Known Actively Exploited Vulnerabilities Round-up (31.05.24-06.06.24)

This article covers recent vulnerabilities found to be actively exploited. For each entry it gives the vulnerability category, the versions affected, a summary of the flaw and its impact, and the vendor's official fix and remediation guidance.

 

CVE-2024-4978

Category: Malware (Trojan Or Embedded Malicious Code)

 

Versions Affected:

  • Justice AV Solutions Viewer v8.3.7.250-1

 

Vulnerability Summary:

Justice AV Solutions (JAVS) Viewer version 8.3.7.250-1 shipped with a malicious binary embedded in its setup installer. The trojanised installer, JAVS Viewer Setup 8.3.7.250-1.exe, was hosted for download on the official JAVS website. When run, it drops a malicious executable named fffmpeg.exe into C:\Program Files (x86)\JAVS\Viewer 8\ on Windows.

fffmpeg.exe carries encoded PowerShell scripts, which it executes, and then maintains persistent communication with a command-and-control (C2) server using Windows sockets and WinHTTP requests. The malware appears to belong to the 'GateDoor' family, the Windows counterpart of the 'RustDoor' backdoor originally documented on macOS.

 

Official Fix & Remediation Guidance:

  • Completely re-image affected endpoints. Uninstalling the software is insufficient, and so is deleting the malicious binary: attackers may have implanted additional backdoors or malware, and only re-imaging to a clean OS install gives a trustworthy baseline.
  • Reset credentials for any accounts that were logged into affected endpoints. This covers local accounts on the endpoint itself and any remote accounts accessed from it during the period when JAVS Viewer 8.3.7 was installed, since attackers may have harvested credentials from compromised systems.

 

Users should install the latest version of JAVS Viewer (8.3.8 or higher) ONLY after affected systems have been re-imaged from bare metal. The download is available at http://support.javs.com/xwiki/bin/view/Products/Viewer%208/Software/Releases/
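The two remediation steps above (re-image every host that ever ran the trojanised build, reset every account that logged on while it was present) are easy to under-apply, for example by treating an upgraded host as clean. The following is an added triage helper, not JAVS's or AppCheck's code; the host names, install windows, logon records and the "8.3.8" version string are constructed sample data, and the only identifiers taken from the advisory are the affected version and the dropped binary path.

```python
"""Triage helper for the CVE-2024-4978 remediation steps: which hosts must be
re-imaged, and which accounts need a credential reset.

Added example, not part of the advisory. Hosts, windows, logons and the
"8.3.8" placeholder version are constructed; logon tuples stand in for
Windows Security event ID 4624 records exported from each endpoint."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

AFFECTED_VERSION = "8.3.7.250-1"  # trojanised build named in the advisory
DROPPED_BINARY = r"C:\Program Files (x86)\JAVS\Viewer 8\fffmpeg.exe"


@dataclass
class Host:
    name: str
    installed_version: str | None  # None if JAVS Viewer is not currently installed
    files: set[str]                # files observed under the JAVS install directory
    # Interval during which 8.3.7.250-1 was present, if it ever was.
    # An end of None means it is still installed.
    affected_window: tuple[datetime, datetime | None] | None
    logons: list[tuple[str, datetime]]  # (account, logon time)


def needs_reimage(host: Host) -> bool:
    """Compromised if the trojanised build is or ever was installed, or if the
    backdoor binary is on disk. Uninstalling or upgrading does not clear the
    host, so the historical window counts as much as the current version."""
    if host.installed_version == AFFECTED_VERSION:
        return True
    if any(f.lower() == DROPPED_BINARY.lower() for f in host.files):
        return True
    return host.affected_window is not None


def accounts_to_reset(host: Host) -> set[str]:
    """Accounts (local, e.g. HOSTNAME\\user, or domain, e.g. DOMAIN\\user) that
    logged on while the backdoor could have been running on this host."""
    if not needs_reimage(host):
        return set()
    if host.affected_window is None:
        # Binary present but no install record: assume the whole logon history.
        start, end = datetime.min, datetime.max
    else:
        start, end = host.affected_window
        end = end or datetime.max
    return {acct for acct, when in host.logons if start <= when <= end}


def triage(hosts: list[Host]) -> tuple[list[str], set[str]]:
    reimage = [h.name for h in hosts if needs_reimage(h)]
    resets: set[str] = set()
    for h in hosts:
        resets |= accounts_to_reset(h)
    return reimage, resets


# Constructed sample inventory.
SAMPLE_HOSTS = [
    # Still running the trojanised build; backdoor present on disk.
    Host("court-pc-01", AFFECTED_VERSION, {DROPPED_BINARY},
         (datetime(2024, 3, 1), None),
         [("COURT-PC-01\\clerk", datetime(2024, 3, 5)),
          ("CORP\\jsmith", datetime(2024, 4, 10)),
          ("CORP\\admin.backup", datetime(2024, 2, 1))]),  # before the window
    # Upgraded and fffmpeg.exe deleted: still needs a rebuild.
    Host("court-pc-02", "8.3.8", set(),
         (datetime(2024, 2, 15), datetime(2024, 4, 15)),
         [("CORP\\jsmith", datetime(2024, 3, 20)),
          ("CORP\\svc-av", datetime(2024, 5, 1))]),  # after the window
    # Never had the affected build.
    Host("court-pc-03", "8.3.8", set(), None,
         [("CORP\\alice", datetime(2024, 3, 3))]),
]

if __name__ == "__main__":
    reimage, resets = triage(SAMPLE_HOSTS)
    print("re-image:", reimage)
    print("reset credentials:", sorted(resets))
```

The deliberate point of court-pc-02 is that a host which has since been upgraded and had the binary removed is still on the re-image list and still contributes accounts to the reset list; a credential that was used on any flagged host during its window is reset once, however many hosts it touched.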

 

 

CVE-2017-3506

Category: Command Injection

 

Versions Affected:

Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2.

 

Vulnerability Summary:

An OS command injection vulnerability exists in the Oracle WebLogic Server component of Oracle Fusion Middleware. The product builds all or part of an OS command from externally influenced input received from an upstream component without neutralising the special elements that can alter the intended command when it is passed to a downstream component.

Specifically, the application fails to properly sanitise XML content sent to the Web Services Atomic Transactions (WS-AT) endpoints under /wls-wsat/, such as /wls-wsat/RegistrationRequesterPortType. The XML is passed to java.beans.XMLDecoder through the constructor and read functions of the WorkContextXmlInputAdapter class, so attacker-controlled XML can instantiate arbitrary Java objects on the server, which is what yields remote command execution.

Possible entry points include at least the below:

  • /wls-wsat/RegistrationPortTypeRPC
  • /wls-wsat/ParticipantPortType
  • /wls-wsat/RegistrationRequesterPortType
  • /wls-wsat/CoordinatorPortType11
  • /wls-wsat/RegistrationPortTypeRPC11
  • /wls-wsat/ParticipantPortType11
  • /wls-wsat/RegistrationRequesterPortType11
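Because the entry points are plain HTTP paths, the quickest way to find exploitation attempts or to confirm that a server no longer exposes them is to look at the WebLogic HTTP access log, which uses the Common Log Format by default. The following is an added example, not Oracle's or AppCheck's code: it flags every request under /wls-wsat/ (the list above is explicitly not exhaustive, so unlisted names are flagged too) and generates the URLs to probe during a post-patch exposure check. The log lines, IP addresses and the UnlistedPortType name are constructed sample data.

```python
"""Spot requests to WebLogic's WLS-WSAT endpoints in HTTP access logs.

Added example for the CVE-2017-3506 entry; not Oracle's or AppCheck's code.
The endpoint names are the ones listed above; the log lines, addresses and
the "UnlistedPortType" name are constructed samples."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Entry points named in the advisory. Anything else under /wls-wsat/ is still
# flagged, because that list is explicitly "at least".
WSAT_ENDPOINTS = {
    "RegistrationPortTypeRPC", "ParticipantPortType", "RegistrationRequesterPortType",
    "CoordinatorPortType11", "RegistrationPortTypeRPC11", "ParticipantPortType11",
    "RegistrationRequesterPortType11",
}

# WebLogic's default HTTP access log is Common Log Format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify(line: str) -> dict | None:
    """Return a finding for a request under /wls-wsat/, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"]).path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "wls-wsat":
        return None
    endpoint = parts[1]
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "method": m["method"],
        "endpoint": endpoint,
        "listed": endpoint in WSAT_ENDPOINTS,
        # The malicious XML arrives in a SOAP POST body; GETs (typically ?wsdl)
        # are reconnaissance. The status code alone does not say whether the
        # request succeeded, so treat every soap-post as worth investigating.
        "kind": "soap-post" if m["method"] == "POST" else "probe",
        "status": int(m["status"]),
    }


def scan(lines: list[str]) -> list[dict]:
    return [f for f in (classify(line) for line in lines) if f is not None]


def probe_urls(base: str) -> list[str]:
    """URLs to request when checking whether a server still serves the WSAT
    endpoints after patching or after filtering /wls-wsat/ at the proxy."""
    return [f"{base.rstrip('/')}/wls-wsat/{ep}?wsdl" for ep in sorted(WSAT_ENDPOINTS)]


# Constructed sample access log: WSDL reconnaissance, then a POST, then noise.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2024:10:14:58 +0000] "GET /wls-wsat/CoordinatorPortType11?wsdl HTTP/1.1" 200 5678',
    '203.0.113.5 - - [03/Jun/2024:10:15:01 +0000] "POST /wls-wsat/CoordinatorPortType11 HTTP/1.1" 500 1234',
    '198.51.100.7 - - [03/Jun/2024:10:20:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4321',
    '203.0.113.9 - - [03/Jun/2024:10:21:00 +0000] "POST /wls-wsat/UnlistedPortType HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    for url in probe_urls("https://wls.example.com:7001"):
        print(url)
```

A GET with ?wsdl followed within seconds by a POST to the same endpoint from the same address is the usual shape of an automated attempt; the 404 on the unlisted name is still recorded, since an attacker probing names the advisory did not enumerate is exactly the case the "at least" wording covers.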

 

 

Official Fix & Remediation Guidance:

Oracle released a Critical Patch Update that fixes this issue. Customers are advised to upgrade to the latest version of the impacted product. Oracle customers can access the patch by logging in at https://support.oracle.com/epmos/faces/DocumentDisplay?id=2228898.1.

NOTE: The initial vendor patch for this CVE was incomplete: CVE-2017-10271 is a bypass of that fix, so ensure systems are also patched against CVE-2017-10271.

NOTE: Patching to the specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered after this guidance was published. Unless there is a specific reason not to, customers are therefore advised to always upgrade to the latest version of the product available.

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network, and cloud infrastructure. AppCheck are authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
