Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 30 and Oct. 7.

Threat Roundup for September 30 to October 7

tiny-csrf is a Node.js cross site request forgery (CSRF) protection middleware. In versions prior to 1.1.0 cookies were not encrypted and thus CSRF tokens were transmitted in the clear. This issue has been addressed in commit `8eead6d` and the patch with be included in version 1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.

**Package**

npm tiny-csrf (npm)

**Affected versions**

<1.1.0

**Patched versions**

1.1.0

**Description**

**Impact**

Weak encryption on CSRF so tokens can be read by malicious attackers.

**Patches**

Problems have been patched as of v1.1.0

**Workarounds**

Upgrade to v1.1.0

**References**

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site\_Request\_Forgery\_Prevention\_Cheat\_Sheet.html

**For more information**

Submit an issue at the github repo

CVE-2022-39287: Openly visible CSRF tokens in versions prior to v1.1.0

A cross-site scripting (XSS) vulnerability in TotalJS commit 8c2c8909 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website name text field under Main Settings.

Tested version: 8c2c8909 (latest)

Steps to reproduce the vulnerability:

*   Login in the application.
*   Set " <script>alert(document.domain)</script> as website name.
*   Fill other required fields with random values and save.
*   Then just visit the admin dashboard and the alert will fire.

Each time a target will visit the dashboard the payload will fire, even if the target is not logged in! Since the wesbite redirects to /admin/ presenting the login form, but the payload is reflected also there.

In order to test this, just click logout and reload the page.

CVE-2022-41392: [Security] Stored XSS  · Issue #38 · totaljs/cms

Two cross-site scripting vulnerabilities were fixed in Bodhi 5.6.1.

CVE-2020-15855: bodhi Changelog - pyup.io

The group has been operating for over a year, promoting their tools in hacking forums, stealing credit card information, and using typosquatting techniques to target open source software flaws.

The LofyGang threat group is using more than 200 malicious NPM packages with thousands of installations to steal credit card data, and gaming and streaming accounts, before spreading stolen credentials and loot in underground hacking forums.

According to a report from Checkmarx, the cyberattack group has been in operation since 2020, infecting open source supply chains with malicious packages in an effort to weaponize software applications.

The research team believes the group may have Brazilian origins, owing to the use of Brazilian Portuguese and a file called "brazil.js." which contained malware found in a couple of their malicious packages.

The report also details the group's tactic of leaking thousands of Disney+ and Minecraft accounts to an underground hacking community using the alias DyPolarLofy and promoting their hacking tools via GitHub.

"We saw several classes of malicious payloads, general password stealers, and Discord-specific persistent malware; some were embedded inside the package, and some downloaded the malicious payload during runtime from C2 servers," the Friday report noted.

**LofyGang Operates With Impunity**

The group has deployed tactics including typosquatting, which targets typing mistakes in the open source supply chain, as well as "StarJacking," whereby the package's GitHub repo URL is linked to an unrelated legitimate GitHub project.

"The package managers do not validate the accuracy of this reference, and we see attackers take advantage of that by stating their package's Git repository is legitimate and popular, which may trick the victim into thinking this is a legitimate package due to its so-called popularity," the report stated.

The ubiquity and success of open source software has made it a ripe target for malicious actors like LofyGang, explains Jossef Harush, head of Checkmarx's supply chain security engineering group.

He sees LofyGang's key characteristics as including its ability to build a large hacker community, abusing legitimate services as command-and-control (C2) servers, and its efforts in poisoning the open source ecosystem.

This activity continues even after three different reports — from Sonatype, Securelist, and jFrog — uncovered LofyGang's malicious efforts.

"They remain active and continue to publish malicious packages in the software supply chain arena," he says.

By publishing this report, Harush says he hopes to raise awareness of the evolution of attackers, who are now building communities with open source hack tools.

"Attackers count on victims to not pay enough attention to the details," he adds. "And honestly, even I, with years of experience, would potentially fall for some of those tricks as they seem like legitimate packages to the naked eye."

**Open Source Not Built for Security**

Harush points out that unfortunately the open source ecosystem was not built for security.

"While anybody can sign up and publish an open source package, no vetting process is in place to check if the package contains malicious code," he says.

A recent report from software-security firm Snyk and the Linux Foundation revealed about half of firms have an open source software security policy in place to guide developers in the use of components and frameworks.

However, the report also found that those who have such policies in place generally exhibit better security — Google is making available its process of vetting and patching software for security issues to help close avenues to hackers.

"We see attackers take advantage of this because it's super easy to publish malicious packages," he explains. "The lack of vetting powers in disguising the packages to appear legit with stolen images, similar names, or even referencing other legitimate Git projects' websites just to see they get the other projects' stars amount on their malicious packages pages."

**Heading Toward Supply Chain Attacks?**

From Harush's perspective, we're reaching the point where attackers realize the full potential of the open source supply chain attack surface.

"I expect open source supply chain attacks to evolve further into attackers aiming to steal not only the victim's credit card, but also the victim's workplace credentials, such as a GitHub account, and from there, aim for the bigger jackpots of software supply chain attacks," he says.

This would include the ability to access a workplace's private code repositories, with the capability to contribute code while impersonating the victim, planting backdoors in enterprise grade software, and more.

"Organizations can protect themselves by properly enforcing their developers with two-factor authentication, educate their software developers to not assume popular open source packages are safe if they appear to have many downloads or stars," Harush adds, "and to be vigilant to suspicious activities in software packages."

LofyGang Uses 100s of Malicious NPM Packages to Poison Open Source Software

Red Hat Security Advisory 2022-6838-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: expat security update  
Advisory ID:       RHSA-2022:6838-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6838  
Issue date:        2022-10-06  
CVE Names:         CVE-2022-40674  
====================================================================  
1. Summary:

An update for expat is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Expat is a C library for parsing XML documents.

Security Fix(es):

* expat: a use-after-free in the doContent function in xmlparse.c  
(CVE-2022-40674)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, applications using the Expat library  
must be restarted for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:  
expat-debuginfo-2.2.10-12.el9_0.3.aarch64.rpm  
expat-debugsource-2.2.10-12.el9_0.3.aarch64.rpm  
expat-devel-2.2.10-12.el9_0.3.aarch64.rpm

ppc64le:  
expat-debuginfo-2.2.10-12.el9_0.3.ppc64le.rpm  
expat-debugsource-2.2.10-12.el9_0.3.ppc64le.rpm  
expat-devel-2.2.10-12.el9_0.3.ppc64le.rpm

s390x:  
expat-debuginfo-2.2.10-12.el9_0.3.s390x.rpm  
expat-debugsource-2.2.10-12.el9_0.3.s390x.rpm  
expat-devel-2.2.10-12.el9_0.3.s390x.rpm

x86_64:  
expat-debuginfo-2.2.10-12.el9_0.3.i686.rpm  
expat-debuginfo-2.2.10-12.el9_0.3.x86_64.rpm  
expat-debugsource-2.2.10-12.el9_0.3.i686.rpm  
expat-debugsource-2.2.10-12.el9_0.3.x86_64.rpm  
expat-devel-2.2.10-12.el9_0.3.i686.rpm  
expat-devel-2.2.10-12.el9_0.3.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
expat-2.2.10-12.el9_0.3.src.rpm

aarch64:  
expat-2.2.10-12.el9_0.3.aarch64.rpm  
expat-debuginfo-2.2.10-12.el9_0.3.aarch64.rpm  
expat-debugsource-2.2.10-12.el9_0.3.aarch64.rpm

ppc64le:  
expat-2.2.10-12.el9_0.3.ppc64le.rpm  
expat-debuginfo-2.2.10-12.el9_0.3.ppc64le.rpm  
expat-debugsource-2.2.10-12.el9_0.3.ppc64le.rpm

s390x:  
expat-2.2.10-12.el9_0.3.s390x.rpm  
expat-debuginfo-2.2.10-12.el9_0.3.s390x.rpm  
expat-debugsource-2.2.10-12.el9_0.3.s390x.rpm

x86_64:  
expat-2.2.10-12.el9_0.3.i686.rpm  
expat-2.2.10-12.el9_0.3.x86_64.rpm  
expat-debuginfo-2.2.10-12.el9_0.3.i686.rpm  
expat-debuginfo-2.2.10-12.el9_0.3.x86_64.rpm  
expat-debugsource-2.2.10-12.el9_0.3.i686.rpm  
expat-debugsource-2.2.10-12.el9_0.3.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYz9BEdzjgjWX9erEAQgpEw//SAVaBRrOgFmB37H+zj9VIGGk+//euxLS  
eXo9/Yn+ysPrdDzSVMxPVoiUY7oyNmuf1tDhacy8p90ZJ+SqpbL2pqAxcVMgq0TF  
8ZMYh54aYp6UM559jonyw8vybrp9YA1LEas3PpctLESErqoM7zLD40oxG0f/o9ly  
K5ezEmbWtdRbkHGbx0waQEZdRinVVtRCnLU8tjRjaTl7/3129O9Qa8qYMhAx4IB4  
pCL8ZCSwFGeQ4va0vHZkcw1x2Qx5WVrFbRV68AYTV/ISGh/bQtPUT+Zk1y/KZKwy  
LQmjw4nX1I8Zpue4+yddOaApdlpTk5CSWkAIUDJOtm/GiKF/nKn6tkZm+LgobpSP  
bUaipq+MbDDsNlnL5vFYob1aqdGvCPh6CKDpbJ2zFFF8dEKMzp4ugJAOD1IVECk0  
5GUwLjo2TuMNJkARQYlZrWkgt5SDt+Rev1tJ4c+GoUiXG2BNzvPG3od+nPUfJEId  
NMDQ5wnyOdXrNV4bDp2A8E4B523YbeaMZ0hbT9k+A7n4ICJMfcxLdwYWR4Eefq7S  
rWHFYDEmrhFUCaB8CwS7yeCkig4xhHY2PeDTjSyorCkQ4hWdKWrhZLT4qEs0ZcQ0  
rTwCDyF0nu4d0V4jMb+gg1GVLFj4I6bhSSGCMf0phGIBF2nwLKuiBbzEPU4S1I1J  
v9xf4LYIGu8=wW9n  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6838-01

Red Hat Security Advisory 2022-6834-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: expat security update  
Advisory ID:       RHSA-2022:6834-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6834  
Issue date:        2022-10-06  
CVE Names:         CVE-2022-40674  
====================================================================  
1. Summary:

An update for expat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Expat is a C library for parsing XML documents.

Security Fix(es):

* expat: a use-after-free in the doContent function in xmlparse.c  
(CVE-2022-40674)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, applications using the Expat library  
must be restarted for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
expat-2.1.0-15.el7_9.src.rpm

x86_64:  
expat-2.1.0-15.el7_9.i686.rpm  
expat-2.1.0-15.el7_9.x86_64.rpm  
expat-debuginfo-2.1.0-15.el7_9.i686.rpm  
expat-debuginfo-2.1.0-15.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
expat-debuginfo-2.1.0-15.el7_9.i686.rpm  
expat-debuginfo-2.1.0-15.el7_9.x86_64.rpm  
expat-devel-2.1.0-15.el7_9.i686.rpm  
expat-devel-2.1.0-15.el7_9.x86_64.rpm  
expat-static-2.1.0-15.el7_9.i686.rpm  
expat-static-2.1.0-15.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
expat-2.1.0-15.el7_9.src.rpm

x86_64:  
expat-2.1.0-15.el7_9.i686.rpm  
expat-2.1.0-15.el7_9.x86_64.rpm  
expat-debuginfo-2.1.0-15.el7_9.i686.rpm  
expat-debuginfo-2.1.0-15.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:  
expat-debuginfo-2.1.0-15.el7_9.i686.rpm  
expat-debuginfo-2.1.0-15.el7_9.x86_64.rpm  
expat-devel-2.1.0-15.el7_9.i686.rpm  
expat-devel-2.1.0-15.el7_9.x86_64.rpm  
expat-static-2.1.0-15.el7_9.i686.rpm  
expat-static-2.1.0-15.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
expat-2.1.0-15.el7_9.src.rpm

ppc64:  
expat-2.1.0-15.el7_9.ppc.rpm  
expat-2.1.0-15.el7_9.ppc64.rpm  
expat-debuginfo-2.1.0-15.el7_9.ppc.rpm  
expat-debuginfo-2.1.0-15.el7_9.ppc64.rpm  
expat-devel-2.1.0-15.el7_9.ppc.rpm  
expat-devel-2.1.0-15.el7_9.ppc64.rpm

ppc64le:  
expat-2.1.0-15.el7_9.ppc64le.rpm  
expat-debuginfo-2.1.0-15.el7_9.ppc64le.rpm  
expat-devel-2.1.0-15.el7_9.ppc64le.rpm

s390x:  
expat-2.1.0-15.el7_9.s390.rpm  
expat-2.1.0-15.el7_9.s390x.rpm  
expat-debuginfo-2.1.0-15.el7_9.s390.rpm  
expat-debuginfo-2.1.0-15.el7_9.s390x.rpm  
expat-devel-2.1.0-15.el7_9.s390.rpm  
expat-devel-2.1.0-15.el7_9.s390x.rpm

x86_64:  
expat-2.1.0-15.el7_9.i686.rpm  
expat-2.1.0-15.el7_9.x86_64.rpm  
expat-debuginfo-2.1.0-15.el7_9.i686.rpm  
expat-debuginfo-2.1.0-15.el7_9.x86_64.rpm  
expat-devel-2.1.0-15.el7_9.i686.rpm  
expat-devel-2.1.0-15.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:  
expat-debuginfo-2.1.0-15.el7_9.ppc.rpm  
expat-debuginfo-2.1.0-15.el7_9.ppc64.rpm  
expat-static-2.1.0-15.el7_9.ppc.rpm  
expat-static-2.1.0-15.el7_9.ppc64.rpm

ppc64le:  
expat-debuginfo-2.1.0-15.el7_9.ppc64le.rpm  
expat-static-2.1.0-15.el7_9.ppc64le.rpm

s390x:  
expat-debuginfo-2.1.0-15.el7_9.s390.rpm  
expat-debuginfo-2.1.0-15.el7_9.s390x.rpm  
expat-static-2.1.0-15.el7_9.s390.rpm  
expat-static-2.1.0-15.el7_9.s390x.rpm

x86_64:  
expat-debuginfo-2.1.0-15.el7_9.i686.rpm  
expat-debuginfo-2.1.0-15.el7_9.x86_64.rpm  
expat-static-2.1.0-15.el7_9.i686.rpm  
expat-static-2.1.0-15.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
expat-2.1.0-15.el7_9.src.rpm

x86_64:  
expat-2.1.0-15.el7_9.i686.rpm  
expat-2.1.0-15.el7_9.x86_64.rpm  
expat-debuginfo-2.1.0-15.el7_9.i686.rpm  
expat-debuginfo-2.1.0-15.el7_9.x86_64.rpm  
expat-devel-2.1.0-15.el7_9.i686.rpm  
expat-devel-2.1.0-15.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
expat-debuginfo-2.1.0-15.el7_9.i686.rpm  
expat-debuginfo-2.1.0-15.el7_9.x86_64.rpm  
expat-static-2.1.0-15.el7_9.i686.rpm  
expat-static-2.1.0-15.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYz7sqdzjgjWX9erEAQjxyA//VKee7fxyq3Bih4oJvm9Lexgt4hgej3nR  
fJvpW6n+WTV6RRGtSSD37Lif1kav3bFiQBI4u2ZDrfEQ6ZETIcl6wKANdMI4zxYk  
Nh1CAxuWtnJsqQqu4pyViMT5pP5UgbO0suKps2TSTjq7f2Hok0IkLjEhqFlrfBA1  
owK2Pk6OltAvGKqLJuV9+MIgFGZNei5vuHCQwYS3V+CGXZpAnWwfRt69S2vRAOb0  
CB5eR4yF+IGn3eEebkArFEF97eGR9kqS4o63etEqMdoQ70FaPJKe9YM/y41Q/4gV  
/gD5H6caQk6ShO/O4UmabTw5TeiKzl7tJMxdYTd3rpBEZFNQiye45++4YY64+z0o  
uSNST+1PSz/8o+3XrpFKzs//ePLhYttC9/mLIIcVnrO1l3HTwKCP5rylMb/E3pJS  
Hc4QEUMw6orsFzNpMVtN9uiX23/Xzy1W4avKxlKSyf3PraXhiwz/GOz0R7mtaOKZ  
xH/8Pt3qKbOsCtmTx/SYx2ALqOm3jEC5s3zXfWjoFM6Um7wLYu1U2uWeuMHk5Hsu  
A2OADrOyY/88JODsLsugVVpvrAX0LrY8GOdXM1ZVRb2URdYL51bfQyEf2YEewplx  
x06H6MonBt/ZjLC4fba+v/yeM9TvdcDd7M7SgfEqwBniFhyTLUBWab00AR4t8ngY  
J17i8lcjGUc=IVzO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6834-01

Red Hat Security Advisory 2022-6835-01 - This release of Red Hat Integration - Service registry 2.3.0.GA serves as a replacement for 2.0.3.GA, and includes the below security fixes. Issues addressed include code execution, cross site scripting, denial of service, deserialization, and privilege escalation vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Service Registry (container images) release and security update [2.3.0.GA]  
Advisory ID:       RHSA-2022:6835-01  
Product:           Red Hat Integration  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6835  
Issue date:        2022-10-06  
CVE Names:         CVE-2021-22569 CVE-2021-37136 CVE-2021-37137  
                   CVE-2021-41269 CVE-2022-0235 CVE-2022-0536  
                   CVE-2022-0981 CVE-2022-21724 CVE-2022-23647  
                   CVE-2022-24771 CVE-2022-24772 CVE-2022-24773  
                   CVE-2022-25647 CVE-2022-25857 CVE-2022-25858  
                   CVE-2022-26520 CVE-2022-31129 CVE-2022-37734  
====================================================================  
1. Summary:

An update to the images for Red Hat Integration Service Registry is now  
available from the Red Hat Container Catalog. The purpose of this text-only  
errata is to inform you about the security issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

This release of Red Hat Integration - Service registry 2.3.0.GA serves as a  
replacement for 2.0.3.GA, and includes the below security fixes.

Security Fix(es):

* cron-utils: template Injection leading to unauthenticated Remote Code  
Execution (CVE-2021-41269)

* prismjs: improperly escaped output allows a XSS (CVE-2022-23647)

* snakeyaml: Denial of Service due missing to nested depth limitation for  
collections (CVE-2022-25857)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* protobuf-java: potential DoS in the parsing procedure for binary data  
(CVE-2021-22569)

* quarkus: privilege escalation vulnerability with RestEasy Reactive scope  
leakage in Quarkus (CVE-2022-0981)

* quarkus-jdbc-postgresql-deployment: jdbc-postgresql: Unchecked Class  
Instantiation when providing Plugin Classes (CVE-2022-21724)

* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may  
buffer skippable chunks in an unnecessary way (CVE-2021-37137)

* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for  
decompressed data (CVE-2021-37136)

* node-fetch: exposure of sensitive information to an unauthorized actor  
(CVE-2022-0235)

* follow-redirects: Exposure of Sensitive Information via Authorization  
Header leak (CVE-2022-0536)

* jdbc-postgresql: postgresql-jdbc: Arbitrary File Write Vulnerability  
(CVE-2022-26520)

* node-forge: Signature verification leniency in checking `digestAlgorithm`  
structure can lead to signature forgery (CVE-2022-24771)

* node-forge: Signature verification failing to check tailing garbage bytes  
can lead to signature forgery (CVE-2022-24772)

* node-forge: Signature verification leniency in checking `DigestInfo`  
structure (CVE-2022-24773)

* com.google.code.gson-gson: Deserialization of Untrusted Data in  
com.google.code.gson-gson (CVE-2022-25647)

* terser: insecure use of regular expressions leads to ReDoS  
(CVE-2022-25858)

* graphql-java: DoS by malicious query (CVE-2022-37734)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data  
2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way  
2024632 - CVE-2021-41269 cron-utils: template Injection leading to unauthenticated Remote Code Execution  
2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data  
2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor  
2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes  
2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak  
2056643 - CVE-2022-23647 prismjs: improperly escaped output allows a XSS  
2062520 - CVE-2022-0981 quarkus: privilege escalation vulnerability with RestEasy Reactive scope leakage in Quarkus  
2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability  
2067387 - CVE-2022-24771 node-forge: Signature verification leniency in checking `digestAlgorithm` structure can lead to signature forgery  
2067458 - CVE-2022-24772 node-forge: Signature verification failing to check tailing garbage bytes can lead to signature forgery  
2067461 - CVE-2022-24773 node-forge: Signature verification leniency in checking `DigestInfo` structure  
2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS  
2126277 - CVE-2022-25858 terser: insecure use of regular expressions leads to ReDoS  
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections  
2126809 - CVE-2022-37734 graphql-java: DoS by malicious query

5. References:

https://access.redhat.com/security/cve/CVE-2021-22569  
https://access.redhat.com/security/cve/CVE-2021-37136  
https://access.redhat.com/security/cve/CVE-2021-37137  
https://access.redhat.com/security/cve/CVE-2021-41269  
https://access.redhat.com/security/cve/CVE-2022-0235  
https://access.redhat.com/security/cve/CVE-2022-0536  
https://access.redhat.com/security/cve/CVE-2022-0981  
https://access.redhat.com/security/cve/CVE-2022-21724  
https://access.redhat.com/security/cve/CVE-2022-23647  
https://access.redhat.com/security/cve/CVE-2022-24771  
https://access.redhat.com/security/cve/CVE-2022-24772  
https://access.redhat.com/security/cve/CVE-2022-24773  
https://access.redhat.com/security/cve/CVE-2022-25647  
https://access.redhat.com/security/cve/CVE-2022-25857  
https://access.redhat.com/security/cve/CVE-2022-25858  
https://access.redhat.com/security/cve/CVE-2022-26520  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/cve/CVE-2022-37734  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYz7stNzjgjWX9erEAQiCEQ/+OPmlKRufUR1D+rRvhWHeBMxdJ9NMoaMm  
rV3uH/FIiBLFSYWXgTY8gb53BVsZHEPfZ6G3ol70iyOjDbXazQsYBuhg/9RMLmz9  
+J1yK5sSeE9HyisYbYdHuuGIKpEMGXp78NP1rlwBEgyFrkY8pJHSdv/Fc87f2B3Z  
VeExd/Zvdcj5M4/ZmCin1yNALPKlhnbp9+9MGvcLufJUsXxOKPrQVCYMgWVWc0Wc  
aNRm4y8FBOnYrB9FeA2BBYEpmBrRK8G8OsoebuqaBvKAvytVV/NSiOMKsdaGD9WL  
XeLPl5XE3rpEVeUEH4aEjdHe6weLk/sjst335xgWI7QHZT/gjZxmxza2TBGgIkRJ  
yBT/n63geWAkaTXUCP0oepJDPKAio6B/CFVzTZS8jqO/0rDDvHIZN94nhceqamW3  
GC5gha56Pk+qcw3sArvtu0G72wY5O/+/kxp0mV+sWczIIlbS7FlkG+sxl5uHo3+M  
DDBOMwNROI6bInBxnBD4GWMepW40cGaAXt1HN/1NVaZq0mw4cdyulOMJfPpJGQK5  
IGS+TnvZn86p3cZysR3eMuaPzFG9U8vnaAw8enRmiJ6wG3NFkklIRelO7fEF8n3R  
drGnqa8gB589c9x3QUurBytdDxYWd2T71TOTyMFdTI9NtOAeuIvX+6lDj0BOftH3  
Jnw+PamuYNcÌnF  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6835-01

Red Hat Security Advisory 2022-6833-01 - Expat is a C library for parsing XML documents. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: expat security update  
Advisory ID:       RHSA-2022:6833-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6833  
Issue date:        2022-10-06  
CVE Names:         CVE-2022-40674  
====================================================================  
1. Summary:

An update for expat is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

Expat is a C library for parsing XML documents.

Security Fix(es):

* expat: a use-after-free in the doContent function in xmlparse.c  
(CVE-2022-40674)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, applications using the Expat library  
must be restarted for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:  
expat-2.2.5-3.el8_1.2.src.rpm

aarch64:  
expat-2.2.5-3.el8_1.2.aarch64.rpm  
expat-debuginfo-2.2.5-3.el8_1.2.aarch64.rpm  
expat-debugsource-2.2.5-3.el8_1.2.aarch64.rpm  
expat-devel-2.2.5-3.el8_1.2.aarch64.rpm

ppc64le:  
expat-2.2.5-3.el8_1.2.ppc64le.rpm  
expat-debuginfo-2.2.5-3.el8_1.2.ppc64le.rpm  
expat-debugsource-2.2.5-3.el8_1.2.ppc64le.rpm  
expat-devel-2.2.5-3.el8_1.2.ppc64le.rpm

s390x:  
expat-2.2.5-3.el8_1.2.s390x.rpm  
expat-debuginfo-2.2.5-3.el8_1.2.s390x.rpm  
expat-debugsource-2.2.5-3.el8_1.2.s390x.rpm  
expat-devel-2.2.5-3.el8_1.2.s390x.rpm

x86_64:  
expat-2.2.5-3.el8_1.2.i686.rpm  
expat-2.2.5-3.el8_1.2.x86_64.rpm  
expat-debuginfo-2.2.5-3.el8_1.2.i686.rpm  
expat-debuginfo-2.2.5-3.el8_1.2.x86_64.rpm  
expat-debugsource-2.2.5-3.el8_1.2.i686.rpm  
expat-debugsource-2.2.5-3.el8_1.2.x86_64.rpm  
expat-devel-2.2.5-3.el8_1.2.i686.rpm  
expat-devel-2.2.5-3.el8_1.2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYz7sntzjgjWX9erEAQilzg/9G0hBlNyYGAOEQ2Wd1hoaviKz1x8xQSjk  
6Yp8hYteJ8barDPVG6ZSkOzK0EgwOU2BZem6D8s4jTF3SjYokQlC5qleON1kbV6v  
uegK8apoBsByZZVbpL3ioMcwT0jvoMJkmUhOrQmd8ijnWWBcQsmwVBCP8ej/YJcd  
ugtcxE9GIaXt/KCDg04ly+NaB21Ej2bvHC9IglajZyFglLESCs9aufQcEUIyyYN5  
KHjLdIxmUvs61FsROSB4GH22OABH6v7JAZwIQB3bVr1HVSpU6eUU2ug+DN/sELtk  
0wLZWTUk09V6I2uzF3Og40qsOUmgik5CSbeNrP5j/QAYz7Fys2HYs+ybx9zIMmlw  
t72+MCZO911IxV+CV2ev5qjluOgDcNDWJJVsvjSdiMpsK6d1xe7t224MYqHJLV5v  
93fRMoL//MmF0OMcgNrR8ijooUq1WrxJBIjQQ+imyNezvjevYPnWcl2sfTJIBZAH  
UHblj3RmjTmg9qEl/hxsWqYO+7o7CqzJ49nPxAzvu/F6SKR56SRZwsZnLt/awXLD  
SfO2ff2jZA7Ruq5kvfspzh9EYlsz4117uRlm4jtYXCtnlsR43v3bDPw50oTEgTvm  
OJMkFOVAN5uVSPttPacD0JaIDpeV26ofSakXknA4+lwle9hP1enX5nQ3qkne06Dq  
7vR0gnLs+t4=0lxG  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6833-01

Public disclosure, a talk, and a blog post later, the RCE exploit remains unresolved

Public disclosure, a talk, and a blog post later, the RCE exploit remains unresolved

Despite a researcher’s best efforts at disclosure, the maintainers of the WebPageTest project appear to be ignoring a severe remote code execution (RCE) vulnerability.

In a blog post dated September 23, ManoMano researcher Louka “Laluka” Jacques-Chevallier discussed his discovery of a pre-authentication RCE vulnerability in the open source project WebPageTest.

The research has also been the subject of a talk at DEFCON Paris.

Catch up with the latest security research and analysis

Developed by Catchpoint, WebPageTest is a tool dating back to the days of dial-up modems and the 1990s, which has evolved to become a utility to check the speed and performance of website code for optimization purposes.

According to the researcher, this software has been “prone” to security issues in the past, including a lack of updates to code and containers, outdated components which remained unpatched against known vulnerabilities, and the “intensive use of smelly PHP code”.

The latest stable release of WebPageTest, v22.01, was published in October 2021.

Server-side request forgery (SSRF) vulnerabilities, bugs that allow attackers to make successful requests via a server-side application to an unintended location or resource, have been found in WebPageTest in the past.

A newly discovered SSRF flaw was the focus of Laluka’s research.

After examining the software’s source code and carrying out both crawling and fuzzing tests, Laluka discovered an SSRF vulnerability in under 15 minutes. The SSRF was limited to an HTTP scheme, but the underlying code held more surprises for the cybersecurity researcher.

**Under the microscope**

Upon closer inspection Laluka uncovered a range of issues, including PHP code that could trigger a payload by including a slash in a path, file write bugs, and sanitization failures. Eventually, the researcher was able to push a command injection, create a reverse shell, exploit JSON file jobs, and achieve RCE.

It may also be possible to exploit the RCE if the Beanstalkd work queue engine is in use. While not present in default configurations, Laluka says that the SSRF and command injection issues could be exploited to inject a new, malicious job and force the worker to use the file.

The researcher found the first SSRF bug on April 15, and by May 25, verified the full RCE exploit chain. Laluka contacted the vendor on June 15, and although Catchpoint responded, the lines of communication were described as “pretty tedious”.

**‘Open bag’**

Despite providing the technical details of the issue and a video Proof-of-Concept (PoC), the vendor did not respond until July 28, when Catchpoint offered a $300 “big” bounty program reward.

Laluka offered to help with patch validation, but there has been radio silence since. Although he was paid, it’s been over 90 days, and there is still no news on a fix.

“I think that this software can be really helpful for devs and site reliability engineers, but that the codebase isn’t following good practices whatsoever,” Laluka told The Daily Swig. “It’s basically features in a bag – an open bag.”

Catchpoint has not responded to requests for comment from The Daily Swig.

RELATED PHP package manager component Packagist vulnerable to compromise

Tag

#js