Known Actively Exploited Vulnerabilities Round-up (12.07.24-18.07.24)

This article covers recent vulnerabilities found to be actively exploited. Each entry is categorised by the class of vulnerability, its impact, and the versions affected. The article also summarises the official fix and remediation guidance for each listed vulnerability.

CVE-2024-27348

Category: Command Injection

Versions Affected:

  • This issue affects Apache HugeGraph-Server from 1.0.0 before 1.3.0 in Java8 & Java11

Vulnerability Summary:

A critical command injection vulnerability exists in the Gremlin language support of Apache HugeGraph-Server. Specially crafted Gremlin scripts abuse missing reflection filtering in the HugeSecurityManager to escape the intended ‘sandbox’ and execute arbitrary code on the server. A malicious query can be submitted through any Gremlin server interface, typically the REST API or a dedicated Gremlin client; where the Auth system has not been enabled, the Gremlin endpoint accepts such queries without authentication.

Official Fix & Remediation Guidance:

This vulnerability has been patched by filtering critical system classes and adding new security checks in HugeSecurityManager. Users are recommended to upgrade to version 1.3.0 running on Java 11 and to enable the Auth system, so that the Gremlin endpoint is no longer reachable without credentials. Downloads are available via https://hugegraph.apache.org/docs/download/download/.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

CVE-2022-22948

Category: Permission Management

Versions Affected:

  • VMware vCenter Server version 7.x prior to release 7.0 U3d
  • VMware vCenter Server version 6.7.x prior to release 6.7 U3p
  • VMware vCenter Server version 6.5.x prior to release 6.5 U3r
  • VMware Cloud Foundation version 3.x prior to release 3.11
  • VMware Cloud Foundation version 4.x prior to release 4.4.1

Vulnerability Summary:

vCenter Server assigns overly permissive file permissions to a critical configuration file containing cleartext credentials, allowing it to be read by unauthorised users. The product creates “/etc/vmware-vpx/vcdb.properties”, which holds the plaintext login credentials for vCenter’s PostgreSQL database, but sets permissions on the file such that any user who is a member of the “cis” group can read it. A low-privileged user in that group can therefore connect to vCenter’s Postgres database and access further information, such as system usernames and passwords.
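
As an added illustration (not VMware's code or tooling), the following Python audit applies the check a practitioner would run against the file named above: does it hold credential-like keys, and can anyone beyond its owner read it? The file path is the one from the advisory; the sample properties content and its key names are constructed for the example, and the script uses the POSIX grp module, so it is meant for the Linux-based vCenter Server Appliance rather than Windows.

```python
import grp
import os
import re
import stat

# Path named in the advisory. The "cis" group is the one the advisory says
# was wrongly able to read it; everything else below is illustrative.
VCDB_PROPERTIES = "/etc/vmware-vpx/vcdb.properties"

# Constructed sample of the kind of content such a file holds (not a real
# vCenter file); the key names are assumptions made for the example.
SAMPLE_PROPERTIES = """driver = org.postgresql.Driver
url = jdbc:postgresql://localhost:5432/VCDB
username = vc
password = S3cr3tExample
"""

# A line that assigns something credential-like, e.g. "vcdb.password = ..."
CREDENTIAL_KEY = re.compile(r"^\s*[\w.-]*(password|passwd|secret)\s*=", re.I)


def evaluate(mode: int, group_name: str, contents: str) -> dict:
    """Pure decision logic: is a file holding cleartext credentials readable
    by anyone other than its owner? `mode` is st_mode, `group_name` the
    owning group."""
    group_readable = bool(mode & stat.S_IRGRP)
    world_readable = bool(mode & stat.S_IROTH)
    holds_credentials = any(CREDENTIAL_KEY.match(line) for line in contents.splitlines())
    return {
        "perms": oct(stat.S_IMODE(mode)),
        "group": group_name,
        "group_readable": group_readable,
        "world_readable": world_readable,
        "holds_credentials": holds_credentials,
        # Exposed only when the file really carries secrets and someone
        # other than the owner can read it.
        "exposed": holds_credentials and (group_readable or world_readable),
    }


def audit_credentials_file(path: str = VCDB_PROPERTIES) -> dict:
    """Stat and read a real file, then apply the same evaluation."""
    st = os.stat(path)
    try:
        group_name = grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # gid with no /etc/group entry
        group_name = str(st.st_gid)
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        contents = fh.read()
    return evaluate(st.st_mode, group_name, contents)


if __name__ == "__main__":
    if os.path.exists(VCDB_PROPERTIES):
        result = audit_credentials_file()
    else:  # no vCenter here: show the verdict on the constructed sample
        result = evaluate(0o100640, "cis", SAMPLE_PROPERTIES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A mode of 0640 owned by group cis is exactly the condition the advisory describes and is reported as exposed; 0600 is not, and a group-readable file that carries no credential keys is reported as readable but not exposed, so the check does not fire on every configuration file.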

Official Fix & Remediation Guidance:

VMware has issued a patch for the vulnerability that can be found at https://www.vmware.com/security/advisories/VMSA-2022-0009.html. Customers are advised to upgrade to the latest version of the impacted product.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

CVE-2024-28995

Category: Path Traversal

Versions Affected:

  • SolarWinds Serv-U Managed File Transfer Server (MFT) 15.4.2 HF 1 and previous versions
  • SolarWinds Serv-U Secured FTP 15.4.2 HF 1 and previous versions
  • SolarWinds Serv-U Gateway 15.4.2 HF 1 and previous versions

Vulnerability Summary:

SolarWinds Serv-U is susceptible to a directory traversal vulnerability. The product uses external input to construct a pathname intended to identify a file or directory beneath a restricted parent directory, but does not properly neutralise special elements within the pathname, so the pathname can resolve to a location outside the restricted directory.

Two HTTP request parameters, InternalDir and InternalFile, are read before the vulnerable function is called, and supplying malicious values for them triggers the traversal. The vulnerable function does attempt to detect traversal by looking for the path segment \..\ in the supplied path; however, if an attacker supplies the same double-dot segment with forward slashes (/../), the check is bypassed and the attacker can escape the restricted location to read files or directories elsewhere on the system. The affected endpoint does not require authentication, so the issue amounts to an unauthenticated arbitrary file read.
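
The flawed check and a hardened replacement, as an added example in Python (not Serv-U's code, which is native): vulnerable_is_safe models the single-separator test described above, while hardened_resolve canonicalises both separator forms, restricts the file parameter to a single segment, and refuses anything that would climb above the restricted root. RESTRICTED_ROOT and the way the two parameters are joined are assumptions made for the example.

```python
import re

# Illustrative restricted root for the example; not Serv-U's real layout.
RESTRICTED_ROOT = r"C:\ProgramData\Serv-U\Client\Common"


def vulnerable_is_safe(path: str) -> bool:
    """Models the check the advisory describes: only the backslash form of a
    double-dot segment is looked for, so '/../' slips straight through."""
    return "\\..\\" not in path


def canonical_segments(path: str):
    """Collapse '.', '..' and repeated separators of either kind. Returns the
    remaining segments, or None if '..' would climb above the root."""
    segments = []
    for seg in re.split(r"[\\/]+", path):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None  # attempt to leave the restricted root
            segments.pop()
        else:
            segments.append(seg)
    return segments


def hardened_resolve(root: str, internal_dir: str, internal_file: str) -> str:
    """Canonicalise the requested directory, require the file name to be a
    single segment, and build the final path under `root`. Assumes the web
    server has already URL-decoded both parameters."""
    if re.search(r"[\\/]", internal_file) or internal_file in ("", ".", ".."):
        raise ValueError("file name must be a single path segment: %r" % internal_file)
    segments = canonical_segments(internal_dir)
    if segments is None:
        raise ValueError("path traversal rejected: %r" % internal_dir)
    return root + "\\" + "\\".join(segments + [internal_file])


def is_allowed(root: str, internal_dir: str, internal_file: str) -> bool:
    """Boolean wrapper for use in a request handler or a test."""
    try:
        hardened_resolve(root, internal_dir, internal_file)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for d, f in (("sub/dir", "file.txt"), ("/../../Windows", "win.ini"), ("Common", "../win.ini")):
        print(repr(d), repr(f), "vulnerable check passes:", vulnerable_is_safe(d + "\\" + f),
              "hardened allows:", is_allowed(RESTRICTED_ROOT, d, f))
```

The point of canonicalising before checking, rather than searching for one literal substring, is that every spelling of the same segment (/../, \..\, mixed, repeated separators) collapses to the same result, so there is no second spelling left to bypass with.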

Official Fix & Remediation Guidance:

The vulnerable function has been patched in later versions. The path is now checked for a double-dot segment in either separator form, so the forward-slash variant (/../) that previously bypassed the \..\ check is caught as well, and any such path is sanitised before use.

Customers are advised to upgrade to Serv-U 15.4.2 HF 2 or later. For further information, see https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-4-2-Hotfix-2-Release-Notes.

NOTE: As per the vendor documentation, Serv-U version 15.3.2 and earlier will reach end of life in February 2025, and all versions below this have already reached end of life and are unsupported; such installations will not receive this fix and should be upgraded to a supported release rather than patched in place.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

CVE-2024-34102

Category: XML External Entity Processing (XXE)

Versions Affected:

  • Adobe Commerce version 2.4.7 prior to release 2.4.7-p1
  • Adobe Commerce version 2.4.6 release 2.4.6-p5 and earlier
  • Adobe Commerce version 2.4.5 release 2.4.5-p7 and earlier
  • Adobe Commerce version 2.4.4 release 2.4.4-p8 and earlier
  • Adobe Commerce version 2.4.3 release 2.4.3-ext-7 and earlier
  • Adobe Commerce version 2.4.2 release 2.4.2-ext-7 and earlier
  • Magento Open Source version 2.4.7 prior to release 2.4.7-p1
  • Magento Open Source version 2.4.6 release 2.4.6-p5 and earlier
  • Magento Open Source version 2.4.5 release 2.4.5-p7 and earlier
  • Magento Open Source version 2.4.4 release 2.4.4-p8 and earlier
  • Adobe Commerce Webhooks Plugin versions 1.2.0 to 1.4.0

Vulnerability Summary:

Adobe Commerce is susceptible to an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability. The product processes an XML document that can contain XML entities with URIs resolving to documents outside the intended sphere of control, causing it to embed those documents into its output. By traversing chains of constructors and setters, an attacker can instantiate a wide variety of internal classes that were never meant to be user-facing. Such chaining ultimately reaches the constructor of PHP’s SimpleXMLElement with an attacker-controlled value for its dataIsURL parameter. The attacker submits a malicious JSON payload to the REST API; nested deserialization of that payload delivers the attacker’s values to the SimpleXMLElement constructor, which then loads XML from an attacker-specified external source and parses it.

XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. The XML parser can access the contents of this URI and embed them back into the XML document for further processing. By supplying XML that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. For example, a URI such as “file:///c:/winnt/win.ini” designates (on Windows) the file C:\Winnt\win.ini, and file:///etc/passwd designates the password file on Unix-based systems. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or to hide the source of attacks such as port scanning. Once the content of the URI is read, it is fed back into the application that is processing the XML, which may echo the data back (e.g. in an error message), thereby exposing the file contents.

An attacker can exploit this vulnerability by sending a crafted request that causes the application to parse attacker-supplied XML referencing external entities. Exploitation does not require authentication or user interaction.
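
An added detection example (not Adobe's or Magento's code) that walks a REST request body as JSON, at any nesting depth, and reports the indicators the description above implies: a reference to SimpleXMLElement, the dataIsURL parameter, a DTD declaration and an external entity. The two request bodies are constructed for the example; the suspicious one is shaped only to trigger each indicator and is not the real exploit payload, whose exact structure is not reproduced here.

```python
import json
import re

# Indicators drawn from the description above. The patterns are this
# example's own, not Adobe's detection logic.
INDICATORS = {
    "simplexml_class": re.compile(r"SimpleXMLElement", re.I),
    "data_is_url": re.compile(r"dataIsURL", re.I),
    "dtd_declaration": re.compile(r"<!DOCTYPE|<!ENTITY", re.I),
    "external_entity": re.compile(r"\bSYSTEM\s*['\"]|file://", re.I),
}

# Constructed request bodies. The second merely exercises every indicator.
BENIGN_BODY = json.dumps({
    "cartId": "12345",
    "address": {"country_id": "GB", "postcode": "LS1 1AA", "street": ["1 High St"]},
})
SUSPICIOUS_BODY = json.dumps({
    "address": {"extension_attributes": {"sourceData": {
        "class": "\\SimpleXMLElement",
        "dataIsURL": True,
        "data": "<!DOCTYPE x [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><x>&xxe;</x>",
    }}}
})


def strings_in(node, path="$"):
    """Yield (json_path, text) for every key and string value, at any depth,
    because the gadget chain hides its class names deep in nested objects."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            yield child, key
            yield from strings_in(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from strings_in(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def scan_body(body: str):
    """Return sorted (json_path, indicator) pairs found in one request body."""
    try:
        document = json.loads(body)
    except json.JSONDecodeError:
        return [("$", "not_json")]
    hits = set()
    for path, text in strings_in(document):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.add((path, name))
    return sorted(hits)


def finding_kinds(body: str):
    """Just the indicator names, for a quick verdict on a body."""
    return {name for _, name in scan_body(body)}


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, scan_body(body))
```

Run against WAF or application access logs that retain request bodies, a single hit on simplexml_class or data_is_url in a customer-facing endpoint is worth investigating on its own, since neither name has any business appearing in legitimate checkout or account data; the DTD indicators alone can be noisier if customers paste XML into free-text fields.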

Official Fix & Remediation Guidance:

Adobe has released security update APSB24-40 (https://helpx.adobe.com/security/products/magento/apsb24-40.html) for Adobe Commerce, Magento Open Source and the Adobe Commerce Webhooks Plugin that resolves this vulnerability. Customers are advised to upgrade to the latest version of the impacted product; where an immediate upgrade is not possible, Adobe has also published an isolated hotfix for this CVE that can be applied to supported 2.4.x releases in the interim.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

CVE-2024-36401

Category: Injection

Versions Affected:

  • GeoServer prior to versions 2.23.6, 2.24.4 and 2.25.2 (the GeoServer releases that bundle the fixed GeoTools builds; in GeoTools’ own version numbering the fixes are in 29.6, 30.4 and 31.2)
  • All GeoServer instances running an unpatched version are affected, regardless of the data stores in use.

Vulnerability Summary:

The GeoTools library API that GeoServer calls passes property/attribute names to the commons-jxpath library, which supports running functions inside XPath expressions. XPath evaluation is intended to be used only for complex feature types (i.e. Application Schema data stores) but is incorrectly applied to simple feature types as well. Methods such as JXPathContext.getValue(path) and JXPathContext.iterate(path) are dangerous whenever user input reaches the path parameter, because the expression language can invoke arbitrary Java methods.

Because property names are unsafely evaluated as XPath expressions before being passed to JXPath, the GeoTools library API is vulnerable to “eval injection”, which in practice yields unauthenticated remote code execution on the GeoServer host, via multiple OGC request parameters: the vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.
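
An added log-review example in Python (not GeoServer's or GeoTools' code) that applies the rule the description implies: a property name should be a name, not an expression. It parses the query string of each access-log request, flags propertyName/valueReference values that do not look like plain (optionally namespaced, comma-separated) attribute names, and separately flags any query value that references Java classes, which JXPath's function support can reach. The log lines are constructed; the WMS and WPS vectors carry the expression in other parameters or in XML request bodies and are not covered by this check.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters that carry property names in the WFS request types named above.
PROPERTY_PARAMS = {"propertyname", "valuereference"}

# What a genuine (possibly namespaced, comma-separated) property name looks
# like. Brackets, quotes or spaces mean an expression, not a name.
PLAIN_NAME = re.compile(r"^[A-Za-z_][\w:./-]*(\s*,\s*[A-Za-z_][\w:./-]*)*$")

# JXPath extension functions can call into Java; no legitimate OGC client
# needs to name a java.* class or call exec() in a query parameter.
JAVA_REF = re.compile(r"java\.lang\.|getRuntime\s*\(|\bexec\s*\(", re.I)

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Constructed access-log lines (combined format) for the demonstration.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jul/2024:10:01:12 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 4120
198.51.100.7 - - [16/Jul/2024:10:02:45 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec%28java.lang.Runtime.getRuntime%28%29%2C%27id%27%29 HTTP/1.1" 200 512
203.0.113.10 - - [16/Jul/2024:10:03:02 +0000] "GET /geoserver/wms?service=WMS&version=1.1.1&request=GetMap&layers=topp:states&CQL_FILTER=PERSONS%20%3E%201000000&bbox=-125,24,-66,50&width=768&height=384&srs=EPSG:4326&format=image/png HTTP/1.1" 200 88120
"""


def analyse_request(target: str):
    """Return (parameter, reason) findings for one request target (path + query).
    parse_qs URL-decodes the values, so encoded brackets are seen as brackets."""
    findings = []
    query = urlsplit(target).query
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if param.lower() in PROPERTY_PARAMS and not PLAIN_NAME.match(value):
                findings.append((param, "not_a_plain_property_name"))
            if JAVA_REF.search(value):
                findings.append((param, "java_class_reference"))
    return findings


def analyse_log(text: str):
    """Run analyse_request over every request line; return (line_no, param, reason)."""
    results = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        for param, reason in analyse_request(match.group("target")):
            results.append((line_no, param, reason))
    return results


if __name__ == "__main__":
    for hit in analyse_log(SAMPLE_LOG):
        print(hit)
```

The first rule is the structural one and is the more durable of the two: it fires on any expression, whatever Java class or function the attacker chooses, while the java_class_reference rule only confirms the obvious cases. The third sample line shows the deliberate limitation: a CQL filter legitimately contains operators and parentheses, so it is not held to the property-name rule and the WMS path is not assessed here.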

Official Fix & Remediation Guidance:

Customers are advised to upgrade to the latest version of the impacted product. GeoServer versions 2.23.6, 2.24.4 and 2.25.2 contain a patch for the issue.

Download links: https://github.com/geoserver/geoserver/tags and https://github.com/geotools/geotools/tags

Alternatively, for the older release lines 2.25.1, 2.24.3, 2.24.2, 2.23.2, 2.21.5, 2.20.7, 2.20.4, 2.19.2 and 2.18.0, patched builds of the gt-app-schema, gt-complex and gt-xsd-core jar files can be downloaded from https://geoserver.org. Replace the corresponding files in WEB-INF/lib of the affected installation and restart GeoServer. As a last-resort workaround, the upstream advisory notes that removing the gt-complex jar from WEB-INF/lib removes the vulnerable code path, at the cost of breaking Application Schema functionality.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

To keep up to date with future high-profile patches for critical exploits from vendors including Microsoft and Google, add the next ‘Patch Tuesday’ to your calendar now – 13th August 2024.

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380
