sanitary checks would be prohibitive — although estimates as to the cost of the reviews have not been made public.

"Rather than cleaning up our water, the federal government is hurting Iowa's small towns," said Iowa Attorney General Brenna Bird, in a statement made in April after joining the litigation. "At a time of soaring inflation, where it's hard enough to make ends meet, the federal government insists on making Iowans' water bills more costly. We're going to hold the Biden Administration accountable and protect Iowans' pocketbooks."

The American Water Works Association (AWWA) and the National Rural Water Association (NRWA) meanwhile in July won a petition to the US Court of Appeals for the Eighth Circuit to stop the cybersecurity rules from going into effect until the litigation was complete.

"NRWA commends the court for issuing this stay preventing EPA from enforcing the Cybersecurity Rule until it is determined if it has been lawfully implemented," said NRWA CEO Matthew Holmes in a statement at the time. "While NRWA fully supports efforts to strengthen cybersecurity in small communities across the country, enforcing this regulation is not the best way to help small and rural systems, and could have costly and unnecessary consequences."

In absence of cybersecurity mandates, the EPA is hoping to work with states, drinking water systems, and wastewater systems to implement voluntary measures, including conducting cybersecurity risk assessments and providing user training.

"There are upwards of 150,000 water facilities in the US. Expecting a small, rural water board to be able to operate under the same requirements, cyber or otherwise, as New York City is presently unrealistic," says Stephen Mozia, OT cybersecurity practice leader at Optiv. "A combination of local, state, and federal regulations and voluntary measures, such as investing in cybersecurity best practices, can bridge the gap in the long term."

**Cyberattackers Look to Make Waves**

The developments come as threats to water utilities continue to lurk on the edges of the critical infrastructure landscape.

"Cybersecurity represents a serious and increasing threat to drinking water and wastewater utilities," according to the EPA's recent notice withdrawing the rules (PDF). In the March memo, it put a finer point on the problem: Cyberattacks have the "same or even greater potential to compromise the treatment and distribution of safe drinking water as a physical attack," it warned.

Indeed, Kaspersky's 2023 H1 incident overview report on ICS systems showed that water supply and sewage companies were among the most-attacked critical infrastructure industries, with four officially confirmed incidents. In one instance, Galil Sewage Corp. in Israel's Galilee region confirmed that an attack targeted its programmable logic controllers (PLCs), which led to a temporary halt of its irrigation operations.

Evgeny Goncharov, head of Kaspersky ICS CERT, notes that the water system attacks were carried out by low-skilled actors and hacktivists, demonstrating how easy it is to access and manipulate OT systems.

"As the time passes, we see that both the hacktivists evolve, and more and more attacking tools and knowledge becomes available for them," he warns.

APTs could get into the mix too, he adds: "The geopolitical tensions may change everything in a minute — should another state decide attacking critical infrastructure of a 'non-friendly country' is not a taboo anymore."

To boot, financially motivated actors could be another risk.

"Cybercriminals may decide that the current most common monetizing scheme (data lock and/or extortion for ransomware and resale) is not efficient anymore \[and\] they may switch to locking physical equipment … which would be way more devastating than the current \[ransomware attacks\]," he says.

Unwanted outcomes could include loss of water quality through compromise of chemical injection and filtration processes, complete loss of availability of control systems and the need to revert to manual processes (traveling to manually open valves, measuring water levels), and, importantly, "disruption to waste treatment processes (also part of the water sector) that can very rapidly devolve into a public health emergency," Critical Insight's Hamilton points out.

**Water System Cybersecurity Takes Long-Term Vision**

While security researchers note that the EPA's heart is in the right place, securing and hardening water infrastructure is an incredibly complex task that will require a mesh of different yet related courses of action, and a good amount of industry-sector education.

"Water utility infrastructure is something not that easy to secure because of its diverse and distributed nature," explains Goncharov. "Lots of small and midsize objects equipped with different OT systems by multiple vendors, normally outdated, with various type remote connections. The other problem would be lack of qualified cybersecurity specialists to manage all the infrastructure security and the general low cybersecurity culture of personnel."

To get arms around the problem, Hamilton recommends that utilities first take the EPA up on its offer to support voluntary risk assessments. While funding is there for some improvements — the Cybersecurity for Rural Water Systems Act of 2023 has earmarked $7.5 million for rural water systems security, for instance — operators need to determine how to spend it.

"Operators are fully capable of using the NIST Cybersecurity Framework (CSF) to self-assess, identify areas of risk, and develop a corrective action plan with budget estimates," he says. "This information could be brought to the utility commissions that manage rates and potentially address the costs through rate increases. This assessment is not difficult, can be performed over one or two days, and would help the operators understand more broadly how to manage risk in these environments."

In addition, security specialists and government resources should put effort into deep cybersecurity awareness programs.

"Operators of water utilities, and especially the small and rural utilities that raised the objection regarding costs of assessments, generally come from a background in the trades and not information technology and are not versed in cybersecurity," Hamilton says. "Risk management is typically aligned with physical security to the exclusion of IT and OT."

Kaspersky's Goncharov suggests that regulatory bodies also "should do the hard work of preparing answers and how-tos to all the most common questions, explaining to the organizations both things technical (such as how the state/central incident monitoring system is secured and why they should trust it, and how it would be supporting the sector); and organizational/financial."

EPA Turns Off Taps on Water Utility Cyber Regulations

Red Hat Security Advisory 2023-5790-01 - Python-reportlab is a library used for generation of PDF documents. Issues addressed include a code execution vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5790.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python-reportlab security updateAdvisory ID:        RHSA-2023:5790-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5790Issue date:         2023-10-17Revision:           01CVE Names:          CVE-2019-19450====================================================================Summary: An update for python-reportlab is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python-reportlab is a library used for generation of PDF documents.Security Fix(es):* python-reportlab: code injection in paraparser.py allows code execution (CVE-2019-19450)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2019-19450References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5790-01

Red Hat Security Advisory 2023-5789-01 - Python-reportlab is a library used for generation of PDF documents. Issues addressed include a code execution vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5789.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python-reportlab security updateAdvisory ID:        RHSA-2023:5789-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5789Issue date:         2023-10-17Revision:           01CVE Names:          CVE-2019-19450====================================================================Summary: An update for python-reportlab is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python-reportlab is a library used for generation of PDF documents.Security Fix(es):* python-reportlab: code injection in paraparser.py allows code execution (CVE-2019-19450)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2019-19450References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5789-01

Red Hat Security Advisory 2023-5788-01 - Python-reportlab is a library used for generation of PDF documents. Issues addressed include a code execution vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5788.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python-reportlab security updateAdvisory ID:        RHSA-2023:5788-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5788Issue date:         2023-10-17Revision:           01CVE Names:          CVE-2019-19450====================================================================Summary: An update for python-reportlab is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python-reportlab is a library used for generation of PDF documents.Security Fix(es):* python-reportlab: code injection in paraparser.py allows code execution (CVE-2019-19450)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2019-19450References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5788-01

Red Hat Security Advisory 2023-5787-01 - Python-reportlab is a library used for generation of PDF documents. Issues addressed include a code execution vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5787.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python-reportlab security updateAdvisory ID:        RHSA-2023:5787-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5787Issue date:         2023-10-17Revision:           01CVE Names:          CVE-2019-19450====================================================================Summary: An update for python-reportlab is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python-reportlab is a library used for generation of PDF documents.Security Fix(es):* python-reportlab: code injection in paraparser.py allows code execution (CVE-2019-19450)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2019-19450References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5787-01

Red Hat Security Advisory 2023-5786-01 - Python-reportlab is a library used for generation of PDF documents. Issues addressed include a code execution vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_5786.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python-reportlab security updateAdvisory ID:        RHSA-2023:5786-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:5786Issue date:         2023-10-17Revision:           01CVE Names:          CVE-2019-19450====================================================================Summary: An update for python-reportlab is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python-reportlab is a library used for generation of PDF documents.Security Fix(es):* python-reportlab: code injection in paraparser.py allows code execution (CVE-2019-19450)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2019-19450References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2023-5786-01

Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker.

2023/10/10  
2023/10/17　更新  
2023/10/18　更新

本脆弱性に対しCVE番号が割り当てられましたため、お知らせの件名、内容を更新いたしました。

**本脆弱性に対応したProself Ver5.63を2023/10/17にリリースいたしました。**  
なお、Proself Gateway Edition、Proself Mail Sanitize Editionの次期バージョンにつきましては、誠に恐れ入りますがリリースまでしばらくお待ちくださいますようお願い申し上げます。

アップデート手順につきましては以下URLで公開しているチュートリアルに記載しておりますので、ダウンロードの上ご確認ください。

  
平素はProselfをご利用いただき、誠にありがとうございます。

弊社製品であるProselfにおきまして新たなゼロデイ脆弱性が発見されました(2023/10/04付)。脆弱性の内容としてはXXE(XML External Entity)となります(CVE-2023-45727)。攻撃者はXXEを悪用してProselfのアカウント情報を外部に送信し、その情報を元にProselfへの不正ログインを試みている可能性がございます。

本脆弱性は以下のバージョンに含まれます。

*   Proself Ver5.62以下
*   Proself Gateway Edition Ver1.65以下
*   Proself Mail Sanitize Edition Ver1.08以下

  
既に本脆弱性が悪用されていることを確認しておりますため、Proselfをご利用中のお客様におかれましてはお手数をおかけし誠に申し訳ございませんが、以下について急ぎご確認をお願い申し上げます。

【目次】

*   攻撃を受けたかどうかの確認
*   暫定対応について
*   恒久策について
*   Proselfのゼロデイ脆弱性への対応バージョンに関する補足

**攻撃を受けたかどうかの確認**  

  
以下の手順にてご確認ください。

**◆Linux OSの場合**

1.  コンソールを起動後、Proselfインストールフォルダ/logs に移動します。(赤文字部分)  
    以下はProselfインストールフォルダが「/usr/local/Proself5」である場合の例となります。
    
    \# cd /usr/local/Proself5/logs  
    
2.  以下コマンドを実行します。(赤文字部分)
    
    \# grep "jp.co.northgrid.proself.updater.afterreboot.logic.AfterRebootCheckLogic  - .\*Proself Ver" proself\_updater.log\*  
    
    ※改行を含めず必ず1行にして実行ください。  
    また、ダブルクォーテーション内の半角スペースが以下のようになっているかどうかを必ずご確認ください。  
    (略)AfterRebootCheckLogic(半角スペース)(半角スペース)\-(半角スペース).\*Proself(略)  
    

  
**◆Windows OSの場合**  

1.  コマンドプロンプトを起動後、Proselfインストールフォルダ/logs に移動します。(赤文字部分)  
    以下はProselfインストールフォルダが「C:\\Program Files\\Proself5」である場合の例となります。
    
    C:\\>cd "C:\\Program Files\\Proself5\\logs"  
    
2.  以下コマンドを実行します。(赤文字部分)
    
    C:\\Program Files\\Proself5\\logs>findstr /R /C:"jp.co.northgrid.proself.updater.afterreboot.logic.AfterRebootCheckLogic  - .\*Proself Ver" proself\_updater.log\*  
    
    ※改行を含めず必ず1行にして実行ください。  
    また、ダブルクォーテーション内の半角スペースが以下のようになっているかどうかを必ずご確認ください。  
    (略)AfterRebootCheckLogic(半角スペース)(半角スペース)\-(半角スペース).\*Proself(略)  
    

  
上記コマンド実行結果の見方は以下の通りとなります。

*   **コマンド実行時に出力がある場合**  
    以下のような出力がある場合は攻撃が行われた可能性がございます。
    
    proself\_updater.log:ERROR 2023-10-05 00-00-00: 864643784 \[https-jsse-nio-443-exec-14\] jp.co.northgrid.proself.updater.afterreboot.logic.AfterRebootCheckLogic - 「Proself Ver (何らかの文字列)  
    
      
    出力がある場合は影響有無の確認等を弊社で行いたく存じますので、大変恐れ入りますが「info@proself.jp」までご連絡いただくか、以下弊社お問い合わせフォームよりお問い合わせくださいますようお願い申し上げます。
    
    ※その他、万が一疑わしいログがあった場合は弊社にご連絡ください。  
    
*   **コマンド実行時に何も出力がない場合**  
    攻撃は行われておりません。  
    

**暫定対応について**  

  
以下の手順を実施ください。  

*   暫定対応については脆弱性が悪用されたどうかに関わらず全てのお客様が対象ですので、必ず実施くださいますようお願い申し上げます。
*   Proselfのサービス再起動は不要で即時反映されます。
*   本対応によるProselfのご利用ユーザーに対する影響はございません。

  

1.  以下のダウンロードURLにアクセスし「updaterafterreboot.xml」をダウンロードします。
    
    **◆ダウンロードURL**  
    https://support.proself.jp/public/tAIqAwIAvqA2rlEAT4ffrY7laqegWFKh-foM
    
    上記アクセス時にメールアドレスを入力し「パスワードを取得」をクリックしますと、パスワードの入力画面に切り替わると共にワンタイムパスワードが記載されたメールが送信されます。  
    画面上のパスワード欄にワンタイムパスワードを入力の上「パスワード送信」をクリックください。
    
2.  ダウンロードした「updaterafterreboot.xml」を「◆ダウンロードしたファイルの上書き先」に記載しているフォルダ内に上書きコピーします。
    
    **◆ダウンロードしたファイルの上書き先**
    
    Proselfインストールフォルダ/webapps/proself/WEB-INF/xml/process/admin/config/  
    
      
    **◆Linux OSの例**  
    Proselfインストールフォルダが「/usr/local/Proself5」である場合は、「updaterafterreboot.xml」の上書き先は以下のようになります。
    
    /usr/local/Proself5/webapps/proself/WEB-INF/xml/process/admin/config/  
    
      
    **◆Windows OSの例**  
    Proselfインストールフォルダが「C:\\Program Files\\Proself5」である場合は、「updaterafterreboot.xml」の上書き先は以下のようになります。
    
    C:\\Program Files\\Proself5\\webapps\\proself\\WEB-INF\\xml\\process\\admin\\config\\  
    

**恒久策について**  

  
本お知らせ冒頭に記載しております通り、本脆弱性の対応を行ったProself Ver5.63をリリース済みですので、アップデートを実施くださいますようお願いいたします。  
なお、Proself Gateway Edition、Proself Mail Sanitize Editionの次期バージョンにつきましては、誠に恐れ入りますがリリースまでしばらくお待ちくださいますようお願い申し上げます。

この度はご迷惑をおかけし誠に申し訳ございません。

**Proselfのゼロデイ脆弱性への対応バージョンに関する補足**  

  
次期バージョンリリースの対象につきましては以下の通りとなりますことを補足申し上げます。

*   以下は現在サポート中のため、脆弱性対応を行ったバージョンをリリースいたします。  
    *   Proself Enterprise Edition Ver.5
    *   Proself Standard Edition Ver.5
    *   Proself Gateway Edition Ver.1
    *   Proself Mail Sanitize Edition Ver.1
*   以下はサポート終了しているため、脆弱性対応を行ったバージョンのリリースは行いません。  
    *   Proself Enterprise Edition Ver.4以下
    *   Proself Standard Edition Ver.4以下

【ご注意】  
Ver.4以下(Enterprise Edition/Standard Edition)をご利用中の場合、Proselfのご利用を停止するかVer.5へのバージョンアップをご検討ください。サポートが終了しているバージョンをこのまま利用し続けた場合、脆弱性を悪用され全てのファイルが流出してしまう危険性がございます。  

  
サポートに関しては「Proself年間保守サービス規約」に基づいております。規約については以下のURLをご参照ください。  
https://www.proself.jp/pdf/proselfsupport.pdf  
※規約は保守サービスライセンス証書の裏面に印刷されているものと同様です。

以上

CVE-2023-45727: お知らせ: [至急]Proselfのゼロデイ脆弱性(CVE-2023-45727)による攻撃発生について(更新) / オンラインストレージ構築パッケージ Proself (プロセルフ)

In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6




Hi.  
It is very easy to make Mosquitto use 100% of the CPU. Just run the command:  
openssl s\_client -connect mosquitt-server: 8883

I ran a look at the server code today and found the cause of the problem.  
Until a timeout occurs, the server will continue to execute the main loop without pausing. This is because epoll\_wait gets the EPOLLOUT event all the time. Below are two diagrams showing the CPU consumption with and without the fix.

Unfixed (100% CPU):  
mosquitto-cpuprof-TooHigh.pdf

with the fix (0.7% CPU):  
mosquitto-cpuprof-Normal.pdf

@ralight should check if my patch does not restore the problem that his commit solved  
fabdfcc

Tag

#pdf