DATABASE RESOURCES PRICING ABOUT US

{"id": "SAP_NETWEAVER_AS_3123396.NASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "SAP NetWeaver AS Desynchronization (ICMAD)", "description": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation.\n\nAn unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2022-02-09T00:00:00", "modified": "2022-12-05T00:00:00", "epss": [], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/nessus/157848", "reporter": "This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://launchpad.support.sap.com/#/notes/3123396", "http://www.nessus.org/u?f0c19cc7", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22536"], "cvelist": ["CVE-2022-22536"], "immutableFields": [], "lastseen": "2023-05-18T14:41:51", "viewCount": 39, "enchantments": {"backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2022-0042"]}, {"type": "cisa", "idList": ["CISA:C491359F9996B7AF8A31AD01C810E384"]}, {"type": "cve", "idList": ["CVE-2022-22536"]}, {"type": "githubexploit", "idList": ["75F44E16-D76D-596E-A23F-1F440DA58219"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:A40F87C53D5487E9D81FB6A8F62AF633"]}, {"type": "nessus", "idList": ["SAP_NETWEAVER_AS_WEB_DETECT.NBIN"]}, {"type": "talos", "idList": ["SAP"]}, {"type": "threatpost", "idList": ["THREATPOST:23B6C10D7EF469BE8ED27D1C9AFB526A", "THREATPOST:DD0FE8D3D9D205FA5CCA65C3EBDD62D2"]}]}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:484D6DEC-EFAF-46E7-ACF1-6CB13F63FC68"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2022-0042"]}, {"type": "cisa", "idList": ["CISA:C491359F9996B7AF8A31AD01C810E384"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2022-22536"]}, {"type": "cve", "idList": ["CVE-2022-22536"]}, {"type": "githubexploit", "idList": ["75F44E16-D76D-596E-A23F-1F440DA58219", "92B6BB94-CA85-576F-96D4-94E149EE1FC3"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2B7FA24A43BE3D53EA1E393BEC594625", "MALWAREBYTES:A40F87C53D5487E9D81FB6A8F62AF633"]}, {"type": "thn", "idList": ["THN:221BD04ADD3814DC78AF58DFF41861F3"]}, {"type": "threatpost", "idList": ["THREATPOST:23B6C10D7EF469BE8ED27D1C9AFB526A", "THREATPOST:DD0FE8D3D9D205FA5CCA65C3EBDD62D2"]}, {"type": "trellix", "idList": ["TRELLIX:73420774AE3767CFB11F493B41572174"]}]}, "exploitation": null, "score": {"value": 0.6, "vector": "NONE"}, "epss": [{"cve": "CVE-2022-22536", "epss": 0.96724, "percentile": 0.99427, "modified": "2023-05-02"}], "vulnersScore": 0.6}, "_state": {"dependencies": 1684458132, "score": 1698844884, "epss": 0}, "_internal": {"score_hash": "c0ca59e4f7db02172e579cf9b34913d6"}, "pluginID": "157848", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157848);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2022-22536\");\n script_xref(name:\"IAVA\", value:\"2022-A-0063\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/09/08\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0006\");\n\n script_name(english:\"SAP NetWeaver AS Desynchronization (ICMAD)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SAP NetWeaver application server is affected by a desynchronization vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53\nand SAP Web Dispatcher are vulnerable for request smuggling and request concatenation.\n\nAn unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute \nfunctions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete \ncompromise of Confidentiality, Integrity and Availability of the system.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f0c19cc7\");\n script_set_attribute(attribute:\"see_also\", value:\"https://launchpad.support.sap.com/#/notes/3123396\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22536\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/09\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sap:netweaver_application_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sap_netweaver_as_web_detect.nbin\");\n script_require_keys(\"installed_sw/SAP Netweaver Application Server (AS)\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443, 8000, 50000);\n\n exit(0);\n}\n\ninclude('vcf_extras_sap.inc');\n\nvar app_info = vcf::sap_netweaver_as::get_app_info(kernel:TRUE);\n\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nvar fix = 'See vendor advisory';\n\n# Kernel constraints\nvar constraints = [\n {'equal' : '7.22', 'fixed_display' : fix },\n {'equal' : '7.49', 'fixed_display' : fix },\n {'equal' : '7.53', 'fixed_display' : fix },\n {'equal' : '7.77', 'fixed_display' : fix },\n {'equal' : '7.81', 'fixed_display' : fix },\n {'min_version' : '7.85', 'max_version' : '7.87', 'fixed_display' : fix },\n {'equal' : '8.04', 'fixed_display' : fix }\n];\n\nvcf::sap_netweaver_as::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n kernel:TRUE\n);\n", "naslFamily": "Web Servers", "cpe": ["cpe:/a:sap:netweaver_application_server"], "solution": "Apply the appropriate patch according to the vendor advisory.", "nessusSeverity": "Critical", "cvssScoreSource": "CVE-2022-22536", "vendor_cvss2": {"score": 10, "vector": "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "vendor_cvss3": {"score": 10, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "vpr": {"risk factor": "High", "score": "8.1"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2022-02-08T00:00:00", "vulnerabilityPublicationDate": "2022-02-08T00:00:00", "exploitableWith": []}

{"cisa_kev": [{"lastseen": "2023-12-06T16:20:37", "description": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-18T00:00:00", "type": "cisa_kev", "title": "SAP Multiple Products HTTP Request Smuggling Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2022-08-18T00:00:00", "id": "CISA-KEV-CVE-2022-22536", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-12-06T15:08:47", "description": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-09T23:15:00", "type": "cve", "title": "CVE-2022-22536", "cwe": ["CWE-444"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2023-09-27T15:15:00", "cpe": ["cpe:/a:sap:netweaver_application_server_abap:7.22", "cpe:/a:sap:netweaver_application_server_abap:7.86", "cpe:/a:sap:web_dispatcher:7.49", "cpe:/a:sap:netweaver_application_server_abap:8.04", "cpe:/a:sap:netweaver_application_server_abap:krnl64uc_7.49", "cpe:/a:sap:content_server:7.53", "cpe:/a:sap:netweaver_application_server_abap:krnl64nuc_7.22", "cpe:/a:sap:web_dispatcher:7.53", "cpe:/a:sap:netweaver_application_server_abap:7.81", "cpe:/a:sap:web_dispatcher:7.85", "cpe:/a:sap:netweaver_application_server_abap:krnl64nuc_7.22ext", "cpe:/a:sap:netweaver_application_server_abap:7.49", "cpe:/a:sap:netweaver_application_server_abap:krnl64nuc_7.49", "cpe:/a:sap:netweaver_application_server_abap:krnl64uc_7.22", "cpe:/a:sap:web_dispatcher:7.86", "cpe:/a:sap:netweaver_application_server_abap:7.77", "cpe:/a:sap:web_dispatcher:7.77", "cpe:/a:sap:web_dispatcher:7.22ext", "cpe:/a:sap:netweaver_application_server_abap:7.53", "cpe:/a:sap:netweaver_application_server_abap:krnl64uc_7.22ext", "cpe:/a:sap:netweaver_application_server_abap:krnl64uc_7.53", "cpe:/a:sap:netweaver_application_server_abap:krnl64uc_8.04", "cpe:/a:sap:netweaver_application_server_abap:7.85", "cpe:/a:sap:web_dispatcher:7.81", "cpe:/a:sap:netweaver_application_server_abap:7.87", "cpe:/a:sap:web_dispatcher:7.87"], "id": "CVE-2022-22536", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22536", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.87:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.81:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.87:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.53:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.85:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.22ext:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.77:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.77:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:8.04:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.22ext:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.81:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.53:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.85:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.22:*:*:*:*:*:*:*", "cpe:2.3:a:sap:web_dispatcher:7.86:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.86:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_8.04:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.53:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64uc_7.49:*:*:*:*:*:*:*", "cpe:2.3:a:sap:netweaver_application_server_abap:krnl64nuc_7.22ext:*:*:*:*:*:*:*", "cpe:2.3:a:sap:content_server:7.53:*:*:*:*:*:*:*"]}], "prion": [{"lastseen": "2023-11-20T23:24:47", "description": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-09T23:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2023-09-27T15:15:00", "id": "PRION:CVE-2022-22536", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-22536", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-18T07:32:20", "description": "A remote code execution vulnerability exists in SAP NetWeaver Application Server. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T00:00:00", "type": "checkpoint_advisories", "title": "SAP NetWeaver Application Server Remote Code Execution (CVE-2022-22536)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2022-02-17T00:00:00", "id": "CPAI-2022-0042", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-10-18T16:35:16", "description": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim\u2019s request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-09T00:00:00", "type": "attackerkb", "title": "CVE-2022-22536", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2023-10-07T00:00:00", "id": "AKB:484D6DEC-EFAF-46E7-ACF1-6CB13F63FC68", "href": "https://attackerkb.com/topics/QF2qeHgdBB/cve-2022-22536", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-04-02T17:34:59", "description": "# SAP-memory-pipes-desynchronization-vulnerability-MPI-CVE-2022-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-02T16:12:56", "type": "githubexploit", "title": "Exploit for HTTP Request Smuggling in Sap Content Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2022-04-02T16:12:56", "id": "92B6BB94-CA85-576F-96D4-94E149EE1FC3", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-12-06T15:50:11", "description": "* CVE-2022-22536\nSAP memory pipes desynchronization vulnerabilit...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-15T09:22:19", "type": "githubexploit", "title": "Exploit for HTTP Request Smuggling in Sap Netweaver Application Server Abap", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2023-11-24T20:22:28", "id": "75F44E16-D76D-596E-A23F-1F440DA58219", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "nuclei": [{"lastseen": "2023-12-06T22:36:44", "description": "SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-25T00:00:00", "type": "nuclei", "title": "SAP Memory Pipes (MPI) Desynchronization", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22536"], "modified": "2023-12-05T00:00:00", "id": "NUCLEI:CVE-2022-22536", "href": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2022/CVE-2022-22536.yaml", "sourceData": "id: CVE-2022-22536\n\ninfo:\n name: SAP Memory Pipes (MPI) Desynchronization\n author: pdteam\n severity: critical\n description: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation attacks. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.\n remediation: |\n Apply the latest security patches and updates provided by SAP to mitigate this vulnerability.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2022-22536\n - https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022\n - https://github.com/Onapsis/onapsis_icmad_scanner\n - https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/\n - https://launchpad.support.sap.com/#/notes/3123396\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\n cvss-score: 10\n cve-id: CVE-2022-22536\n cwe-id: CWE-444\n epss-score: 0.95701\n epss-percentile: 0.99252\n cpe: cpe:2.3:a:sap:content_server:7.53:*:*:*:*:*:*:*\n metadata:\n max-request: 2\n vendor: sap\n product: content_server\n shodan-query: http.favicon.hash:-266008933\n tags: cve,cve2022,sap,smuggling,netweaver,web-dispatcher,memory-pipes,kev\n\nhttp:\n - raw:\n - |+\n GET {{sap_path}} HTTP/1.1\n Host: {{Hostname}}\n Content-Length: 82646\n Connection: keep-alive\n\n {{repeat(\"A\", 82642)}}\n\n GET / HTTP/1.1\n Host: {{Hostname}}\n\n payloads:\n sap_path:\n # based on https://github.com/Onapsis/onapsis_icmad_scanner\n - /sap/admin/public/default.html\n - /sap/public/bc/ur/Login/assets/corbu/sap_logo.png\n stop-at-first-match: true\n unsafe: true\n read-all: true\n\n matchers-condition: and\n matchers:\n - type: dsl\n dsl:\n - \"contains(tolower(body), 'administration')\"\n - \"contains(tolower(header), 'content-type: image/png')\"\n condition: or\n\n - type: word\n part: body\n words:\n - \"HTTP/1.0 400 Bad Request\" # error in concatenated response\n - \"HTTP/1.0 500 Internal Server Error\"\n - \"HTTP/1.0 500 Dispatching Error\"\n condition: or\n\n - type: status\n status:\n - 200\n\n# digest: 4a0a0047304502205863287a57d4e9aa73f4c5618d2ceda056e1d44d6376dc53f8eeec8ac3923a78022100dc80eee5ae506ca3eeb5d2ba1aab21c58f5866d7cc97c2ee826c593f3c5e2de4:922c64590222798bb761d5b6d8e72950", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-02-12T11:27:58", "description": "On February 8, 2022, SAP released [security updates](<https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022>) to address vulnerabilities affecting multiple products, including critical vulnerabilities affecting SAP applications using SAP Internet Communication Manager (ICM). SAP applications help organizations manage critical business processes\u2014such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management. Impacted organizations could experience:\n\n * theft of sensitive data,\n * financial fraud,\n * disruption of mission-critical business processes,\n * ransomware, and\n * halt of all operations.\n\nAdditionally, security researchers from Onapsis, in coordination with SAP, released a [Threat Report](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert>) describing SAP ICM critical vulnerabilities, CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. Onapsis also provides an [open source tool](<https://github.com/Onapsis/onapsis_icmad_scanner>) to identify if a system is vulnerable and needs to be patched.\n\nCISA recommends operators of SAP systems review [SAP\u2019s February 2022 Security Updates page](<https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022>), the [Onapsis Research Labs Threat Report: SAP ICMAD Vulnerabilities](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert>), and the [Onapsis GitHub page](<https://github.com/Onapsis/onapsis_icmad_scanner>) for more information and apply necessary updates and mitigations.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-08T00:00:00", "type": "cisa", "title": "Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22532", "CVE-2022-22533", "CVE-2022-22536"], "modified": "2022-02-08T00:00:00", "id": "CISA:C491359F9996B7AF8A31AD01C810E384", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2022-02-14T09:32:54", "description": "There\u2019s a trio of critical vulnerabilities, fixed on Tuesday, in SAP business applications that use the ubiquitous Internet Communication Manager (ICM): the component that gives SAP products the HTTPS web server they need to connect to the internet or talk to each other.\n\nThe vulnerabilities, discovered by Onapsis Research Labs, are tracked as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first CVE, addressed in [Security Note 3123396](<https://launchpad.support.sap.com/>), received the tip-top risk score \u2013 a 10 out of 10. The other two CVEs received scores of 8.1 and 7.5, respectively.\n\nThe issues are severe enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a [security advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>) about them this week. And, in a [blog post](<https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/>), SAP director of security response Vic Chung confirmed the severity of Onapsis\u2019 findings. He said that if they aren\u2019t remediated, the bugs \u2013 aka \u201cICMAD\u201d \u2013 \u201cwill enable attackers to execute serious malicious activity on SAP users, business information and processes.\u201d\n\nSpecifically, successful exploitation could lead to this frightening laundry list of cybersecurity hazards:\n\n * Hijack of user identities, theft of all user credentials and personal information\n * Exfiltration of sensitive or confidential corporate information\n * Fraudulent transactions and financial harm\n * Change of banking details in a financial system of record\n * Denial-of-service attack that disrupts critical systems for the business\n\nOnapsis, which specializes in security for SAP, Oracle, Salesforce and other software-as-a-service (SaaS) platforms, joined SAP in coordinating the release of[ a Threat Report](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert>) describing the critical vulnerabilities on Tuesday.\n\nThe firm estimated that there were tens of thousands \u2013 approximately 40,000 \u2013 SAP customers running more than 10,000 potentially affected, internet-exposed SAP applications at the time of disclosure.\n\nSAP and Onapsis urged customers to apply both Security Note 3123396 and [3123427](<https://t.nylas.com/t1/116/4a3z713b1kum7z18ruaq7siqk/13/51ec755ca6f695096592b0335df2b6ec4ba279684d0ae63b9df0739442312162>) without delay. Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing the serious issues, available to download [here](<https://github.com/Onapsis/onapsis_icmad_scanner>).\n\n## No Known Related Breaches \u2013 Yet\n\n\u201cSince ICM is exposed to the internet and untrusted networks by design, vulnerabilities in this component have an increased level of risk,\u201d Chung said.\n\nThe ICMAD bugs are critical memory-corruption vulnerabilities that should be patched promptly, given that ICM is a core component of SAP business applications \u2013 just one flavor of the business-critical apps that threat actors are actively targeting.\n\n\u201cAs we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,\u201d said Mariano Nunez, CEO and co-founder of Onapsis. \u201cThe discovery and patching of the ICMAD vulnerabilities as well as those previously identified by Onapsis Research Labs, such as[ RECON](<https://onapsis.com/recon-sap-cyber-security-vulnerability>) and[ 10KBLAZE](<https://onapsis.com/resources/10kblaze>), are essential to protecting the business-critical applications that power 92 percent of the Forbes Global 2000.\u201d\n\nAs of Tuesday, SAP and Onapsis weren\u2019t aware of any breaches related to the trio of bugs, but that\u2019s clearly no reason to delay in applying the updates in[ Security Note 3123396 [CVE-2022-22536]](<https://launchpad.support.sap.com/>) to affected SAP applications as soon as possible, they said.\n\n021022 13:28 UPDATE: An Onapsis spokesperson told Threatpost that as of Thursday, the team still hadn\u2019t seen either exploitation of the ICMAD flaws nor a proof of concept but that, unsurprisingly, they\u2019ve seen probes scanning for the vulnerability.\n\n## What to Do\n\nOnapsis has prepared this on-demand [recording](<https://hubs.ly/Q013KNxr0>) that details what to do to avoid any damage.\n\nAs well, at noon ET on Thursday, Onapsis\u2019 Nunez and SAP CISO Richard Puckett will provide a [threat briefing](<https://twitter.com/marianonunezdc/status/1491803623709310977>) about the ICMAD vulnerabilities.\n\n> Join SAP's [#CISO](<https://twitter.com/hashtag/CISO?src=hash&ref_src=twsrc%5Etfw>) Richard Puckett and me on the threat briefing about the [#icmad](<https://twitter.com/hashtag/icmad?src=hash&ref_src=twsrc%5Etfw>) vulnerabilities. Make sure you have all the info to protect your business-critical SAP applications. Today at 12pm ET. [#sap](<https://twitter.com/hashtag/sap?src=hash&ref_src=twsrc%5Etfw>) [#onapsis](<https://twitter.com/hashtag/onapsis?src=hash&ref_src=twsrc%5Etfw>) [#research](<https://twitter.com/hashtag/research?src=hash&ref_src=twsrc%5Etfw>) [#cisa](<https://twitter.com/hashtag/cisa?src=hash&ref_src=twsrc%5Etfw>) [#icm](<https://twitter.com/hashtag/icm?src=hash&ref_src=twsrc%5Etfw>) [#security](<https://twitter.com/hashtag/security?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/QObvbdN6sp>\n> \n> \u2014 Mariano Nunez (@marianonunezdc) [February 10, 2022](<https://twitter.com/marianonunezdc/status/1491803623709310977?ref_src=twsrc%5Etfw>)\n\n## Internally Facing Apps Also at Risk\n\nA vulnerability in ICM exposes the business-critical data enterprises depend on SAP to manage and safeguard, pointed out Casey Bisson, head of product and developer relations at code-security provider BluBracket. That goes for internal-facing apps as well as internet-facing ones, he said, given that ICM is at the core of practically all SAP-based web applications, and that includes apps that are internal-only.\n\n\u201cEven if the applications are internal-only, there\u2019s still risk when combined with other threats, including disgruntled employees and compromised network devices,\u201d he told Threatpost via email on Thursday. \u201cThis is exactly the vulnerability that threat actors like ransomware operators and state operatives are looking for.\u201d\n\nSAP servers are \u201cextremely rich targets,\u201d noted Aaron Turner, vice president of software-as-a-service (SaaS) posture at AI cybersecurity company Vectra. They have \u201csignificant\u201d access to material business processes and, generally, have multiple privileged credentials stored and used on those servers, he said via email.\n\n\u201cWith the Onapsis research, they have uncovered an exploit path that allows attackers to gain access to those privileged credentials to move laterally within the on-premises network, and also pivot into the cloud as most SAP customers have federated their legacy SAP workloads with cloud-based ones,\u201d Turner explained.\n\nHe compared the potential for exploitation to that presented by [Hafnium](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>): an advanced persistent threat (APT) believed to be linked to the Chinese government that Microsoft said has carried out zero-day attacks on Microsoft Exchange servers using the group of vulnerabilities known as [ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>).\n\n\u201cJust as Hafnium allowed attackers to pivot from on-prem Exchange to M365, this SAP attack path could allow the same,\u201d Turner suggested. \u201cThe SAP security updates will be critical ones to install, not just to protect those on-premises SAP servers but also any systems, on-prem or cloud, that may share credentials or trust relationships with those servers.\u201d\n\nMike Parkin, engineer at enterprise cyber-risk remediation SaaS provider Vulcan Cyber, told Threatpost that regardless of the current lack of reports of ICMAD exploits, \u201cthe potential risk is high.\u201d\n\nAll the more reason for organizations that rely on the affected components to deploy the patches and other relevant mitigations \u201cas soon as is practical,\u201d he advised.\n\n_021022 12:24 UPDATE: Added input from Casey Bisson, Aaron Turner and Mike Parkin._\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T16:39:04", "type": "threatpost", "title": "SAP Patches Severe \u2018ICMAD\u2019 Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22532", "CVE-2022-22533", "CVE-2022-22536"], "modified": "2022-02-10T16:39:04", "id": "THREATPOST:DD0FE8D3D9D205FA5CCA65C3EBDD62D2", "href": "https://threatpost.com/sap-patches-severe-icmad-bugs/178344/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T17:51:24", "description": "There\u2019s a trio of critical vulnerabilities, fixed on Tuesday, in SAP business applications that use the ubiquitous Internet Communication Manager (ICM): the component that gives SAP products the HTTPS web server they need to connect to the internet or talk to each other.\n\nThe vulnerabilities, discovered by Onapsis Research Labs, are tracked as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first CVE, addressed in [Security Note 3123396](<https://launchpad.support.sap.com/>), received the tip-top risk score \u2013 a 10 out of 10. The other two CVEs received scores of 8.1 and 7.5, respectively.\n\nThe issues are severe enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a [security advisory](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>) about them this week. And, in a [blog post](<https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/>), SAP director of security response Vic Chung confirmed the severity of Onapsis\u2019 findings. He said that if they aren\u2019t remediated, the bugs \u2013 aka \u201cICMAD\u201d \u2013 \u201cwill enable attackers to execute serious malicious activity on SAP users, business information and processes.\u201d\n\nSpecifically, successful exploitation could lead to this frightening laundry list of cybersecurity hazards:\n\n * Hijack of user identities, theft of all user credentials and personal information\n * Exfiltration of sensitive or confidential corporate information\n * Fraudulent transactions and financial harm\n * Change of banking details in a financial system of record\n * Denial-of-service attack that disrupts critical systems for the business\n\nOnapsis, which specializes in security for SAP, Oracle, Salesforce and other software-as-a-service (SaaS) platforms, joined SAP in coordinating the release of[ a Threat Report](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert>) describing the critical vulnerabilities on Tuesday.\n\nThe firm estimated that there were tens of thousands \u2013 approximately 40,000 \u2013 SAP customers running more than 10,000 potentially affected, internet-exposed SAP applications at the time of disclosure.\n\nSAP and Onapsis urged customers to apply both Security Note 3123396 and [3123427](<https://t.nylas.com/t1/116/4a3z713b1kum7z18ruaq7siqk/13/51ec755ca6f695096592b0335df2b6ec4ba279684d0ae63b9df0739442312162>) without delay. Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing the serious issues, available to download [here](<https://github.com/Onapsis/onapsis_icmad_scanner>).\n\n## No Known Related Breaches \u2013 Yet\n\n\u201cSince ICM is exposed to the internet and untrusted networks by design, vulnerabilities in this component have an increased level of risk,\u201d Chung said.\n\nThe ICMAD bugs are critical memory-corruption vulnerabilities that should be patched promptly, given that ICM is a core component of SAP business applications \u2013 just one flavor of the business-critical apps that threat actors are actively targeting.\n\n\u201cAs we have observed through recent threat intelligence, threat actors are actively targeting business-critical applications like SAP and have the expertise and tools to carry out sophisticated attacks,\u201d said Mariano Nunez, CEO and co-founder of Onapsis. \u201cThe discovery and patching of the ICMAD vulnerabilities as well as those previously identified by Onapsis Research Labs, such as[ RECON](<https://onapsis.com/recon-sap-cyber-security-vulnerability>) and[ 10KBLAZE](<https://onapsis.com/resources/10kblaze>), are essential to protecting the business-critical applications that power 92 percent of the Forbes Global 2000.\u201d\n\nAs of Tuesday, SAP and Onapsis weren\u2019t aware of any breaches related to the trio of bugs, but that\u2019s clearly no reason to delay in applying the updates in[ Security Note 3123396 [CVE-2022-22536]](<https://launchpad.support.sap.com/>) to affected SAP applications as soon as possible, they said.\n\n## What to Do\n\nOnapsis has prepared this on-demand [recording](<https://hubs.ly/Q013KNxr0>) that details what to do to avoid any damage.\n\nAs well, at noon ET on Thursday, Onapsis\u2019 Nunez and SAP CISO Richard Puckett will provide a [threat briefing](<https://twitter.com/marianonunezdc/status/1491803623709310977>) about the ICMAD vulnerabilities.\n\n> Join SAP's [#CISO](<https://twitter.com/hashtag/CISO?src=hash&ref_src=twsrc%5Etfw>) Richard Puckett and me on the threat briefing about the [#icmad](<https://twitter.com/hashtag/icmad?src=hash&ref_src=twsrc%5Etfw>) vulnerabilities. Make sure you have all the info to protect your business-critical SAP applications. Today at 12pm ET. [#sap](<https://twitter.com/hashtag/sap?src=hash&ref_src=twsrc%5Etfw>) [#onapsis](<https://twitter.com/hashtag/onapsis?src=hash&ref_src=twsrc%5Etfw>) [#research](<https://twitter.com/hashtag/research?src=hash&ref_src=twsrc%5Etfw>) [#cisa](<https://twitter.com/hashtag/cisa?src=hash&ref_src=twsrc%5Etfw>) [#icm](<https://twitter.com/hashtag/icm?src=hash&ref_src=twsrc%5Etfw>) [#security](<https://twitter.com/hashtag/security?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/QObvbdN6sp>\n> \n> \u2014 Mariano Nunez (@marianonunezdc) [February 10, 2022](<https://twitter.com/marianonunezdc/status/1491803623709310977?ref_src=twsrc%5Etfw>)\n\n## Internally Facing Apps Also at Risk\n\nA vulnerability in ICM exposes the business-critical data enterprises depend on SAP to manage and safeguard, pointed out Casey Bisson, head of product and developer relations at code-security provider BluBracket. That goes for internal-facing apps as well as internet-facing ones, he said, given that ICM is at the core of practically all SAP-based web applications, and that includes apps that are internal-only.\n\n\u201cEven if the applications are internal-only, there\u2019s still risk when combined with other threats, including disgruntled employees and compromised network devices,\u201d he told Threatpost via email on Thursday. \u201cThis is exactly the vulnerability that threat actors like ransomware operators and state operatives are looking for.\u201d\n\nSAP servers are \u201cextremely rich targets,\u201d noted Aaron Turner, vice president of software-as-a-service (SaaS) posture at AI cybersecurity company Vectra. They have \u201csignificant\u201d access to material business processes and, generally, have multiple privileged credentials stored and used on those servers, he said via email.\n\n\u201cWith the Onapsis research, they have uncovered an exploit path that allows attackers to gain access to those privileged credentials to move laterally within the on-premises network, and also pivot into the cloud as most SAP customers have federated their legacy SAP workloads with cloud-based ones,\u201d Turner explained.\n\nHe compared the potential for exploitation to that presented by [Hafnium](<https://threatpost.com/hades-ransomware-connections-hafnium/165069/>): an advanced persistent threat (APT) believed to be linked to the Chinese government that Microsoft said has carried out zero-day attacks on Microsoft Exchange servers using the group of vulnerabilities known as [ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>).\n\n\u201cJust as Hafnium allowed attackers to pivot from on-prem Exchange to M365, this SAP attack path could allow the same,\u201d Turner suggested. \u201cThe SAP security updates will be critical ones to install, not just to protect those on-premises SAP servers but also any systems, on-prem or cloud, that may share credentials or trust relationships with those servers.\u201d\n\nMike Parkin, engineer at enterprise cyber-risk remediation SaaS provider Vulcan Cyber, told Threatpost that regardless of the current lack of reports of ICMAD exploits, \u201cthe potential risk is high.\u201d\n\nAll the more reason for organizations that rely on the affected components to deploy the patches and other relevant mitigations \u201cas soon as is practical,\u201d he advised.\n\n_021022 12:24 UPDATE: Added input from Casey Bisson, Aaron Turner and Mike Parkin._\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T16:39:04", "type": "threatpost", "title": "SAP to Give Threat Briefing on Uber-Severe \u2018ICMAD\u2019 Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22532", "CVE-2022-22533", "CVE-2022-22536"], "modified": "2022-02-10T16:39:04", "id": "THREATPOST:23B6C10D7EF469BE8ED27D1C9AFB526A", "href": "https://threatpost.com/sap-threat-briefing-severe-icmad-bugs/178344/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "trellix": [{"lastseen": "2022-03-02T00:00:00", "description": "# The Bug Report - February 2022 \n\nBy Jesse Chick \u00b7 March 2, 2022\n\n## Your Cybersecurity Comic Relief\n\n[](<https://toggl.com/>) **[Image courtesy of https://toggl.com/](<https://toggl.com/>)**\n\n## Why am I here?\n\nWelcome back to the Bug Report, stubby-month edition! For those in the audience unfamiliar with our shtick, [every month](<https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-bug-report-january-2022.html>) we compile a shortlist of the top vulnerabilities of the month, so that they might whittle away at your last few hours of peaceful sleep. \n\nIt\u2019s a testament to the excitement of the last few months that February came as something of a reprieve for many of us who follow the ebbs and flows of the vulnerability landscape. But as we all slow down and catch our breath, someone, somewhere is having their personal information leaked, their intellectual property held by ransomware, or their privacy otherwise abused by a 0-day...and you're probably here for the grisly details. So, we at Trellix dutifully present to you our four high-impact vulns released during the month of February:\n\n * CVE-2022-22620: Apple WebKit\n * CVE-2022-0609: Google Chrome\n * CVE-2022-24086: Magento/ Adobe Commerce \n * CVE-2022-22536: SAP Internet Communications Manager\n \n\n\n## CVE-2022-22620: Apple finally gave something away for free!\n\n### What is it?\n\nWebKit is Apple\u2019s browser engine. If you are browsing the internet using an Apple product, I\u2019d bet with next month\u2019s rent money that WebKit is churning behind the scenes. Versions of WebKit prior to iOS 15.3.1 contain a use-after-free vulnerability (which occurs due to shoddy memory management) that can allow full remote code execution on a victim\u2019s device. The avenue of attack most likely to be used by attackers is a malicious URL (remember phishing from those pesky compliance trainings?) or via embedding the payload in a cross-site scripting attack on a vulnerable webpage. In the same terse fashion we curious souls have come to expect, Apple has withheld further detail on this vulnerability and the nature of the exploit. \n\n### Who cares?\n\nI care. I have an iPhone. And so do [6 million](<https://securityboulevard.com/2022/02/apples-zero-day-0-click-critical-vulnerability-cve-2022-22620/>) of you on Twitter, apparently, who likely rely on Apple products for either professional or personal tasks. To make this threat even less abstract for us Apple used-to-be-elite-now-commoners, there have been [reports](<https://twitter.com/Laughing_Mantis/status/1494394742821425164>) of CVE-2022-22620 being exploited in conjunction with privilege escalation to gain access to users\u2019 cameras and microphones.\n\n### What can I do?\n\nUpdate. Gotta update, always. To make sure your iPhone is running the patched version of iOS, go to Settings &gt; General &gt; About. If the \u201cSoftware Version\u201d shows something older than 15.3.1, that device is vulnerable, and it would be best to update immediately.\n\n### The Gold Standard\n\nAt this point, patching via software update is your best option. If you would like to have security and other updates installed automatically overnight upon release by Apple, this can be configured on all relevant devices to ensure you are free of exposure as quickly as possible.\n\n \n\n\n## CVE-2022-0609: Should you switch to Firefox?\n\n### What is it?\n\nAppearing like roaches, use-after-free browser bugs travel in groups. This one was discovered in-house at Google, by the Threat Analysis Group, inside of Chrome\u2019s animation component. Although some interaction from the user is required to carry out a successful exploit, this vulnerability can be leveraged to send and execute commands on a victim\u2019s machine over a local network.\n\n### Who cares?\n\nThe hundreds of millions of Chrome users (backed by Chrome\u2019s nearly two-thirds market share among today\u2019s browsers) may want to pay it some mind. This especially holds true for those who often browse from a public network, e.g. students and those who frequently travel, since public networks are a common reservoir of targets for malicious actors. Sure enough, [according to Google](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-0609>), this vulnerability is reported to have been exploited numerous times in the wild. But we all work from home now so no big deal, right? (I\u2019m hoping this comment does NOT age well).\n\n### What can I do?\n\n[Update Chrome](<https://support.google.com/chrome/answer/95414?hl=en&co=GENIE.Platform%3DDesktop>) to version [98.0.4758.102](<https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html>) or later, if you have not done so already. Checking the current version of Chrome is as simple as pasting \u201cchrome://version\u201d into the search bar.\n\n### The Gold Standard\n\nAs with iOS, etc., turning on automatic updates for Chrome is a good practice. Set it and forget. \n\n \n\n\n## CVE-2022-24086: All your e-commerce belongs to\u2026.?\n\n### What is it?\n\nYou can be forgiven for having never heard of Magento; avoiding PHP back ends like Ebola seems like decent practice. It turns out Magento is an open-source e-commerce platform which was bought by Adobe in 2018 and now forms the backbone of Adobe Commerce. Due to a lack of proper input validation (CWE-20, if you care) during the checkout stage of a transaction, an attacker can use Adobe Commerce\u2014or the open-source release of Magento that parallels it\u2014to achieve unauthenticated RCE with the same privileges as the corresponding server process. So, if Magento is running as root, this is about as bad as it gets.\n\n### Who cares?\n\nWell, if your platform relies on Adobe Commerce or open-source Magento, consider yourself vulnerable\u2014all unpatched versions of each are affected. Not to mention, CVE-2022-24086 has been actively exploited in the wild.\n\nAs of this writing, there is no complete publicly-available proof of concept, although a redacted version of a working POC (seen below) created by researchers with [Positive Technologies Offensive Team](<https://swarm.ptsecurity.com/>) has been released on [Twitter](<https://twitter.com/ptswarm/status/1494240197915123713>) and distributed widely, which illustrates the leaking of \u201c/etc/passwd\u201d on a vulnerable host.\n\n \n\n\n### What can I do?\n\nPatch, and patch quickly. Time is of the essence! But be sure to follow the [instructions from Adobe](<https://helpx.adobe.com/security/products/magento/apsb22-12.html#Summary>) with care: there are two patches which must be applied in sequence, one to address [CVE-2022-24086](<https://vulners.com/cve/CVE-2022-24086>) and another to fix the near-identical follow-on issue tracked as [CVE-2022-24087](<https://sensorstechforum.com/cve-2022-24087-adobe-magento/>). Both patches are required to make sure that your platform is safe from exploitation of this vulnerability.\n\n### The Gold Standard\n\nStay abreast on the latest impactful vulnerabilities throughout the industry; or you just might see a piece of your own infrastructure featured in the latest CVE. Our [security bulletins](<https://www.mcafee.com/enterprise/en-us/threat-center/product-security-bulletins.html>) are a great place to start.\n\n \n\n\n## CVE-2022-22536: A Perfect 10!\n\n### What is it?\n\nDoes anyone have a clue what SAP stands for? I\u2019ve always wondered but never been able to demystify the potential acronym. This month it could be confused with a Strikingly Attackable Platform thanks to CVE-2022-22536. The bug exists in the SAP Internet Communication Manager (ICM) when the webserver hosting the ICM is sitting behind a proxy. An attacker can use a technique called [HTTP Response Smuggling](<https://www.whitehatsec.com/glossary/content/http-response-smuggling>) to poison the proxy\u2019s web cache and ICM response queue. Upon an unexpecting user visiting the website and making a GET request for the page, they will download the attacker\u2019s malicious JavaScript instead of the intended webpage. A more detailed (and colorful!) explanation of the attack mechanics is available on the [Onapsis website](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities?utm_campaign=2022-Q1-global-ICM-campaign-page&utm_medium=website&utm_source=third-party&utm_content=CISA-alert#download>), for the price of your email, of course.\n\n### Who cares?\n\nSAP in January of 2022 proudly [reported](<https://www.sap.com/documents/2017/04/4666ecdd-b67c-0010-82c7-eda71af511fa.html>) that 99 of 100 of the largest companies in the world were SAP customers with over [230 million cloud users](<https://www.sap.com/about/company/what-is-sap.html>). Couple that statistic with the fact that every SAP application sitting behind any kind of proxy with standard configuration will be vulnerable to this bug, there is a good chance you might need to cancel your weekend plans. Although we don\u2019t put much stock in [CVSS score](<https://nvd.nist.gov/vuln-metrics/cvss>) for this publication, it's worth noting this scored the magical unicorn rating of a perfect 10 and was able to garner special attention from our friends at [CISA](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>).\n\n### What can I do?\n\nIf in doubt as to whether or not your SAP server is vulnerable, the good people at [Onapsis](<https://onapsis.com/>), who discovered the vulnerability, released a Python-based [scanning tool](<https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022>) with a complete CLI. Or, if you have the version number of your NetWeaver, Web Dispatcher, etc., you can simply cross-reference it with [SAP\u2019s official list](<https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022>) of vulnerable versions. Don\u2019t want a call at 2 a.m. about a breach? Take the time to download and install the patches for your SAP products today!\n\n### The Gold Standard\n\nUnfortunately, not every vulnerability can be adequately addressed by network security products, and this vulnerability happens to be one of those cases. Your best bet is to follow the mitigations mentioned above and keep your servers up to date.\n", "cvss3": {}, "published": "2022-03-02T00:00:00", "type": "trellix", "title": "The Bug Report - February 2022 Edition", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-0609", "CVE-2022-22536", "CVE-2022-22620", "CVE-2022-24086", "CVE-2022-24087"], "modified": "2022-03-02T00:00:00", "id": "TRELLIX:73420774AE3767CFB11F493B41572174", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/the-bug-report-february-2022.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2022-02-14T11:27:09", "description": "German enterprise software maker SAP has patched three critical vulnerabilities affecting Internet Communication Manager (ICM), a core component of SAP business applications. Customers are urged by both [SAP](<https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/>) and [CISA](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>) to address these critical vulnerabilities as soon as possible.\n\nOn February 8, SAP released 14 new security notes and security researchers from Onapsis, in coordination with SAP, released a [Threat Report](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities>) describing SAP ICM critical vulnerabilities, [CVE-2022-22536](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22536>), [CVE-2022-22532](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22532>), and [CVE-2022-22533](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22533>). Onapsis also provides an [open source tool](<https://github.com/Onapsis/onapsis_icmad_scanner>) to identify if a system is vulnerable and needs to be patched.\n\n## CVE-2022-22536\n\nThe most important vulnerability in this report is CVE-2022-22536, one of the ICMAD vulnerabilities. The ICMAD vulnerabilities are particularly critical because the issues exist by default in the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of a SAP NetWeaver application server and is present in most SAP products. It is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet.\n\nCVE-2022-22536 is a request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher. This vulnerability scored a [CVSS](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) rating of 10 out of 10. The high score is easy to explain. A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation of the vulnerability.\n\n## Other vulnerabilities\n\nSome of the other \u201chigh scorers\u201d are [Log4j](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) related vulnerabilities, and a security update for the browser control Google Chromium delivered with SAP Business Client. The other two ICMAD vulnerabilities identified as CVE-2022-22532 and CVE-2022-22533 received scores of 8.1 and 7.5, respectively.\n\n## Scan tool\n\nOn [GitHub](<https://github.com/Onapsis/onapsis_icmad_scanner>) Onapsis published a Python script that can be used to check if a SAP system is affected by CVE-2022-22536.\n\nA [Shodan scan](<https://www.shodan.io/search?query=server%3A+SAP+NetWeaver+Application+Server>) shows there are more than 5,000 SAP NetWeaver servers currently connected to the Internet and exposed to attacks until the patch is applied.\n\n## Mitigation\n\nSAP and Onapsis are currently unaware of any customer breaches that relate to these vulnerabilities, but strongly advise impacted organizations to immediately apply Security Note 3123396 (which covers CVE-2022-22536) to their affected SAP applications as soon as possible.\n\nThe Cybersecurity &amp; Infrastructure Security Agency (CISA) warned that customers who fail to do so will be exposing themselves to ransomware attacks, the theft of sensitive data, financial fraud, and disruption or halt of business operations.\n\nThe post [SAP customers are urged to patch critical vulnerabilities in multiple products](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/sap-customers-are-urged-to-patch-critical-vulnerabilities-in-multiple-products/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-10T08:58:36", "type": "malwarebytes", "title": "SAP customers are urged to patch critical vulnerabilities in multiple products", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22532", "CVE-2021-22533", "CVE-2021-22536", "CVE-2022-22532", "CVE-2022-22533", "CVE-2022-22536"], "modified": "2022-02-10T08:58:36", "id": "MALWAREBYTES:A40F87C53D5487E9D81FB6A8F62AF633", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/sap-customers-are-urged-to-patch-critical-vulnerabilities-in-multiple-products/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-23T00:02:12", "description": "On Thursday, CISA (the US Cybersecurity and Infrastructure Security Agency) updated [its catalog of actively exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) by adding seven new entries. These flaws were found in Apple, Google, Microsoft, Palo Alto Networks, and SAP products. CISA set the due date for everyone to patch the weaknesses by September 8, 2022.\n\nCVE-2022-22536, an SAP flaw with the highest risk score of 10, is one of the seven. We wrote about it in February, and thankfully, SAP addressed the issue fairly quickly, too, by issuing a patch. CISA even mentioned that if customers fail to patch CVE-2022-22536, they could be exposed to ransomware attacks, data theft, financial fraud, and other business disruptions that'd cost them millions.\n\n[**CVE-2022-32893**](<https://cve.report/CVE-2022-32893>) and [**CVE-2022-32894**](<https://cve.report/CVE-2022-32894>), the two zero-day, out-of-bounds write vulnerabilities affecting iOS, iPadOS, and macOS, continue to [headline](<https://www.malwarebytes.com/blog/news/2022/08/urgent-update-for-macos-and-ios-two-actively-exploited-zero-days-fixed>) as of this writing. These are serious flaws that, if left unpatched, could allow anyone to take control of vulnerable Apple systems. Apple already released fixes for these from the following support pages:\n\n * [About the security content of iOS 15.6.1 and iPadOS 15.6.1](<https://support.apple.com/en-gb/HT213412>)\n * [About the security content of macOS Monterey 12.5.1](<https://support.apple.com/en-gb/HT213413>)\n * [About the security content of Safari 15.6.1](<https://support.apple.com/en-us/HT213414>)\n\nThe Google Chrome flaw with high severity, **[CVE-2022-2856](<https://www.malwarebytes.com/blog/news/2022/08/update-chrome-now-google-issues-patch-for-zero-day-spotted-in-the-wild>)**, is also [confirmed](<https://www.forbes.com/sites/daveywinder/2022/08/20/google-confirms-chrome-zero-day-5-as-attacks-begin-update-now/>) to be targeted by hackers. As with other zero-days, technical details about it are light, but the [advisory](<https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html>) states that the flaw is an \"insufficient validation of untrusted input in Intents.\" The [Intents](<https://developers.google.com/assistant/conversational/intents>) technology works in the background and is involved in processing user input or handling a system event. If this flaw is exploited, anyone could create a malicious input that Chrome may validate incorrectly, leading to arbitrary code execution or system takeover.\n\nGoogle already patched this. While Chrome should've updated automatically, it is recommended to force an update check to ensure the patch is applied.\n\nMicrosoft also has patches available for **[CVE-2022-21971](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21971>)** and **[CVE-2022-26923](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923>)** in February and May, respectively. The former was given an \"exploitation less likely\" probability, but that has already changed--a [proof-of-concept (PoC)](<https://www.malwarebytes.com/glossary/proof-of-concept>) has been available since March. PoC exploits were also made public for the latter Microsoft flaw. However, these were released after Microsoft had already pushed out a patch.\n\nPalo Alto Networks's is the oldest among the new vulnerabilities added to the catalog. Discovered in 2017, **[CVE-2017-15944](<https://nvd.nist.gov/vuln/detail/CVE-2017-15944>)** has a severity rating of 9.8 (Critical). Once exploited, attackers could perform remote code execution on affected systems. You can read more about this flaw on [Palo Alto's advisory page](<https://security.paloaltonetworks.com/CVE-2017-15944>).\n\nMalwarebytes advises readers to apply patches to these flaws if they use products of the companies we mentioned. You don't have to wait for the due date before you act.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-22T15:00:00", "type": "malwarebytes", "title": "CISA wants you to patch these actively exploited vulnerabilities before September 8", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15944", "CVE-2022-21971", "CVE-2022-22536", "CVE-2022-26923", "CVE-2022-2856", "CVE-2022-32893", "CVE-2022-32894"], "modified": "2022-08-22T15:00:00", "id": "MALWAREBYTES:2B7FA24A43BE3D53EA1E393BEC594625", "href": "https://www.malwarebytes.com/blog/news/2022/08/cisa-wants-you-to-patch-these-actively-exploited-vulnerabilities-before-september-8", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-09-23T16:56:17", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjs8JaMOY9R6lUtMUspyaZkXpTsX4qNnhcrHTL9mWH5ZNa5vmozYX5_wadmPyK4zvGOflysK8-kmfWEodQkGRkX2S6SRc2Rz3Mmc6gZULQMoM1NWsDnbyPfI1hCtqNvHLJGrpMX5ei4CIFAfpq-ihMIXLWrMaa-7Q5NtgXCuo8GX35xntkWn95YjMu2/s728-e100/cisa.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday moved to add a [critical SAP security flaw](<https://www.cisa.gov/uscert/ncas/current-activity/2022/08/18/cisa-adds-seven-known-exploited-vulnerabilities-catalog>) to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence of active exploitation.\n\nThe issue in question is [CVE-2022-22536](<https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10>), which has received the highest possible risk score of 10.0 on the CVSS vulnerability scoring system and was addressed by SAP as part of its Patch Tuesday updates for February 2022.\n\nDescribed as an HTTP request smuggling vulnerability, the shortcoming impacts the following product versions -\n\n * SAP Web Dispatcher (Versions - 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87)\n * SAP Content Server (Version - 7.53)\n * SAP NetWeaver and ABAP Platform (Versions - KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49)\n\n\"An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary web caches,\" CISA said in an alert.\n\n\"A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation,\" Onapsis, which [discovered](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities>) the flaw, [notes](<https://onapsis.com/threat-report/icmad-sap-vulnerabilities>). \"Consequently, this makes it easy for attackers to exploit it and more challenging for security technology such as firewalls or IDS/IPS to detect it (as it does not present a malicious payload).\"\n\nAside from the SAP weakness, the agency added new flaws disclosed by Apple ([CVE-2022-32893 and CVE-2022-32894](<https://thehackernews.com/2022/08/apple-releases-security-updates-to.html>)) and Google ([CVE-2022-2856](<https://thehackernews.com/2022/08/new-google-chrome-zero-day.html>)) this week as well as previously documented Microsoft-related bugs ([CVE-2022-21971](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21971>) and [CVE-2022-26923](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26923>)) and a remote code execution vulnerability in Palo Alto Networks PAN-OS ([CVE-2017-15944](<https://nvd.nist.gov/vuln/detail/CVE-2017-15944>), CVSS score: 9.8) that was disclosed in 2017.\n\nCVE-2022-21971 (CVSS score: 7.8) is a remote code execution vulnerability in Windows Runtime that was resolved by Microsoft in February 2022. CVE-2022-26923 (CVSS score: 8.8), fixed in May 2022, relates to a privilege escalation flaw in Active Directory Domain Services.\n\n\"An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System,\" Microsoft describes in its advisory for CVE-2022-26923.\n\nThe CISA notification, as is traditionally the case, is light on technical details of in-the-wild attacks associated with the vulnerabilities so as to avoid threat actors taking further advantage of them.\n\nTo mitigate exposure to potential threats, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the relevant patches by September 8, 2022.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-20T14:19:00", "type": "thn", "title": "CISA Adds 7 New Actively Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15944", "CVE-2022-21971", "CVE-2022-22536", "CVE-2022-26923", "CVE-2022-2856", "CVE-2022-32893", "CVE-2022-32894"], "modified": "2022-09-23T13:13:33", "id": "THN:221BD04ADD3814DC78AF58DFF41861F3", "href": "https://thehackernews.com/2022/08/cisa-adds-7-new-actively-exploited.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2023-12-06T20:41:31", "description": "Hello everyone! This month I decided NOT to make an episode completely dedicated to Microsoft Patch Tuesday. Instead, this episode will be an answer to the question of how my Vulnerability Management month went. A retrospection of some kind.\n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239134>\n\n## GitHub exploits and Vulristics\n\nThis month I made some improvements to my Vulristics vulnerability prioritization tool. These changes relate to the use of exploit data on Github. We all know that exploits are often posted on GitHub. But how adequate is this source in order to evaluate the exploitability?\n\n### PoC in Github\n\nFor example, there is an interesting [PoC in GitHub](<https://github.com/nomi-sec/PoC-in-GitHub>) repository on github. It contains the results of an automated search for exploits of CVE vulnerabilities on GitHub. There are currently PoCs for 4484 CVE IDs. \n\nDistribution by years:\n \n \n CVE-1999-_: 4 CVE-2000-_: 4 \n CVE-2001-_: 10 CVE-2002-_: 14 \n CVE-2003-_: 6 CVE-2004-_: 9 \n CVE-2005-_: 7 CVE-2006-_: 13 \n CVE-2007-_: 18 CVE-2008-_: 21 \n CVE-2009-_: 22 CVE-2010-_: 25 \n CVE-2011-_: 27 CVE-2012-_: 39 \n CVE-2013-_: 64 CVE-2014-_: 128 \n CVE-2015-_: 144 CVE-2016-_: 185 \n CVE-2017-_: 323 CVE-2018-_: 407 \n CVE-2019-_: 504 CVE-2020-_: 684 \n CVE-2021-_: 747 CVE-2022-_: 739 \n CVE-2023-*: 340\n\nThe total number of CVEs is growing, and so is the number of exploitable CVEs.  But no one guarantees that PoC is functional and that there are no rickrolls or malware. Be careful. \n\nFor example, it contains Office RCE vulnerability (CVE-2023-36884) from the July Patch Tuesday. But if you look closely, everything is not so rosy.  Let&#x27;s see.\n\n 1.  Maxwitat/CVE-2023-36884-Scripts-for-Intune-Remediation-SCCM-Compliance-Baseline - script for remediation\n 2.  deepinstinct/Storm0978-RomCom-Campaign - IOCs\n 3.  zerosorai/CVE-2023-36884 - remediation utility\n 4.  tarraschk/CVE-2023-36884-Checker - vulnerability detection script\n 5.  or2me/CVE-2023-36884_patcher - remediation utility\n 6.  ToddMaxey/CVE-2023-36884 - script for remediation\n 7.  ridsoliveira/Fix-CVE-2023-36884 - script for remediation\n 8.  raresteak/CVE-2023-36884 - information for remediation\n\nThere is no POC yet. \n\nSo &quot;PoC in GitHub&quot; would be more appropriate to call &quot;CVE mentions in GitHub&quot;. It will highlight mentions of CVEs, but, of course, it will not show the context. Then only manual analysis or some automated classification will help you.\n\n### Vulristics vulners-use-github-exploits-flag\n\nThe ambiguity of exploitation data on GitHub is also bad for my Vulristics reports. For high-profile vulnerabilities, such as Zerologon (CVE-2020-1472), there are too many references to GitHub in the report, most of which are not related to exploits. \n\n\n\nAnd it is very difficult to automatically understand which repositories contain exploits and which contain irrelevant content. And, **as a rule**, it is not really necessary. Fully functional exploit will most likely end up in specialized exploit packs, although it may happen with some delay.\n\n\n\nTherefore, I think Vulristics users should be able to generate both reports containing as much information about exploits as possible (although it will be littered) and reports that take into account only known exploit packs.\n\nI have added the option `--vulners-use-github-exploits-flag`, which can be either `True` or `False`. The default value is `True`.\n\nI also added [source] links.\n\n### Exceptions\n\nAn exploit from GitHub, **as a rule**, ends up in a specialized exploit pack over time, BUT NOT ALWAYS! For example, **Command Injection** - SAP NetWeaver (CVE-2022-22536).\n\n\n\nWe see that exploits for this vulnerability are available only on the GitHub. And, judging by the description, they are valid. \n\n\n\nAnd if we generate a Vulristics report with `--vulners-use-github-exploits-flag \"False\"`, then we will lose this valuable information. \n\n\n\nSo be aware and use the option with caution. \n\n## VM vendors updates\n\n### Qualys First-Party Application Risk Detection and Remediation\n\nIn early August, Qualys [introduced new capabilities](<https://blog.qualys.com/product-tech/2023/08/03/qualys-expands-cloud-platform-for-first-party-application-risk-detection-and-remediation>) for analyzing the vulnerabilities of self-written (First-Party) and open source applications.\n\n 1. Custom Assessment and Remediation (CAR) is a mechanism for adding your own detection scripts, including PowerShell and Python scripts. You can write your own detection script (for example, using the versions that the application security guys told you), add it to Qualys and get a list of vulnerable hosts. Such vulnerabilities will have a QID and can be treated as vulnerabilities detected by Qualys itself.\n 2. Runtime Software Composition Analysis (SCA). During a vulnerability scan, not only the software itself is checked, but also the libraries used by this software. In fact, Qualys Agent runs through the file system and searches / analyzes library files (including Log4j). This is not a super new feature. I have seen such detections in Microsoft Defender for Endpoint for a long time. But apparently it becomes a mandatory feature.\n\n### Tenable ExposureAI\n\n[Tenable announced](<https://www.tenable.com/press-releases/tenable-makes-generative-ai-security-tools-available-to-the-research-community>) Vulnerability (Exposure) Management with generative AI similar to ChatGPT. The product (or rather technology) will be called [ExposureAI](<https://www.tenable.com/solutions/exposure-ai>) and will be available as part of Tenable One.\n\nMain features:\n\n 1. It will be possible to make requests in a natural language.\n 2. It will be possible to generate human-readable descriptions of Attack Path scenarios (this saves time when preparing reports).\n 3. It will be possible to see insights &quot;what needs to be done first&quot;.\n\nAs with Cyclops Security, which announced similar functionality a little earlier, it all depends on how smart the system turns out to be and how bad mistakes it makes.\n\n### SC Awards and Rapid7\n\n[SC Awards](<https://www.scmagazine.com/2023-sc-award-winners>) continues to be fun. This year Rapid7 InsightVM received &quot;Best Vulnerability Management Solution&quot;. [In the nomination](<https://www.scmagazine.com/news/2023-sc-awards-finalists-best-vulnerability-management-solution#>) there was Tenable - it&#x27;s ok. Do you know what other 3 giants and innovators of the VM market were there?\n\n Palo Alto Networks Prisma Cloud - cloud-native application protection platform  \n Lacework - cloud security platform  \n Coalfire Ransomware Simulation-as-a-Service (RSaaS) \n\nHave the contest organizers heard of Qualys VM? \n\nApparently, so that Tenable would not be offended, they were given &quot;Best Risk / Policy Management Solution&quot; (Qualys was also in this nomination) and &quot;Best Security Company&quot;. The company is the best, but apparently their VM is so-so, Rapid7&#x27;s solution is better.  The only pity is that Rapid7 seems to have problems with sales of this best VM solution. &quot;[Rapid7 will lay off](<https://www.crn.com/news/security/rapid7-to-make-surprising-layoffs-of-hundreds-as-it-invests-in-msps-mdr>) about 18 per cent of its workforce, around 470 employees, with significant cuts to sales and engineering \u2013 as well as permanently close some office locations&quot;.\n\nNow let&#x27;s talk about vulnerabilities.\n\n## Anglo-Saxon vulnerability lists\n\nAnglo-Saxon state security agencies from 5 countries issued a joint advisory &quot;[2022&#x27;s Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/sites/default/files/2023-08/aa23-215a_joint_csa_2022_top_routinely_exploited_vulnerabilities.pdf>)&quot;. I took this report, wrote out the CVE references and released 2 Vulristics reports:\n\n 1. [TOP 12 vulnerabilities](<https://avleonov.com/vulristics_reports/aa23-215a_top12_report_with_comments_ext_img.html>)\n 2. [Extended with all vulnerabilities (42) from the advisory ](<https://avleonov.com/vulristics_reports/aa23-215a_report_with_comments_ext_img.html>)\n\nIn the Top 12 Vulnerabilities, all CVEs have links to exploits and signs of exploitation in the wild. All of them are Urgent, except for one, because it is EoP in the not-so-common Workspace One. The most critical are RCEs in Apache Log4j2, Microsoft Exchange, and Confluence.\n\nIn the extended report, all CVEs have the sign of exploitation in the wild, but there are 6 vulnerabilities without links to exploits and therefore with Critical/High criticality. The most critical are RCEs in Apache HTTP Server, Apache Log4j2, Windows RDP and Microsoft Exchange.\n\nIt is worth noting that the extended list contains such Oldies But Goodies vulnerabilities as:\n\n * [Zerologon](<https://avleonov.com/2020/09/30/microsoft-patch-tuesday-september-2020-zerologon-and-other-exploits-rces-in-sharepoint-and-exchange/>) (CVE-2020-1472). A vulnerability in the cryptography of Microsoft\u2019s Netlogon process that allows an attack against Microsoft Active Directory domain controllers\n\n\n\n * Microsoft Office RCE (CVE-2017-11882). The PoC for this vulnerability appeared a week after the publication in 2017 and since then, for more than 5 years, it has been actively exploited. \n\n\n\nCompared to [last year advisory](<https://avleonov.com/2022/10/21/joint-advisory-aa22-279a-and-vulristics/>), GitLab and exotics like Hikvision and Buffalo are gone. The set of CVEs looks better.\n\nCommands for those who want to build a report themselves in [Vulristics](<https://github.com/leonov-av/vulristics>) using [comments for CVEs](<https://avleonov.com/vulristics_reports/AA23-215A_comments.txt>) from AA23-215A.\n \n \n $ cat AA23-215A_comments.txt | grep -v \"30 Additional\" | egrep -o \"CVE-[0-9]-[0-9]\" | sort | uniq > AA23-215A_cves_top12.txt\n $ cat AA23-215A_comments.txt | egrep -o \"CVE-[0-9]-[0-9]\" | sort | uniq > AA23-215A_cves.txt\n \n $ python3 vulristics.py --report-type \"cve_list\" --cve-project-name \"AA23-215A\" --cve-list-path \"AA23-215A_cves.txt\" --cve-comments-path \"AA23-215A_comments.txt\" --cve-data-sources \"ms,nvd,epss,vulners,attackerkb\" --rewrite-flag \"True\"\n $ python3 vulristics.py --report-type \"cve_list\" --cve-project-name \"AA23-215A_top12\" --cve-list-path \"AA23-215A_cves_top12.txt\" --cve-comments-path \"AA23-215A_comments.txt\" --cve-data-sources \"ms,nvd,epss,vulners,attackerkb\" --rewrite-flag \"False\"\n\nFunny detail: 8 agencies from 5 countries released this, but there was no one who carefully read and noticed that in several places the identifier for Log4Shell is written as &quot;CVE-2021- 44228&quot; with a space. Both [in pdf](<https://www.cisa.gov/sites/default/files/2023-08/aa23-215a_joint_csa_2022_top_routinely_exploited_vulnerabilities.pdf>), and in [the web-version](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a>). \n\n## August Microsoft Patch Tuesday\n\nMy impressions of the August Microsoft Patch Tuesday - nothing special. \n\n\n\n * All vulnerabilities: 103\n * Urgent: 0\n * Critical: 1\n * High: 33\n * Medium: 69\n * Low: 0\n\nFormally, the most critical vulnerability is **Denial of Service** - .NET and Visual Studio (CVE-2023-38180), because there are signs of exploitation. There are no details, but it is somehow doubtful. \n\n\n\nNo more vulnerabilities with public exploits or signs of exploitation.\n\nSeveral **Remote Code Executions** - Microsoft Exchange (CVE-2023-35368, CVE-2023-38185, CVE-2023-35388, CVE-2023-38182). 3 of them definitely require authentication, one is unclear. This authentication can potentially be obtained through **Elevation of Privilege** - Microsoft Exchange (CVE-2023-21709) - &quot;This vulnerability allows a remote, unauthenticated attacker to log in as another user&quot;. It&#x27;s better to patch! \n\n**Remote Code Execution** - Microsoft Teams (CVE-2023-29328, CVE-2023-29330). Fortunately, in Russia it&#x27;s not popular anymore.\n\nThere is also a bunch of EoPs in the Windows kernel&amp;components.\n\nFull report: [ms_patch_tuesday_august2023_report](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_august2023_report_with_comments_ext_img.html>)\n\n## Other important vulnerabilities\n\nAmong other vulnerabilities of this month, I would like to highlight:\n\n * Actively exploited since April 2023 WinRAR Extension Spoofing (CVE-2023-38831), which also has a public exploit. I highly recommend installing the WinRAR 6.23 update, which also fixes the potentially dangerous RCE CVE-2023-40477.\n\n\n\n * [Numerous vulnerabilities](<https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US>) in the J-Web component (web console) of the Juniper Networks Junos operating system on SRX and EX series devices. These are the vulnerabilities that lead to RCE and for them there is a [detailed review](<https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/>) and a [PoC](<https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/>).\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-30T16:15:31", "type": "avleonov", "title": "August 2023: GitHub PoCs, Vulristics, Qualys First-Party, Tenable ExposureAI, SC Awards and Rapid7, Anglo-Saxon list, MS Patch Tuesday, WinRAR, Juniper", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2020-1472", "CVE-2022-22536", "CVE-2023-21709", "CVE-2023-29328", "CVE-2023-29330", "CVE-2023-35368", "CVE-2023-35388", "CVE-2023-36844", "CVE-2023-36884", "CVE-2023-38180", "CVE-2023-38182", "CVE-2023-38185", "CVE-2023-38831", "CVE-2023-40477"], "modified": "2023-08-30T16:15:31", "id": "AVLEONOV:7E0DF6DEBB35FB55F6B4D33A7262A422", "href": "https://avleonov.com/2023/08/30/august-2023-github-pocs-vulristics-qualys-first-party-tenable-exposureai-sc-awards-and-rapid7-anglo-saxon-list-ms-patch-tuesday-winrar-juniper/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-12-06T21:19:51", "description": "### **SUMMARY**\n\nThe following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):\n\n * United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)\n * Australia: Australian Signals Directorate\u2019s Australian Cyber Security Centre (ACSC)\n * Canada: Canadian Centre for Cyber Security (CCCS)\n * New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)\n * United Kingdom: National Cyber Security Centre (NCSC-UK)\n\nThis advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.\n\nThe authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory\u2014including the following\u2014to reduce the risk of compromise by malicious cyber actors.\n\n * **Vendors, designers, and developers**: Implement [secure-by-design and -default principles and tactics](<https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default> \"Security-by-Design and -Default\" ) to reduce the prevalence of vulnerabilities in your software. \n * **Follow the Secure Software Development Framework (SSDF)**, also known as [SP 800-218](<https://csrc.nist.gov/publications/detail/sp/800-218/final> \"NIST SP 800-218\" ), and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.\n * **Prioritize secure-by-default configurations**, such as eliminating default passwords, or requiring addition configuration changes to enhance product security.\n * **Ensure that published CVEs include the proper CWE field** identifying the root cause of the vulnerability.\n * **End-user organizations**: \n * **Apply timely patches to systems**. **Note**: First check for signs of compromise if CVEs identified in this CSA have not been patched.\n * Implement a centralized patch management system.\n * **Use security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers**.\n * **Ask your software providers to discuss their secure by design program** and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.\n\nDownload the PDF version of this report:\n\nAA23-215A PDF (PDF, 980.90 KB )\n\n### **TECHNICAL DETAILS**\n\n#### **Key Findings**\n\nIn 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.\n\nMalicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure\u2014the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).\n\nMalicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets\u2019 networks. Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.\n\n#### **Top Routinely Exploited Vulnerabilities**\n\nTable 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379> \"CVE-2018-13379\" )**. **This vulnerability, affecting Fortinet SSL VPNs, was also [routinely exploited in 2020](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a> \"Top Routinely Exploited Vulnerabilities\" ) and [2021](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a> \"2021 Top Routinely Exploited Vulnerabilities\" ). The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.\n * [**CVE-2021-34473**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473> \"CVE-2021-34473\" )**, **[**CVE-2021-31207**](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207> \"CVE-2021-31207\" )**, **[**CVE-2021-34523**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523> \"CVE-2021-34523\" )**.** These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft\u2019s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.\n * [**CVE-2021-40539**](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539> \"CVE-2021-40539\" )**.** This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability [began in late 2021](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a> \"APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus\" ) and [continued throughout 2022](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF> \"Top CVEs Actively Exploited By People\u2019s Republic of China State-Sponsored Cyber Actors\" ).\n * [**CVE-2021-26084**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> \"CVE-2021-26084\" )**.** This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.\n * [**CVE-2021- 44228**](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> \"CVE-2021-44228\" )**.** This vulnerability, known as Log4Shell, affects Apache\u2019s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[[1](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance>)] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021- 44228 through the first half of 2022.\n * [**CVE-2022-22954**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954> \"CVE-2022-22954\" ), [**CVE-2022-22960**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960> \"CVE-2022-22960\" )**.** These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution**. **Exploitation of CVE-2022-22954 and CVE-2022-22960 [began in early 2022](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b> \"Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control\" ) and attempts continued throughout the remainder of the year.\n * [**CVE-2022-1388**](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388> \"CVE-2022-1388\" )**.** This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication** **on F5 BIG-IP application delivery and security software**.**\n * [**CVE-2022-30190**](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190> \"CVE-2022-30190\" )**.** This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.\n * [**CVE-2022-26134**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> \"CVE-2022-26134\" ). This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability ([CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> \"CVE-2021-26084\" )), which cyber actors also exploited in 2022.\n_Table 1: Top 12 Routinely Exploited Vulnerabilities in 2022_\n\n**CVE**\n\n| \n\n**Vendor**\n\n| \n\n**Product**\n\n| \n\n**Type**\n\n| \n\n**CWE** \n \n---|---|---|---|--- \n \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379> \"CVE-2018-13379\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS and FortiProxy\n\n| \n\nSSL VPN credential exposure\n\n| \n\n[CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473> \"CVE-2021-34473\" )\n\n(Proxy Shell)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\n[CWE-918 Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html> \"CWE-918: Server-Side Request Forgery \\(SSRF\\)\" ) \n \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207> \"CVE-2021-31207\" )\n\n(Proxy Shell)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nSecurity Feature Bypass\n\n| \n\n[CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523> \"CVE-2021-34523\" )\n\n(Proxy Shell)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nElevation of Privilege\n\n| \n\n[CWE-287 Improper Authentication](<https://cwe.mitre.org/data/definitions/287.html> \"CWE-287: Improper Authentication\" ) \n \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539> \"CVE-2021-40539\" )\n\n| \n\nZoho ManageEngine\n\n| \n\nADSelfService Plus\n\n| \n\nRCE/\n\nAuthentication Bypass\n\n| \n\n[CWE-287 Improper Authentication](<https://cwe.mitre.org/data/definitions/287.html> \"CWE-287: Improper Authentication\" ) \n \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> \"CVE-2021-26084\" )\n\n| \n\nAtlassian\n\n| \n\nConfluence Server and Data Center\n\n| \n\nArbitrary code execution\n\n| \n\n[CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html> \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component \\('Injection'\\)\" ) \n \n[CVE-2021- 44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> \"CVE-2021-44228\" )\n\n(Log4Shell)\n\n| \n\nApache\n\n| \n\nLog4j2\n\n| \n\nRCE\n\n| \n\n[CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> \"CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \\('Expression Language Injection'\\)\" )\n\n[CWE-20 Improper Input Validation](<https://cwe.mitre.org/data/definitions/20.html> \"CWE-20: Improper Input Validation\" )\n\n[CWE-400 Uncontrolled Resource Consumption](<https://cwe.mitre.org/data/definitions/400.html> \"CWE-400: Uncontrolled Resource Consumption\" )\n\n[CWE-502 Deserialization of Untrusted Data](<https://cwe.mitre.org/data/definitions/502.html> \"CWE-502: Deserialization of Untrusted Data\" ) \n \n[CVE-2022-22954](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954> \"CVE-2022-22954\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access and Identity Manager\n\n| \n\nRCE\n\n| \n\n[CWE-94 Improper Control of Generation of Code ('Code Injection')](<https://cwe.mitre.org/data/definitions/94.html> \"CWE-94: Improper Control of Generation of Code \\('Code Injection'\\)\" ) \n \n[CVE-2022-22960](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960> \"CVE-2022-22960\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access, Identity Manager, and vRealize Automation\n\n| \n\nImproper Privilege Management\n\n| \n\n[CWE-269 Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html> \"CWE-269: Improper Privilege Management\" ) \n \n[CVE-2022-1388](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388> \"CVE-2022-1388\" )\n\n| \n\nF5 Networks\n\n| \n\nBIG-IP\n\n| \n\nMissing Authentication Vulnerability\n\n| \n\n[CWE-306 Missing Authentication for Critical Function](<https://cwe.mitre.org/data/definitions/306.html> \"CWE-306: Missing Authentication for Critical Function\" ) \n \n[CVE-2022-30190](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190> \"CVE-2022-30190\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\nRCE\n\n| \n\nNone Listed \n \n[CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> \"CVE-2022-26134\" )\n\n| \n\nAtlassian\n\n| \n\nConfluence Server and Data Center\n\n| \n\nRCE\n\n| \n\n[CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html> \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component \\('Injection'\\)\" ) \n \n#### **Additional Routinely Exploited Vulnerabilities**\n\nIn addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilities\u2014listed in Table 2\u2014that were also routinely exploited by malicious cyber actors in 2022.\n\n_Table 2: Additional Routinely Exploited Vulnerabilities in 2022_\n\n**CVE**\n\n| \n\n**Vendor**\n\n| \n\n**Product**\n\n| \n\n**Type**\n\n| \n\n**CWE** \n \n---|---|---|---|--- \n \n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199> \"CVE-2017-0199\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\nArbitrary Code Execution\n\n| \n\nNone Listed \n \n[CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882> \"CVE-2017-11882\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nArbitrary Code Execution\n\n| \n\n[CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](<https://cwe.mitre.org/data/definitions/119.html> \"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer\" ) \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510> \"CVE-2019-11510\" )\n\n| \n\nIvanti\n\n| \n\nPulse Secure Pulse Connect Secure\n\n| \n\nArbitrary File Reading\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708> \"CVE-2019-0708\" )\n\n| \n\nMicrosoft\n\n| \n\nRemote Desktop Services\n\n| \n\nRCE\n\n| \n\n[CWE-416: Use After Free](<https://cwe.mitre.org/data/definitions/416.html> \"CWE-416: Use After Free\" ) \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781> \"CVE-2019-19781\" )\n\n| \n\nCitrix\n\n| \n\nApplication Delivery Controller and Gateway\n\n| \n\nArbitrary Code Execution\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902> \"CVE-2020-5902\" )\n\n| \n\nF5 Networks\n\n| \n\nBIG-IP\n\n| \n\nRCE\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472> \"CVE-2020-1472\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\nPrivilege Escalation\n\n| \n\n[CWE-330: Use of Insufficiently Random Values](<https://cwe.mitre.org/data/definitions/330.html> \"CWE-330: Use of Insufficiently Random Values\" ) \n \n[CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882> \"CVE-2020-14882\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server\n\n| \n\nRCE\n\n| \n\nNone Listed \n \n[CVE-2020-14883](<https://nvd.nist.gov/vuln/detail/CVE-2020-14883> \"CVE-2020-14883\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server\n\n| \n\nRCE\n\n| \n\nNone Listed \n \n[CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016> \"CVE-2021-20016\" )\n\n| \n\nSonicWALL\n\n| \n\nSSLVPN SMA100\n\n| \n\nSQL Injection\n\n| \n\n[CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](<https://cwe.mitre.org/data/definitions/89.html> \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command \\('SQL Injection'\\)\" ) \n \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855> \"CVE-2021-26855\" )\n\n(ProxyLogon)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\n[CWE-918: Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html> \"CWE-918: Server-Side Request Forgery \\(SSRF\\)\" ) \n \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065> \"CVE-2021-27065\" )\n\n(ProxyLogon)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858> \"CVE-2021-26858\" )\n\n(ProxyLogon)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\nNone Listed \n \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857> \"CVE-2021-26857\" )\n\n(ProxyLogon)\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nRCE\n\n| \n\n[CWE-502: Deserialization of Untrusted Data](<https://cwe.mitre.org/data/definitions/502.html> \"CWE-502: Deserialization of Untrusted Data\" ) \n \n[CVE-2021-20021](<https://nvd.nist.gov/vuln/detail/CVE-2021-20021> \"CVE-2021-20021\" )\n\n| \n\nSonicWALL\n\n| \n\nEmail Security\n\n| \n\nPrivilege Escalation Exploit Chain\n\n| \n\n[CWE-269: Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html> \"CWE-269: Improper Privilege Management\" ) \n \n[CVE-2021-40438](<https://nvd.nist.gov/vuln/detail/CVE-2021-40438> \"CVE-2021-40438\" )\n\n| \n\nApache\n\n| \n\nHTTP Server\n\n| \n\nServer-Side Request Forgery\n\n| \n\n[CWE-918: Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html> \"CWE-918: Server-Side Request Forgery \\(SSRF\\)\" ) \n \n[CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773> \"CVE-2021-41773\" )\n\n| \n\nApache\n\n| \n\nHTTP Server\n\n| \n\nServer Path Traversal\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"\u00a0CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013> \"CVE-2021-42013\" )\n\n| \n\nApache\n\n| \n\nHTTP Server\n\n| \n\nServer Path Traversal\n\n| \n\n[CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html> \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory \\('Path Traversal'\\)\" ) \n \n[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038> \"CVE-2021-20038\" )\n\n| \n\nSonicWall\n\n| \n\nSMA 100 Series Appliances\n\n| \n\nStack-based Buffer Overflow\n\n| \n\n[CWE-787: Out-of-bounds Write](<https://cwe.mitre.org/data/definitions/787.html> \"CWE-787: Out-of-bounds Write\" )\n\n[CWE-121: Stack-based Buffer Overflow](<http://cwe.mitre.org/data/definitions/121.html> \"CWE-121: Stack-based Buffer Overflow\" ) \n \n[CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046> \"CVE-2021-45046\" )\n\n| \n\nApache\n\n| \n\nLog4j\n\n| \n\nRCE\n\n| \n\n[CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> \"CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \\('Expression Language Injection'\\)\" ) \n \n[CVE-2022-42475](<https://nvd.nist.gov/vuln/detail/CVE-2022-42475> \"CVE-2022-42475\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS\n\n| \n\nHeap-based Buffer Overflow\n\n| \n\n[CWE-787: Out-of-bounds Write](<https://cwe.mitre.org/data/definitions/787.html> \"CWE-787: Out-of-bounds Write\" ) \n \n[CVE-2022-24682](<https://nvd.nist.gov/vuln/detail/CVE-2022-24682> \"CVE-2022-24682\" )\n\n| \n\nZimbra\n\n| \n\nCollaboration Suite\n\n| \n\n\u2018Cross-site Scripting\u2019\n\n| \n\n[CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](<https://cwe.mitre.org/data/definitions/79.html> \"CWE-79: Improper Neutralization of Input During Web Page Generation \\('Cross-site Scripting'\\)\" ) \n \n[CVE-2022-22536](<https://nvd.nist.gov/vuln/detail/CVE-2022-22536> \"CVE-2022-22536\" )\n\n| \n\nSAP\n\n| \n\nInternet Communication Manager (ICM)\n\n| \n\nHTTP Request Smuggling\n\n| \n\n[CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')](<https://cwe.mitre.org/data/definitions/444.html> \"CWE-444: Inconsistent Interpretation of HTTP Requests \\('HTTP Request/Response Smuggling'\\)\" ) \n \n[CVE-2022-22963](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963> \"CVE-2022-22963\" )\n\n| \n\nVMware Tanzu\n\n| \n\nSpring Cloud\n\n| \n\nRCE\n\n| \n\n[CWE-94: Improper Control of Generation of Code ('Code Injection')](<https://cwe.mitre.org/data/definitions/94.html> \"CWE-94: Improper Control of Generation of Code \\('Code Injection'\\)\" )\n\n[CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> \"CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \\('Expression Language Injection'\\)\" ) \n \n[CVE-2022-29464](<https://nvd.nist.gov/vuln/detail/CVE-2022-29464> \"CVE-2022-29464\" )\n\n| \n\nWSO2\n\n| \n\nMultiple Products\n\n| \n\nRCE\n\n| \n\n[CWE-434: Unrestricted Upload of File with Dangerous Type](<https://cwe.mitre.org/data/definitions/434.html> \"CWE-434: Unrestricted Upload of File with Dangerous Type\" ) \n \n[CVE-2022-27924](<https://nvd.nist.gov/vuln/detail/CVE-2022-27924> \"CVE-2022-27924\" )\n\n| \n\nZimbra\n\n| \n\nZimbra Collaboration Suite\n\n| \n\nCommand Injection\n\n| \n\n[CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html> \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component \\('Injection'\\)\" ) \n \n[CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047> \"CVE-2022-22047\" )\n\n| \n\nMicrosoft\n\n| \n\nWindows CSRSS\n\n| \n\nElevation of Privilege\n\n| \n\n[CWE-269: Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html> \"CWE-269: Improper Privilege Management\" ) \n \n[CVE-2022-27593](<https://nvd.nist.gov/vuln/detail/CVE-2022-27593> \"CVE-2022-27593\" )\n\n| \n\nQNAP\n\n| \n\nQNAP NAS\n\n| \n\nExternally Controlled Reference\n\n| \n\n[CWE-610: Externally Controlled Reference to a Resource in Another Sphere](<https://cwe.mitre.org/data/definitions/610.html> \"CWE-610: Externally Controlled Reference to a Resource in Another Sphere\" ) \n \n[CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082> \"CVE-2022-41082\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nPrivilege Escalation\n\n| \n\nNone Listed \n \n[CVE-2022-40684](<https://nvd.nist.gov/vuln/detail/CVE-2022-40684> \"CVE-2022-40684\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS, FortiProxy, FortiSwitchManager\n\n| \n\nAuthentication Bypass\n\n| \n\n[CWE-306: Missing Authentication for Critical Function](<https://cwe.mitre.org/data/definitions/306.html> \"CWE-306: Missing Authentication for Critical Function\" ) \n \n### **MITIGATIONS**\n\n#### **Vendors and Developers**\n\nThe authoring agencies recommend vendors and developers take the following steps to ensure their products are secure by design and default:\n\n * **Identify repeatedly exploited classes of vulnerability. **Perform an analysis of both CVEs and known exploited vulnerabilities to understand which classes of vulnerability are identified more than others. Implement appropriate mitigations to eliminate those classes of vulnerability. For example, if a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries, and prohibit other forms of queries.\n * **Ensure business leaders are responsible for security. **Business leaders should ensure that proactive steps to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered.\n * **Follow the SSDF** ([SP 800-218](<https://csrc.nist.gov/publications/detail/sp/800-218/final> \"NIST SP 800-218\" )_)_ and implement secure design practices into each stage of the SDLC. Pay attention to: \n * Prioritizing the use of memory safe languages wherever possible [[SSDF PW 6.1](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )].\n * Exercising due diligence when selecting software components (e.g., software libraries, modules, middleware, frameworks) to ensure robust security in consumer software products [[SSDF PW 4.1](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )].\n * Setting up secure development team practices; this includes conducting peer code reviews, working to a common organization secure coding standard, and maintaining awareness of language specific security concerns [[SSDF PW.5.1, PW.7.1, PW.7.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )].\n * Establishing a [vulnerability disclosure program](<https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/vulnerability-disclosure-programs-explained> \"Vulnerability Disclosure Programs Explained\" ) to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization [[SSDF RV.1.3](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )]. As part of this, establish processes to determine root causes of discovered vulnerabilities.\n * Using static and dynamic application security testing (SAST/DAST) tools to analyze product source code and application behavior to detect error-prone practices [[SSDF PW.7.2, PW.8.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )].\n * Configuring production-ready products to have to most secure settings as default and providing guidance on the risks of changing each setting [[SSDF PW.9.1, PW9.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf> \"NIST Special Publication 800-218\" )]\n * **Prioritize secure-by-default configurations** such as eliminating default passwords, implementing single sign on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration and at no extra charge.\n * **Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability **to enable industry-wide analysis of software security and design flaws.\n\nFor more information on designing secure-by-design and -default products, including additional recommended secure-by-default configurations, see joint guide [Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default](<https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default> \"Security-by-Design and -Default\" ).\n\n#### **End-User Organizations**\n\nThe authoring agencies recommend end-user organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors\u2019 activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA\u2019s [Cross-Sector Cybersecurity Performance Goals](<https://www.cisa.gov/cross-sector-cybersecurity-performance-goals> \"Cross-Sector Cybersecurity Performance Goals\" ) for more information on CPGs, including additional recommended baseline protections.\n\n#### **_Vulnerability and Configuration Management_**\n\n * **Update software, operating systems, applications, and firmware on IT network assets in a timely manner** [CPG 1.E]. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog> \"Known Exploited Vulnerabilities Catalog\" ), especially those CVEs identified in this CSA, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix. \n * If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.\n * Replace end-of-life software (i.e., software no longer supported by the vendor).\n * **Routinely perform automated asset discovery** across the entire estate to identify and catalogue all the systems, services, hardware and software.\n * **Implement a robust patch management process **and centralized patch management system that establishes prioritization of patch applications [CPG 1.A]. \n * Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications\u2014such as webmail, file storage, file sharing, and chat and other employee collaboration tools\u2014for their customers. However, MSPs and CSPs can expand their customer\u2019s attack surface and may introduce unanticipated risks, so organizations should proactively collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For more information and guidance, see the following resources. \n * CISA Insights Risk Considerations for Managed Service Provider Customers\n * CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses\n * ACSC advice on [How to Manage Your Security When Engaging a Managed Service Provider](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/managed-services/how-manage-your-security-when-engaging-managed-service-provider> \"How to Manage Your Security When Engaging a Managed Service Provider\" )\n * **Document secure baseline configurations for all IT/OT components**, including cloud infrastructure. Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O].\n * **Perform regular secure system backups** and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].\n * **Maintain an updated cybersecurity incident response plan** that is tested at least annually and updated within a risk informed time frame to ensure its effectiveness [CPG 2.S].\n\n#### **_Identity and Access Management_**\n\n * **Enforce phishing-resistant multifactor authentication (MFA) for all users**, without exception. [CPG 2.H].\n * **Enforce MFA on all VPN connections**. If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].\n * **Regularly review, validate, or remove privileged accounts** (annually at a minimum) [CPG 2.D, 2.E].\n * **Configure access control under the principle of least privilege** [CPG 2.Q]. \n * Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (using non-administrative privileges where feasible). \n**Note:** See CISA\u2019s Capacity Enhancement Guide \u2013 Implementing Strong Authentication and ACSC\u2019s guidance on [Implementing Multi-Factor Authentication](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/implementing-multi-factor-authentication> \"Implementing Multi-Factor Authentication\" ) for more information on authentication system hardening.\n\n#### **_Protective Controls and Architecture_**\n\n * **Properly configure and secure internet-facing network devices**, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2X]. \n * Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.\n * Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.\n * Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).\n * **Implement Zero Trust Network Architecture (ZTNA)** to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X]. **Note:** See the Department of Defense\u2019s [Zero Trust Reference Architecture](<https://dodcio.defense.gov/Portals/0/Documents/Library/\\(U\\)ZT_RA_v2.0\\(U\\)_Sep22.pdf> \"Department of Defense \\(DoD\\) Zero Trust Reference Architecture\" ) for additional information on Zero Trust.\n * **Continuously monitor the attack surface** and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T]. \n * Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanner, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].\n * Use web application firewalls to monitor and filter web traffic. These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].\n * Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified approved versions [CPG 2.Q].\n * Use a network protocol analyzer to examine captured data, including packet-level data.\n\n#### **_Supply Chain Security_**\n\n * **Reduce third-party applications and unique system/application builds**\u2014provide exceptions only if required to support business critical functions [CPG 2.Q].\n * Ensure contracts require vendors and/or third-party service providers to: \n * Provide notification of security incidents and vulnerabilities within a risk informed time frame [CPG 1.G, 1.H, 1.I].\n * Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].\n * **Ask your software providers to discuss their secure by design program** and to provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.\n\n### **RESOURCES**\n\n * For information on the top vulnerabilities routinely exploited in 2016 through 2019, 2020, and 2021, see: \n * Joint CSA [Top 10 Routinely Exploited Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-133a> \"Top 10 Routinely Exploited Vulnerabilities\" )\n * Joint CSA [Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a> \"Top Routinely Exploited Vulnerabilities\" )\n * Joint CSA [2021 Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a> \"2021 Top Routinely Exploited Vulnerabilities\" )\n * See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.\n * See ACSC\u2019s [Essential Eight mitigation strategies](<https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model> \"Essential Eight Maturity Model\" ) for additional mitigations.\n * See ACSC\u2019s [Cyber Supply Chain Risk Management](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/cyber-supply-chains/cyber-supply-chain-risk-management> \"Cyber Supply Chain Risk Management\" ) for additional considerations and advice.\n\n### DISCLAIMER\n\nThe information in this report is being provided \u201cas is\u201d for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.\n\n### **PURPOSE**\n\nThis document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.\n\n### **REFERENCES**\n\n[1] [Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance> \"Apache Log4j Vulnerability Guidance\" )\n\n### **VERSION HISTORY**\n\nAugust 3, 2023: Initial version.\n\n### **APPENDIX: PATCH INFORMATION AND ADDITIONAL RESOURCES FOR TOP EXPLOITED VULNERABILITIES**\n\n**CVE**\n\n| \n\n**Vendor**\n\n| \n\n**Affected Products and Versions**\n\n| \n\n**Patch Information**\n\n| \n\n**Resources** \n \n---|---|---|---|--- \n \n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199> \"CVE-2017-0199\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\n[Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199> \"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows\" )\n\n| \n \n[CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882> \"CVE-2017-11882\" )\n\n| \n\nMicrosoft\n\n| \n\nOffice, Multiple Versions\n\n| \n\n[Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882> \"Microsoft Office Memory Corruption Vulnerability\" )\n\n| \n \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379> \"CVE-2018-13379\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6\n\n| \n\n[FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests](<https://www.fortiguard.com/psirt/FG-IR-20-233> \"FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests\" )\n\n| \n\nJoint CSAs:\n\n[Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a> \"Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities\" )\n\n[Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a> \"Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology\" )\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" ) \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510> \"CVE-2019-11510\" )\n\n| \n\nIvanti\n\n| \n\nPulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12\n\n| \n\n[SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://forums.ivanti.com/s/article/SA44101?language=en_US> \"SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX\" )\n\n| \n\nCISA Alerts:\n\n[Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a> \"Continued Exploitation of Pulse Secure VPN Vulnerability\" )\n\n[Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a> \"Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity\" )\n\nACSC Advisory:\n\n[2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software](<https://www.cyber.gov.au/about-us/advisories/2019-129-recommendations-mitigate-vulnerability-pulse-connect-secure-vpn-software> \"2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software\" )\n\nJoint CSA:\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" )\n\n_CCCS Alert:_\n\n[APT Actors Target U.S. and Allied Networks - Update 1](<https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi> \"Alert - APT Actors Target U.S. and Allied Networks - update 1\" ) \n \n[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708> \"CVE-2019-0708\" )\n\n| \n\nMicrosoft\n\n| \n\nRemote Desktop Services\n\n| \n\n[Remote Desktop Services Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0708> \"Remote Desktop Services Remote Code Execution Vulnerability\" )\n\n| \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781> \"CVE-2019-19781\" )\n\n| \n\nCitrix\n\n| \n\nADC and Gateway version 13.0 all supported builds before 13.0.47.24\n\nNetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12\n\nSD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b\n\n| \n\n[CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance](<https://support.citrix.com/article/CTX267027/cve201919781-vulnerability-in-citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance> \"CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance\" )\n\n| \n\nJoint CSAs:\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" )\n\n[Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a> \"Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity\" )\n\n_CCCS Alert:_\n\n[Detecting Compromises relating to Citrix CVE-2019-19781](<https://www.cyber.gc.ca/en/alerts/detecting-compromises-relating-citrix-cve-2019-19781-0> \"Alert - Detecting Compromises relating to Citrix CVE-2019-19781\" ) \n \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902> \"CVE-2020-5902\" )\n\n| \n\nF5\n\n| \n\nBIG IP versions 15.1.0, 15.0.0 to 15.0.1, 14.1.0 to 14.1.2, 13.1.0 to 13.1.3, 12.1.0 to 12.1.5, and 11.6.1 to 11.6.5\n\n| \n\n[K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://my.f5.com/manage/s/article/K52145254> \"K52145254: TMUI RCE vulnerability CVE-2020-5902\" )\n\n| \n\nCISA Alert:\n\n[Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a> \"Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902\" ) \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472> \"CVE-2020-1472\" )\n\n| \n\nMicrosoft\n\n| \n\nWindows Server, Multiple Versions\n\n| \n\n[Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472> \"Netlogon Elevation of Privilege Vulnerability\" )\n\n| \n\nACSC Advisory:\n\n[2020-016: Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)](<https://www.cyber.gov.au/about-us/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472> \"Advisory 2020-016: \"Zerologon\" - Netlogon Elevation of Privilege Vulnerability \\(CVE-2020-1472\\)\" )\n\nJoint CSA:\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" )\n\n_CCCS Alert:_\n\n[Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - Update 1](<https://www.cyber.gc.ca/en/alerts/microsoft-netlogon-elevation-privilege-vulnerability-cve-2020-1472> \"Alert - Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - update 1\" ) \n \n[CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882> \"CVE-2020-14882\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0\n\n| \n\n[Oracle Critical Patch Update Advisory - October 2020](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html> \"Oracle Critical Patch Update Advisory - October 2020\" )\n\n| \n \n[CVE-2020-14883](<https://nvd.nist.gov/vuln/detail/CVE-2020-14883> \"CVE-2020-14883\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0\n\n| \n\n[Oracle Critical Patch Update Advisory - October 2020](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html> \"Oracle Critical Patch Update Advisory - October 2020\" )\n\n| \n \n[CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016> \"CVE-2021-20016\" )\n\n| \n\nSonicWALL\n\n| \n\nSSLVPN SMA100, Build Version 10.x\n\n| \n\n[Confirmed Zero-day vulnerability in the SonicWall SMA100 build version 10.x](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001> \"CONFIRMED ZERO-DAY VULNERABILITY IN THE SONICWALL SMA100 BUILD VERSION 10.X\" )\n\n| \n \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855> \"CVE-2021-26855\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> \"Mitigate Microsoft Exchange Server Vulnerabilities\" ) \n \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>) | Microsoft | Exchange Server, Multiple Versions | [Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>) | \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a>) \n \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858> \"CVE-2021-26858\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> \"Mitigate Microsoft Exchange Server Vulnerabilities\" ) \n \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065> \"CVE-2021-27065\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> \"Mitigate Microsoft Exchange Server Vulnerabilities\" ) \n \n[CVE-2021-20021](<https://nvd.nist.gov/vuln/detail/CVE-2021-20021> \"CVE-2021-20021\" )\n\n| \n\nSonicWALL\n\n| \n\nEmail Security version 10.0.9.x Email Security\n\n| \n\n[SonicWall Email Security pre-authentication administrative account creation vulnerability](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007> \"SONICWALL EMAIL SECURITY PRE-AUTHENTICATION ADMINISTRATIVE ACCOUNT CREATION VULNERABILITY\" )\n\n| \n \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207> \"CVE-2021-31207\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| \n\n[Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207> \"Microsoft Exchange Server Security Feature Bypass Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities](<https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities> \"Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities\" )\n\nACSC Alert:\n\n[Microsoft Exchange ProxyShell Targeting in Australia](<https://www.cyber.gov.au/about-us/alerts/microsoft-exchange-proxyshell-targeting-australia> \"Microsoft Exchange ProxyShell Targeting in Australia\" ) \n \n[CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> \"CVE-2022-26134\" )\n\n| \n\nAtlassian\n\n| \n\nConfluence Server and Data Center, versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1\n\n| \n\n[Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html> \"Confluence Security Advisory 2022-06-02\" )\n\n| \n\nCISA Alert:\n\n[CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog](<https://www.cisa.gov/news-events/alerts/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog> \"CISA Adds One Known Exploited Vulnerability \\(CVE-2022-26134\\) to Catalog\u202f\u202f\" )\n\nACSC Alert:\n\n[Remote code execution vulnerability present in Atlassian Confluence Server and Data Center](<https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-certain-versions-atlassian-confluence> \"Remote code execution vulnerability present in Atlassian Confluence Server and Data Center\" ) \n \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473> \"CVE-2021-34473\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Version\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nJoint CSA:\n\n[Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a> \"Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities\" ) \n \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523> \"CVE-2021-34523\" )\n\n| \n\nMicrosoft\n\n| \n\nMicrosoft Exchange Server 2013 Cumulative Update 23\n\nMicrosoft Exchange Server 2016 Cumulative Updates 19 and 20\n\nMicrosoft Exchange Server 2019 Cumulative Updates 8 and 9\n\n| \n\n[Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523> \"Microsoft Exchange Server Elevation of Privilege Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities](<https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities> \"Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities\" ) \n \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> \"CVE-2021-26084\" )\n\n| \n\nJira Atlassian\n\n| \n\nConfluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\n| \n\n[Jira Atlassian: Confluence Server Webwork OGNL injection - CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940> \"Confluence Server Webwork OGNL injection - CVE-2021-26084\" )\n\n| \n\nCISA Alert:\n\n[Atlassian Releases Security Updates for Confluence Server and Data Center](<https://www.cisa.gov/news-events/alerts/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data-center> \"Atlassian Releases Security Updates for Confluence Server and Data Center\" ) \n \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539> \"CVE-2021-40539\" )\n\n| \n\nZoho ManageEngineCorp.\n\n| \n\nManageEngine ADSelfService Plus builds up to 6113\n\n| \n\n[Security advisory - ADSelfService Plus authentication bypass vulnerability](<https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html> \"Security advisory - ADSelfService Plus authentication bypass vulnerability\" )\n\n| \n\nACSC Alert:\n\n[Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors](<https://www.cyber.gov.au/about-us/alerts/critical-vulnerability-manageengine-adselfservice-plus-exploited-cyber-actors> \"Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors\" ) \n \n[CVE-2021-40438](<https://nvd.nist.gov/vuln/detail/CVE-2021-40438> \"CVE-2021-40438\" )\n\n| \n\nApache\n\n| \n\nHTTP Server 2.4.48\n\n| | \n \n[CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773> \"CVE-2021-41773\" )\n\n| \n\nApache\n\n| \n\nApache HTTP Server 2.4.49\n\n| \n\n[Apache HTTP Server 2.4 vulnerabilities](<https://httpd.apache.org/security/vulnerabilities_24.html> \"Apache HTTP Server 2.4 vulnerabilities\" )\n\n| \n \n[CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013> \"CVE-2021-42013\" )\n\n| \n\nApache\n\n| \n\nApache HTTP Server 2.4.50\n\n| \n\n[Apache HTTP Server 2.4 vulnerabilities](<https://httpd.apache.org/security/vulnerabilities_24.html> \"Apache HTTP Server 2.4 vulnerabilities\" )\n\n| \n \n[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038> \"CVE-2021-20038\" )\n\n| \n\nSonicWall\n\n| \n\nSMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24svSMA 100 series appliances\n\n| \n\n[SonicWall patches multiple SMA100 affected vulnerabilities](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026> \"SONICWALL PATCHES MULTIPLE SMA100 AFFECTED VULNERABILITIES\" )\n\n| \n\nACSC Alert:\n\n[Remote code execution vulnerability present in SonicWall SMA 100 series appliances](<https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-sonicwall-sma-100-series-appliances>)\n\n_CCCS Alert:_\n\n[SonicWall Security Advisory](<https://www.cyber.gc.ca/en/alerts/sonicwall-security-advisory-4> \"SonicWall security advisory\" ) \n \n[CVE-2021- 44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> \"CVE-2021-44228\" )\n\n| \n\nApache\n\n| \n\nLog4j, all versions from 2.0-beta9 to 2.14.1\n\n[For other affected vendors and products, see CISA's GitHub repository.](<https://github.com/cisagov/log4j-affected-db>)\n\n| \n\n[Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html> \"Apache Log4j Security Vulnerabilities\" )\n\nFor additional information, see joint CSA: [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a> \"Mitigating Log4Shell and Other Log4j-Related Vulnerabilities\" )\n\n| \n\nCISA webpage:\n\n[Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance> \"Apache Log4j Vulnerability Guidance\" )\n\n_CCCS Alert:_\n\n[Active exploitation of Apache Log4j vulnerability - Update 7](<https://www.cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability> \"Alert - Active exploitation of Apache Log4j vulnerability - update 7\" )\n\nACSC Advisory:\n\n[2021-007: Log4j vulnerability \u2013 advice and mitigations](<https://www.cyber.gov.au/about-us/advisories/2021-007-log4j-vulnerability-advice-and-mitigations> \"2021-007: Log4j vulnerability \u2013 advice and mitigations\" )\n\nACSC Publication:\n\n[Log4j: What Boards and Directors Need to Know](<https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/log4j-what-boards-and-directors-need-know> \"Log4j: What Boards and Directors Need to Know\" ) \n \n[CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046> \"CVE-2021-45046\" )\n\n| \n\nApache\n\n| \n\nLog4j 2.15.0Log4j\n\n| \n\n[Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html> \"Apache Log4j Security Vulnerabilities\" )\n\n| \n \n[CVE-2022-42475](<https://nvd.nist.gov/vuln/detail/CVE-2022-42475> \"CVE-2022-42475\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and\n\nFortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier\n\n| \n\n[FortiOS - heap-based buffer overflow in sslvpnd](<https://www.fortiguard.com/psirt/FG-IR-22-398> \"FortiOS - heap-based buffer overflow in sslvpnd\" )\n\n| \n \n[CVE-2022-24682](<https://nvd.nist.gov/vuln/detail/CVE-2022-24682> \"CVE-2022-24682\" )\n\n| \n\nZimbra\n\n| \n\nZimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1) Collaboration Suite\n\n| \n\n[Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30> \"Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release\" )\n\n| \n \n[CVE-2022-22536 ](<https://nvd.nist.gov/vuln/detail/CVE-2022-22536> \"CVE-2022-22536\" )\n\n| \n\nSAP\n\n| \n\nNetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher Internet Communication Manager (ICM)\n\n| \n\n[Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher](<https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/> \"Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher\" )\n\n| \n\nCISA Alert:\n\n[Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)](<https://www.cisa.gov/news-events/alerts/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing> \"Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager \\(ICM\\)\" ) \n \n[CVE-2022-22963](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963> \"CVE-2022-22963\" )\n\n| \n\nVMware Tanzumware Tanzu\n\n| \n\nSpring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions\n\n| \n\n[CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression](<https://spring.io/security/cve-2022-22963> \"CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression\" )\n\n| \n \n[CVE-2022-22954](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954> \"CVE-2022-22954\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0\n\nIdentity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3\n\nvRealize Automation (vIDM), 8.x, 7.6\n\nVMware Cloud Foundation (vIDM), 4.x\n\nvRealize Suite Lifecycle Manager (vIDM), 8.xWorkspace\n\nONE Access and Identity Manager\n\n| \n\n[VMware Advisory VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html> \"VMSA-2022-0011\" )\n\n| \n \n[CVE-2022-22960](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960> \"CVE-2022-22960\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0\n\nIdentity Manager (vIDM) and vRealize Automation3.3.6, 3.3.5, 3.3.4, 3.3.3\n\nvRealize Automation (vIDM), 8.x, 7.6\n\nVMware Cloud Foundation (vIDM), 4.x\n\nVMware Cloud Foundation (vRA), 3.x\n\nvRealize Suite Lifecycle Manager (vIDM), 8.x\n\n| \n\n[VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html> \"VMSA-2022-0011\" )\n\n| \n \n[CVE-2022-29464](<https://nvd.nist.gov/vuln/detail/CVE-2022-29464> \"CVE-2022-29464\" )\n\n| \n\nAtlassianWSO2\n\n| \n\nWSO2 API Manager 2.2.0 and above through 4.0.0\n\nWSO2 Identity Server 5.2.0 and above through 5.11.0 \n\nWSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0\n\nWSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0\n\nWSO2 Enterprise Integrator 6.2.0 and above through 6.6.0\n\n| \n\n[WSO2 Documentation - Spaces](<https://wso2docs.atlassian.net/wiki/spaces> \"Spaces\" )\n\n| \n \n[CVE-2022-27924](<https://nvd.nist.gov/vuln/detail/CVE-2022-27924> \"CVE-2022-27924\" )\n\n| \n\nZimbra\n\n| \n\nZimbra Collaboration Suite, 8.8.15 and 9.0\n\n| \n\n[Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24.1#Security_Fixes> \"Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release\" )\n\n| \n \n[CVE-2022-1388](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388> \"CVE-2022-1388\" )\n\n| \n\nF5 Networks\n\n| \n\nF5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and All 12.1.x and 11.6.x versions\n\n| \n\n[K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388](<https://my.f5.com/manage/s/article/K23605346> \"K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388\" )\n\n| \n\nJoint CSA:\n\n[Threat Actors Exploiting F5 BIG-IP CVE-2022-1388](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138a> \"Threat Actors Exploiting F5 BIG-IP CVE-2022-1388\" ) \n \n[CVE-2022-30190](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190> \"CVE-2022-30190\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| | \n\nCISA Alert:\n\n[Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability](<https://www.cisa.gov/news-events/alerts/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability> \"Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability\" ) \n \n[CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047> \"CVE-2022-22047\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\n[Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability, CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047> \"Windows Client Server Run-time Subsystem \\(CSRSS\\) Elevation of Privilege Vulnerability\" )\n\n| \n \n[CVE-2022-27593](<https://nvd.nist.gov/vuln/detail/CVE-2022-27593> \"CVE-2022-27593\" )\n\n| \n\nQNAP\n\n| \n\nCertain QNAP NAS running Photo Station with internet exposure Ausustor Network Attached Storage\n\n| \n\n[DeadBolt Ransomware](<https://www.qnap.com/en/security-advisory/qsa-22-24> \"DeadBolt Ransomware\" )\n\n| \n \n[CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082> \"CVE-2022-41082\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server 2016 Cumulative Update 23, 2019 Cumulative Update 12, 2019 Cumulative Update 11, 2016 Cumulative Update 22, and 2013 Cumulative Update 23\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nACSC Alert:\n\n[Vulnerability Alert \u2013 2 new Vulnerabilities associated with Microsoft Exchange.](<https://www.cyber.gov.au/about-us/alerts/vulnerability-alert-2-new-vulnerabilities-associated-microsoft-exchange> \"Vulnerability Alert \u2013 2 new Vulnerabilities associated with Microsoft Exchange.\" ) \n \n[CVE-2022-40684](<https://nvd.nist.gov/vuln/detail/CVE-2022-40684> \"CVE-2022-40684\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0\n\n| \n\n[FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface](<https://www.fortiguard.com/psirt/FG-IR-22-377> \"FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface\" )\n\n| \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-03T12:00:00", "type": "ics", "title": "2022 Top Routinely Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2018-13379", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-5902", "CVE-2021-20016", "CVE-2021-20021", "CVE-2021-20038", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40438", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-44228", "CVE-2021-45046", "CVE-2022-1388", "CVE-2022-22047", "CVE-2022-22536", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22963", "CVE-2022-24682", "CVE-2022-26134", "CVE-2022-27593", "CVE-2022-27924", "CVE-2022-29464", "CVE-2022-30190", "CVE-2022-40684", "CVE-2022-41082", "CVE-2022-42475", "CVE-2023-26360"], "modified": "2023-08-03T12:00:00", "id": "AA23-215A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}