Known Actively Exploited Vulnerabilities Round-up (31.05.24-06.06.24)

This article covers recent vulnerabilities found to be actively exploited. They are categorised based not only on the category of exploitation, but their impact, and versions affected. This article also informs on any official fix and remediation guidance for the listed vulnerabilities.

This article covers recent vulnerabilities found to be actively exploited. They are categorised based not only on the category of exploitation, but their impact, and versions affected. This article also informs on any official fix and remediation guidance for the listed vulnerabilities.

 

CVE-2024-4978

Category: Malware (Trojan Or Embedded Malicious Code)

 

Versions Affected:

  • Justice AV Solutions Viewer v8.3.7.250-1

 

Vulnerability Summary:

Justice AV Solutions Viewer version 8.3.7.250-1 contains a malicious binary in the setup installer file. The malware was hosted for download on the official website of JAVS in the file JAVS Viewer Setup 8.3.7.250-1.exe. When extracted, a malicious trojan file named fffmpeg.exe is created within the file path C:\Program Files (x86)\JAVS\Viewer 8\ on the Windows operating system.

This binary contains encoded PowerShell scripts which are then executed. Upon execution, fffmpeg.exe persistently communicates with a command-and-control (C2 or C&C) server using Windows sockets and WinHTTP requests. The malware appears to be based on the so-called ‘RustDoor’, a Windows-specific version of the original ‘GateDoor’ malware for macOS.

 

Official Fix & Remediation Guidance:

  • Completely re-image affected endpoints. Uninstalling the software is insufficient. Deleting the malicious binary files is insufficient. Attackers may have implanted additional backdoors or malware. Re-imaging to a completely clean OS install provides a clean slate.
  • Reset credentials for any accounts that were logged into affected endpoints. This includes local accounts on the endpoint itself as well as any remote accounts accessed during the period when JAVS Viewer 8.3.7 was installed. Attackers may have stolen credentials from compromised systems.

 

Users should install the latest version of JAVS Viewer (8.3.8 or higher) ONLY after re-imaging affected systems from bare metal. The download is available at http://support.javs.com/xwiki/bin/view/Products/Viewer%208/Software/Releases/

 

 

CVE-2017-3506

Category: Command Injection

 

Versions Affected:

Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2.

 

Vulnerability Summary:

An OS command injection vulnerability exists in the Oracle WebLogic Server component of Oracle Fusion Middleware. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

The application fails to properly sanitise XML content sent to Web Services Atomic Transactions feature (WSAT) endpoints under /wls/wsat, such as /wls-wsat/RegistrationRequesterPortType. Malicious input passed to the XMLDecoder constructor and read functions within the WorkContextXmlInputAdapter class result in the deserialization of an arbitrary Java serialized object.

Possible entry points include at least the below:

  • wls-wsat/RegistrationPortTypeRPC
  • wls-wsat/ParticipantPortType
  • wls-wsat/RegistrationRequesterPortType
  • wls-wsat/CoordinatorPortType11
  • wls-wsat/RegistrationPortTypeRPC11
  • wls-wsat/ParticipantPortType11
  • wls-wsat/RegistrationRequesterPortType11

 

 

Official Fix & Remediation Guidance:

Oracle released a Critical Patch Update that fixes this issue. Customers are advised to upgrade to the latest version of the impacted product. Oracle customers can access the patch by logging in at https://support.oracle.com/epmos/faces/DocumentDisplay?id=2228898.1.

NOTE: The initial vendor patch for this CVE is incomplete or only partially effective; ensure to also patch against linked vulnerability CVE-2017-10271.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

About Appcheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses
URLs

Get in touch