VARIoT IoT vulnerabilities database

Mikrotik RouterOs before stable version 6.47 suffers from a memory corruption vulnerability in the /nova/bin/lcdstat process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference)

IBM Security Verify Access Docker 10.0.0 could allow a remote priviled user to upload arbitrary files with a dangerous file type that could be excuted by an user. IBM X-Force ID: 200600. Vendor exploits this vulnerability IBM X-Force ID: 200600 Is published as.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state

SAP NetWeaver AS ABAP and ABAP Platform, versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 8.04, 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.53, 7.77, 7.81, 7.84, allows an attacker to send overlong content in the RFC request type thereby crashing the corresponding work process because of memory corruption vulnerability. The work process will attempt to restart itself after the crash and hence the impact on the availability is low. SAP NetWeaver AS ABAP and ABAP Platform Is vulnerable to an out-of-bounds write.Denial of service (DoS) It may be put into a state

IBM Security Verify Access Docker 10.0.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 198299. Vendor is responsible for this vulnerability IBM X-Force ID: 198299 Is published as.Information may be obtained

A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F, allows a high privileged attacker to inject code that can be executed by the application. An attacker could thereby delete some critical information and could make the SAP system completely unavailable. SAP NetWeaver AS ABAP (Reconciliation Framework) Contains a code injection vulnerability.Information is tampered with and denial of service (DoS) It may be put into a state. SEC Consult Vulnerability Lab Security Advisory < 20220518-0 > ======================================================================= title: Multiple Critical Vulnerabilities product: SAP® Application Server ABAP and ABAP® Platform (Different Software Components) vulnerable version: see section "Vulnerable / tested versions" fixed version: see SAP security notes 2958563, 2973735, 2993132, 2986980, 2999854, 3002517, 3048657 CVE number: CVE-2020-6318, CVE-2020-26808, CVE-2020-26832, CVE-2021-21465, CVE-2021-21468, CVE-2021-21466, CVE-2021-21473, CVE-2021-33678 impact: critical homepage: https://www.sap.com found: 08/2020 - 02/2021 by: Fabian Hagg (Office Vienna) Alexander Meier (Office Berlin) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "SAP is a market share leader in enterprise resource planning (ERP), analytics, supply chain management, human capital management, master data management, data integration as well as in experience management" [1]. Customers comprise 92% of the Forbes Global 2000 companies and 98% of the 100 most valued brands. 77% of the world’s transaction revenue touches an SAP system [1, 2]. "SAP NetWeaver Application Server for ABAP (AS ABAP) is a platform on which important business processes run. It provides a complete development and runtime environment for ABAP-based applications. The purpose of AS ABAP is to provide programmers with an efficient means of expressing business logic and relieve them from the necessity of platform-related and purely technical coding. AS ABAP is therefore a basis for all ABAP systems" [3]. "The [successor] ABAP platform provides a reliable and scalable server and programming environment for modern ABAP development [...]. The ABAP platform offers support for SAP HANA and SAP Fiori and allows developers to efficiently build enterprise software that meets the requirements of their business scenarios – on-premise as well as in the cloud" [4]. [1] https://www.sap.com/about/company.html [2] https://www.sap.com/documents/2017/04/4666ecdd-b67c-0010-82c7-eda71 af511fa.html [3] https://help.sap.com/viewer/ff18034f08af4d7bb33894c2047c3b71/7.52.5/ en-US/797de8aa42e24916953c4bb3d983662d.html [4] https://developers.sap.com/topics/abap-platform.html Business recommendation: ------------------------ By exploiting the vulnerabilities documented in this advisory, privileged attackers can take complete control of affected application servers. Thus, successful exploitation can enable fraud, sabotage or data theft while affecting confidentiality, integrity, and availability of business data. SEC Consult recommends to implement security notes 2958563, 2973735, 2993132, 2986980, 2999854, 3002517, 3048657 where the documented issues are fixed according to the vendor. We advise installing the corrections as a matter of priority to keep business-critical data secured. Vulnerability overview/description: ----------------------------------- Advanced Business Application Programming (ABAP)® is a proprietary programming language by SAP SE. In common with every other programming language, ABAP can be susceptible to software vulnerabilities ranging from missing or improper authorization checks to inadequate input validation and output sanitization. Of particular concern are injection vulnerabilities, which can jeopardize the overall system security. Remote Function Call (RFC) is a proprietary network protocol by SAP SE. Comparable to application programming interfaces (APIs), SAP systems come with thousands of built-in function modules implemented in ABAP. RFC allows remote-enabled functions to be accessed via the network. This makes it possible to decentralize business applications even across system boundaries. External programs and external clients can make use of RFC connections to interact with an SAP system via libraries (e.g. NW RFC SDK) provisioned by SAP SE. This advisory covers multiple critical vulnerabilities discovered in the ABAP® coding of standard function modules. These are part of different software components that build upon the bedrock products SAP® Application Server ABAP and ABAP® Platform. 1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver (ABAP Server) and ABAP Platform Function modules RSDU_LIST_DB_TABLE_SYB and RSDU_LIST_DB_TABLE_DB4 of function groups RSDU_UTIL_SYB and RSDU_CORE_UTIL_DB4 are vulnerable to ABAP code injection bugs allowing to execute arbitrary ABAP code. Successful exploitation leads to full system compromise. 2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP and S/4 HANA (DMIS) Function module CNV_MBT_SEL_STRING_RETURN of function group CNV_MBT_SEL is vulnerable to an ABAP code injection bug allowing to embed arbitrary code into the ABAP Repository. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation leads to full system compromise. 3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation) Function module CNV_GET_USERS_FOR_APP_SERVER of function group CNV_00001_HELP does not perform any programmatically implemented authorization check. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. The latter is to be considered as a Denial of Service (DoS) attack. 4) [CVE-2021-21468] Missing Authorization Check in SAP Business Warehouse (Database Interface) Function module RSDL_DB_GET_DATA_BWS of function group RSDL does not perform any programmatically implemented authorization check. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation allows to read out the entire database including cross-client data access. 5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP Business Warehouse (Database Interface) Function module RSDL_DB_GET_DATA_BWS of function group RSDL is vulnerable to a native SQL injection (ADBC) bug allowing to execute arbitrary SQL commands at database level. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation leads to full system compromise. 6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business Warehouse and SAP BW/4HANA Function module RSDRI_DF_TEXT_READ of function group RSDRI_DF_FACADE is vulnerable to an ABAP code injection bug allowing to embed arbitrary code into the ABAP Repository. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation leads to full system compromise. 7) [CVE-2021-21473] Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform Function module SRM_RFC_SUBMIT_REPORT of function group SRM_REP does not enforce proper authorization checks for critical use of a dynamic program call. An attacker can abuse this bug by invoking the function remotely via the RFC protocol. Successful exploitation allows an attacker to execute existing ABAP reports without holding sufficient authorizations. Proof of concept: ----------------- 1) [CVE-2020-6318] Code Injection Vulnerability in SAP NetWeaver (ABAP Server) and ABAP Platform The vulnerable functions make use of the GENERATE SUBROUTINE POOL instruction by providing source code that is created dynamically using untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. This code gets executed on the fly by the application server in the course of execution of the functions. The following payload exploits the bug to escalate privileges via reference user assignment: Import Parameter: I_TABLNM Value: USR02 Import Table: I_T_SELECT_FIELDS ╒═══════════════════════════════════════════════════════════════╕ │ RSD_FIELDNM │ ╞═══════════════════════════════════════════════════════════════╡ │ BNAME │ ╘═══════════════════════════════════════════════════════════════╛ Import Table: I_T_WHERE_COND ╒═══════════╤══════╤════════════════════════════════════════════╕ │ FIELDNM │ OP │ LOW │ ╞═══════════╪══════╪════════════════════════════════════════════╡ │ BNAME │ EQ │ S'ENDEXEC. EXEC SQL.UPDATE USREFUS SET │ │ │ │ REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER │ ╘═══════════╧══════╧════════════════════════════════════════════╛ 2) [CVE-2020-26808] Code Injection Vulnerability in SAP AS ABAP and S/4 HANA (DMIS) The vulnerable function makes use of the INSERT REPORT instruction by providing source code that is created dynamically using untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. Inserted code may be executed by chaining this bug with CVE-2021-21473. The following payload exploits the bug to escalate privileges via reference user assignment: Import Parameter: TABNAME Value: USR02 Import Table: IMT_SELSTRING ╒══════════════════════════════════════════════════════════════╕ │ LINE │ ╞══════════════════════════════════════════════════════════════╡ │ BNAME = 'TEST'. ENDSELECT. │ ├──────────────────────────────────────────────────────────────┤ │ UPDATE USREFUS SET REFUSER = 'DDIC' WHERE BNAME = 'ATTACKER' │ ├──────────────────────────────────────────────────────────────┤ │ SELECT * FROM USR02 │ ╘══════════════════════════════════════════════════════════════╛ 3) [CVE-2020-26832] Missing Authorization Check in SAP NetWeaver AS ABAP and SAP S4 HANA (SAP Landscape Transformation) The vulnerable function does not perform any explicit authorization check. Depending on a specific import parameter, the function leaks active logon sessions (opcode 02) or terminates all active logon sessions (opcode 25) by kernel call 'ThUsrInfo'. Invoking the function periodically prevents users from logging into the application server. The following payload exploits the bug to trigger the information disclosure and enumerate active user sessions: Import Parameter: MODE Value: 1 The following payload exploits the bug to terminate all active user sessions: Import Parameter: MODE Value: 2 4) [CVE-2021-21468] Missing Authorization Check in SAP Business Warehouse (Database Interface) The vulnerable function does not perform any explicit authorization check. It uses predefined classes and methods from the ABAP Database Connectivity (ADBC) framework to execute native SQL queries at database level. Depending on specific import parameters, this allows to read out arbitrary table data including user master records or secure storages (e.g. RSECTAB). The following payload exploits the bug to exfiltrate user password hashes: Import Table: I_S_TABSEL ╒══════════════════════════════════════════════════════════════╕ │ NAME │ ╞══════════════════════════════════════════════════════════════╡ │ USR02 │ ╘══════════════════════════════════════════════════════════════╛ Import Table: I_S_DBCON ╒══════════════════════════════════════════════════════════════╕ │ CON_NAME │ ╞══════════════════════════════════════════════════════════════╡ │ <Database Connection String> (e.g. DEFAULT) │ ╘══════════════════════════════════════════════════════════════╛ Import Table: I_T_DBFIELDS ╒═══════════════╤═════════╤════════════════════════════════════╕ │ NAME │ TYPE │ LENGTH │ ╞═══════════════╪═════════╪════════════════════════════════════╡ │ BNAME │ CHAR255 │ 000255 │ ├───────────────┼─────────┼────────────────────────────────────┤ │ PWDSALTEDHASH │ CHAR255 │ 000255 │ ╘══════════════════════════════════════════════════════════════╛ 5) [CVE-2021-21465] Native SQL Injection Vulnerability in SAP Business Warehouse (Database Interface) The vulnerable function does not perform any input validation or output sanitization on import parameters that can be used to define conditional SQL statements. This allows to inject arbitrary SQL commands that get executed natively at database level in the course of execution of the function. The following payload exploits the bug to escalate privileges via reference user assignment: Import Table: I_S_TABSEL ╒══════════════════════════════════════════════════════════════╕ │ NAME │ ╞══════════════════════════════════════════════════════════════╡ │ USR02 │ ╘══════════════════════════════════════════════════════════════╛ Import Table: I_S_DBCON ╒══════════════════════════════════════════════════════════════╕ │ CON_NAME │ ╞══════════════════════════════════════════════════════════════╡ │ <Database Connection String> (e.g. DEFAULT) │ ╘══════════════════════════════════════════════════════════════╛ Import Table: I_T_DBFIELDS ╒═══════════════╤═════════╤════════════════════════════════════╕ │ NAME │ TYPE │ LENGTH │ ╞═══════════════╪═════════╪════════════════════════════════════╡ │ BNAME │ CHAR255 │ 000255 │ ╘══════════════════════════════════════════════════════════════╛ Import Table: I_T_SELECT ╒══════════════════════╤════════╤══════════════════════════════╕ │ FIELDNM │ OPTION │LOW │ ╞══════════════════════╪════════╪══════════════════════════════╡ │ BNAME │ EQ │'';UPDATE USREFUS SET REFUSER │ │ │ │='DDIC' WHERE '1 │ ├──────────────────────┼────────┼──────────────────────────────┤ │ ' = '1 AND' AND BNAME│ EQ │'ATTACKER'; │ ╘══════════════════════════════════════════════════════════════╛ 6) [CVE-2021-21466] Code Injection Vulnerability in SAP Business Warehouse and SAP BW/4HANA The vulnerable function makes use of the INSERT REPORT instruction by providing source code that is created dynamically using untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. Inserted code may be executed by chaining this bug with CVE-2021-21473. The following payload exploits the bug to escalate privileges via reference user assignment: Import Parameter: I_TABLE_NAME Value: INJECTION Import Parameter: I_DEBUG_SUFFIX Value: SAP Import Table: I_T_RANGE_STRING ╒═══════════╤═════════════════════════════════════╤════════════╕ │ CHANM │ LOW │ HIGH │ ╞═══════════╪═════════════════════════════════════╪════════════╡ │ BNAME │ '. UPDATE USREFUS SET REFUSER │ '. EXIT. " │ │ │ = 'DDIC' WHERE BNAME = 'ATTACKER │ │ ╘═══════════╧═════════════════════════════════════╧════════════╛ 7) [CVE-2021-21473] Missing Authorization Check in SAP NetWeaver AS ABAP and ABAP Platform The vulnerable function uses a dynamically generated program name (based on data from untrusted sources) in a SUBMIT call. No authorization checks are programmatically enforced. Thus, a remote, unauthorized attacker can leverage this function to start any existing ABAP report by providing the respective report name in the import parameter REPORTNAME. 8) [CVE-2021-33678] Code Injection vulnerability in SAP NetWeaver AS ABAP (Reconciliation Framework) The vulnerable function makes use of the GENERATE SUBROUTINE POOL instruction in form 'get_dynamic_fields' by providing source code that is created dynamically using untrusted user input. As there is no input validation or output sanitization, an attacker can inject malicious ABAP code through specific import parameters. These parameters are limited in size due to their variable type. This restricts an attacker in exploitation scenarios. However, it is still possible, for example, to delete critical system tables by exploiting this bug. The following payload exploits the bug to drop table USR02, leading to a complete loss of availability of the target system: Import Parameter: RTABNAME Value: X. EXEC SQL. DROP TABLE USR02- Import Parameter: RFIELDNAME Value: ENDEXEC Vulnerable / tested versions: ----------------------------- All tests were conducted on SAP NetWeaver Application Server ABAP 752 SP04 and ABAP Platform 1909. No additional testing on other releases has been carried out. According to the vendor the following releases and versions are affected by the discovered vulnerabilities: 1) SAP NetWeaver (ABAP Server) and ABAP Platform, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 Components: SAP_BW, SAP_BW_VIRTUAL_COMP 2) SAP AS ABAP (DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; SAP S4 HANA(DMIS), Versions - 101, 102, 103, 104, 105 Components: DMIS, S4CORE 3) SAP NetWeaver AS ABAP (SAP Landscape Transformation - DMIS), Versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020; SAP S4 HANA (SAP Landscape Transformation), Versions - 101, 102, 103, 104, 105 Components: DMIS, S4CORE 4) SAP Business Warehouse, Versions - 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782 Components: SAP_BW, SAP_BW_VIRTUAL_COMP 5) SAP Business Warehouse, Versions - 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 782 Components: SAP_BW, SAP_BW_VIRTUAL_COMP 6) SAP Business Warehouse, Versions - 700, 701, 702, 711, 730, 731, 740, 750, 782; SAP BW4HANA, Versions - 100, 200 Components: SAP_BW, DW4CORE 7) SAP NetWeaver AS ABAP and ABAP Platform, Versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755 Components: SAP_BASIS 8) SAP NetWeaver AS ABAP (Reconciliation Framework) - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 75A, 75B, 75B, 75C, 75D, 75E, 75F Components: SAP_ABA Vendor contact timeline: ------------------------ The following timelines have been split for each CVE/vulnerability, as different contacts were responsible. All identified vulnerabilities have been fixed by now by SAP and SEC Consult releases this security advisory adhering to the responsible disclosure policy. CVE-2020-6318 -------------------------------- 2020-08-12 | Contacting vendor with detailed report through vulnerability submission web form. 2020-08-13 | Vendor confirms receipt and assigns security incident number #2080354772. 2020-08-19 | Vendor confirms vulnerability. 2020-08-24 | Vendor informs about patch development strategy. 2020-09-07 | Vendor informs about release of the patch, registration of CVE number and corresponding security note. 2020-09-08 | Vendor releases patch with SAP Security Note 2958563. CVE-2020-26808 -------------------------------- 2020-09-24 | Contacting vendor with detailed report through vulnerability submission web form. 2020-09-25 | Vendor confirms receipt and assigns security incident number #2070354293. 2020-10-20 | Contacting vendor to request progress information. 2020-10-21 | Vendor confirms vulnerability and states that a fix is in development. 2020-11-09 | Vendor informs about release of the patch, registration of CVE number and corresponding security note. 2020-11-10 | Vendor releases patch with SAP Security Note 2973735. CVE-2020-26832 -------------------------------- 2020-10-23 | Contacting vendor with detailed report through vulnerability submission web form. 2020-10-26 | Vendor confirms receipt and assigns security incident number #2070432866. 2020-11-17 | Vendor confirms vulnerability and proposes CVSS score of 7.6. 2020-11-23 | Vendor asks for exploit script shown in the initial report. 2020-11-24 | Providing the requested script via encrypted PGP mail. 2020-12-07 | Vendor informs about release of the patch, registration of CVE number and corresponding security note. 2020-12-08 | Vendor releases patch with SAP Security Note 2993132. CVE-2021-21465 / CVE-2021-21468 -------------------------------- 2020-10-27 | Contacting vendor with detailed report through vulnerability submission web form. 2020-10-29 | Vendor confirms receipt and assigns separated security incident numbers #2070446047 and #2070446050. 2020-11-06 | Vendor confirms vulnerability and predicts patches to be released on December Patch Tuesday 2020. 2020-11-18 | Vendor confirms that they are still on track for December Patch Tuesday 2020. 2020-12-01 | Vendor informs that patch needs to be postponed to January Patch Tuesday 2021. 2021-01-08 | Vendor informs about release of patches and clarifies that a single security note will fix both issues. Additional information about CVSS scores is provided. 2021-01-11 | Vendor informs about release of the patches, registration of CVE numbers and corresponding security note. 2021-01-12 | Vendor releases patches with SAP Security Note 2986980. CVE-2021-21466 / CVE-2021-21473 -------------------------------- 2020-11-25 | Contacting vendor with detailed report through vulnerability submission web form. 2020-11-27 | Vendor confirms receipt and assigns security incident number #2080396648. 2021-01-04 | Vendor confirms vulnerability and states that they are working on a fix. Additional information is provided detailing on that they will split the reported finding into two separated security issues and security incident numbers #2080396648 and #2080412695. 2021-01-11 | Vendor informs about release of the first patch, registration of CVE number and corresponding security note. 2021-01-11 | Vendor informs about patch release for the first issue. Additional information is provided describing that a patch for the second issue is still in development. 2021-01-12 | Vendor releases first patch with SAP Security Note 2999854. 2021-05-07 | Asking vendor for update regarding the second issue. 2021-05-11 | Vendor informs that fix is in progress and note will be released soon. 2021-06-07 | Vendor informs about release of the second patch, registration of CVE number and corresponding security note. 2021-06-08 | Vendor releases second patch with SAP Security Note 3002517. CVE-2021-33678 -------------------------------- 2021-02-01 | Contacting vendor with detailed report through vulnerability submission web form. 2021-02-03 | Vendor confirms receipt and assigns security incident number #2180074995. 2021-05-07 | Asking vendor for update. 2021-05-11 | Vendor informs that fix is in progress. 2021-07-12 | Vendor informs about release of the patch, registration of CVE number and corresponding security note. 2021-07-13 | Vendor releases patch with SAP Security Note 3048657. Solution: --------- SAP SE reacted promptly to our findings. Product Security Incident Response Team (PSRT) and engineers released patches in a timely manner for each of the reported issues. These patches are available in form of SAP Security Notes which can be accessed via the SAP Customer Launchpad [5]. More information can also be found at the Official SAP Product Security Response Space [6]. The following Security Notes need to be implemented: 2958563, 2973735, 2993132, 2986980, 2999854, 3002517, 3048657 [5] https://launchpad.support.sap.com/#/securitynotes [6] https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF F. Hagg, A. Meier / @2022

RG-UAC 6000-ISG series video surveillance security gateway is a video surveillance network security reinforcement product independently developed by Ruijie Networks. Ruijie RG-UAC 6000-ISG video access security gateway has an information disclosure vulnerability. Attackers can use this vulnerability to obtain sensitive information.

IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 197973. Vendor is responsible for this vulnerability IBM X-Force ID: 197973 Is published as.Information may be obtained

H3C S1526 is a new generation switch launched by New H3C Technology Co., Ltd. It is positioned in the cultural industry market such as Internet cafes, singing bars, and digital cinemas. H3C S1526 has an arbitrary file download vulnerability, which can be exploited by attackers to obtain sensitive information.

ZenFone 4 Max (ZC520KL) is a smart phone. ZenFone 4 Max (ZC520KL) has an information disclosure vulnerability. Attackers can use vulnerabilities to obtain sensitive information.

Nokia 7.2 is a smart phone. Nokia 7.2 has an information disclosure vulnerability. Attackers can use vulnerabilities to obtain sensitive information.

General Mobile is a Turkish smartphone manufacturer. General Mobile GM8 has an information disclosure vulnerability. Attackers can use vulnerabilities to obtain sensitive information.

Nokia 6.2 is a smart phone. Nokia 6.2 has an information disclosure vulnerability. Attackers can use vulnerabilities to obtain sensitive information.

Razer Phone2 is a smart phone of the Razer brand series. Razer Phone2 has an information disclosure vulnerability. Attackers can use vulnerabilities to obtain sensitive information.

Razer Phone (full Netcom) is a series of smart phones under the Razer brand. Razer Phone has an information disclosure vulnerability, which can be exploited by attackers to obtain sensitive information.

General Mobile is a Turkish smartphone manufacturer. General Mobile GM9 Pro has an information disclosure vulnerability. Attackers can use vulnerabilities to obtain sensitive information.

Hikvision is a video-centric intelligent IoT solution and big data service provider. The streaming media management server of Hangzhou Hikvision Digital Technology Co., Ltd. has a logic flaw vulnerability, which can be exploited by attackers to obtain sensitive information.

Vsmart Live is a smart phone. Vsmart Live has an information disclosure vulnerability. Attackers can use vulnerabilities to obtain sensitive information.

Vsmart Joy 2+ is a smart phone. Vsmart Joy 2+ has an information disclosure vulnerability. Attackers can use vulnerabilities to obtain sensitive information.

ASUS Zenfone Live (L1) is a smartphone launched by ASUS in 2018. Asus Zenfone Live (L1) mobile phone has an information disclosure vulnerability, which can be exploited by attackers to obtain sensitive information.

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. Apache Tomcat There is an authentication vulnerability in.Information may be obtained and information may be tampered with. Description: Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 5.6.0 Security release Advisory ID: RHSA-2021:4861-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2021:4861 Issue date: 2021-11-30 CVE Names: CVE-2021-30640 CVE-2021-33037 CVE-2021-42340 ==================================================================== 1. Summary: Updated Red Hat JBoss Web Server 5.6.0 packages are now available for Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Web Server 5.6 for RHEL 7 Server - noarch, x86_64 Red Hat JBoss Web Server 5.6 for RHEL 8 - noarch, x86_64 3. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. This release of Red Hat JBoss Web Server 5.6.0 serves as a replacement for Red Hat JBoss Web Server 5.5.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References. Security Fix(es): * tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS (CVE-2021-42340) * tomcat: HTTP request smuggling when used with a reverse proxy (CVE-2021-33037) * tomcat: JNDI realm authentication weakness (CVE-2021-30640) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy 1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness 2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS 6. Package List: Red Hat JBoss Web Server 5.6 for RHEL 7 Server: Source: jws5-tomcat-9.0.50-3.redhat_00004.1.el7jws.src.rpm jws5-tomcat-native-1.2.30-3.redhat_3.el7jws.src.rpm jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el7jws.src.rpm noarch: jws5-tomcat-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-admin-webapps-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-docs-webapp-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-el-3.0-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-java-jdk11-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-java-jdk8-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-javadoc-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-jsp-2.3-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-lib-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-selinux-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-servlet-4.0-api-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-vault-javadoc-1.1.8-4.Final_redhat_00004.1.el7jws.noarch.rpm jws5-tomcat-webapps-9.0.50-3.redhat_00004.1.el7jws.noarch.rpm x86_64: jws5-tomcat-native-1.2.30-3.redhat_3.el7jws.x86_64.rpm jws5-tomcat-native-debuginfo-1.2.30-3.redhat_3.el7jws.x86_64.rpm Red Hat JBoss Web Server 5.6 for RHEL 8: Source: jws5-tomcat-9.0.50-3.redhat_00004.1.el8jws.src.rpm jws5-tomcat-native-1.2.30-3.redhat_3.el8jws.src.rpm jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el8jws.src.rpm noarch: jws5-tomcat-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-admin-webapps-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-docs-webapp-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-el-3.0-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-javadoc-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-jsp-2.3-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-lib-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-selinux-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-servlet-4.0-api-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-vault-1.1.8-4.Final_redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-vault-javadoc-1.1.8-4.Final_redhat_00004.1.el8jws.noarch.rpm jws5-tomcat-webapps-9.0.50-3.redhat_00004.1.el8jws.noarch.rpm x86_64: jws5-tomcat-native-1.2.30-3.redhat_3.el8jws.x86_64.rpm jws5-tomcat-native-debuginfo-1.2.30-3.redhat_3.el8jws.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-30640 https://access.redhat.com/security/cve/CVE-2021-33037 https://access.redhat.com/security/cve/CVE-2021-42340 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYaaMntzjgjWX9erEAQibyg/9E3I1wMpKriqTZKlf1tGcPt4wShPVNKMh B4PC8t1vBZJZ2VBMrQJdmYBUKRn3mccCqUxd0ey/UfsacIoKvAACr18iXCxYc4cO MeNqy7SWRO+Kwze2fYpBu7w5dR34yhUQAN8DAOui7DduZsS209X7WhShrLSjzF5j g+nhRCi4l5QRwcy7NF4TAhmAN7f819BwDHQJI/ttaOHqEwsDnOlPNKbV0X4Hlkf5 5VRD/8ArImD7tqpSs/9YVh34MJLCVmVkWgHBDY0I06LcRSQJoRBZDEkoPRHQxU26 hKH5oDaVezm92RFFqfwo2HHY6eGJc/qTTcd/WeW4RDfx49+ARsOt2kvO2XcEo45A iUue2MayqnfdQHRI7MMNaaWoNudI2MVBcbQYhkTZcgApZEmtCe4taeo0YUvFqUeJ N1Awh8QIN5vqA7wKdtrHiQCMx/6/fqi3VtKN3LZEuUiRMM/sueqc1yob6piuU4Vk nyHP0ULSyMYnrzoqKN1BwbobRYyXKbVR376qMtxhLMe71PXg26TgDC9seUnooNum XgcRIdc7Q2WyGaFLxGE5fS0/7FagX/etRlg9DIHi27NVl0WXgmFVLC2ZumjfSoms FgQUTPwa2Bt90Oat2u7vnB5MBvCR0+OAAsM8TK/cn/31F697MMTI6Qloiq2DDOt4 2c2PkIZ6XrY=6RkQ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. For the oldstable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u6. For the stable distribution (bullseye), these problems have been fixed in version 9.0.43-2~deb11u2. We recommend that you upgrade your tomcat9 packages. For the detailed security status of tomcat9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat9 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmFok+gACgkQEMKTtsN8 TjZDbg/8D0kfepA/7f6I94IQaO2l83ct22L0KRvFs71rW488M9R9SeBYuwWG63kV Lfptm7+djz1lvbPcHCtbTtmWi6jfLpL/p0QU4NbRoGiv4gkqmBCEhKLKmVWSMp/B KINQXc7QcxpaVN8m2RfIhh4z9kmjcuUTUlfwD5rX253gsfXAPsiQv8KyXDUZV4ga 9GmFllzwWXGA0rfgzPy9owqXbjqs9ZeJj28EkSvxnnPq3U13OQbdH6uqh4MtYF25 kiyL7WClz/zV+ea60GySznHIl/qs0x+JqD4WhFsRImvr8i5YGzz6c7bapU2wdOND FkIJ9/zpxwWvzmtzTqxwlRgKz2IpFz/4xXEFQXpGAMpSP2luXW4BBq/IKzQNqb84 uIGJmHRiDEiwQ9C3JPK4LGP8lvkqmCDQRCDfF/Q8V8DW1KZJKbIHa0ZRcTj07JlB 9CJvVAWoiwrzFCgnt249Y++pdxlk8bP1d4xhD5eU88+B+t3YEtiqhJpKqlkxSVFx M/twu7ivJtQBZ6MTyP4L84evi8YvPKQcFwydP3H+cJU5+BjkbSnxhP7Era3+tKDH +D0W4u9CUH+GFYvXwclZsXBPQOWyEeDoS7mG3JLQ2eP5EvS9I+8e++aHC57JY8rd 22pSwzrEAf7kqEqct3kIpUHbN/zfemOrSlx8Apm4Ns3ze1380/o= =sRPH -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202208-34 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Low Title: Apache Tomcat: Multiple Vulnerabilities Date: August 21, 2022 Bugs: #773571, #801916, #818160, #855971 ID: 202208-34 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= Multiple vulnerabilities have been discovered in Apache Tomcat, the worst of which could result in denial of service. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-servers/tomcat < 8.5.82:8.5 >= 8.5.82:8.5 < 9.0.65:9 >= 9.0.65:9 < 10.0.23:10 >= 10.0.23:10 Description ========== Multiple vulnerabilities have been discovered in Apache Tomcat. Please review the CVE identifiers referenced below for details. Impact ===== Please review the referenced CVE identifiers for details. Workaround ========= There is no known workaround at this time. Resolution ========= All Apache Tomcat 10.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-10.0.23:10" All Apache Tomcat 9.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-9.0.65:9" All Apache Tomcat 8.5.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.5.82:8.5" References ========= [ 1 ] CVE-2021-25122 https://nvd.nist.gov/vuln/detail/CVE-2021-25122 [ 2 ] CVE-2021-25329 https://nvd.nist.gov/vuln/detail/CVE-2021-25329 [ 3 ] CVE-2021-30639 https://nvd.nist.gov/vuln/detail/CVE-2021-30639 [ 4 ] CVE-2021-30640 https://nvd.nist.gov/vuln/detail/CVE-2021-30640 [ 5 ] CVE-2021-33037 https://nvd.nist.gov/vuln/detail/CVE-2021-33037 [ 6 ] CVE-2021-42340 https://nvd.nist.gov/vuln/detail/CVE-2021-42340 [ 7 ] CVE-2022-34305 https://nvd.nist.gov/vuln/detail/CVE-2022-34305 Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202208-34 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ====== Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . The purpose of this text-only errata is to inform you about the security issues fixed in this release. Installation instructions are available from the Fuse 7.11.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/ 4