[CERT-daily] Tageszusammenfassung - 31.03.2022

Daily end-of-shift report team at cert.at
Thu Mar 31 18:21:44 CEST 2022 

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 30-03-2022 18:00 − Donnerstag 31-03-2022 18:00
Handler:     Thomas Pribitzer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ Spring patches leaked Spring4Shell zero-day RCE vulnerability ∗∗∗
---------------------------------------------
Spring released emergency updates to fix the Spring4Shell zero-day remote code execution vulnerability, which leaked prematurely online before a patch was released.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spring-patches-leaked-spring4shell-zero-day-rce-vulnerability/


∗∗∗ Java: Exploit für RCE-Lücke in Spring geleakt ∗∗∗
---------------------------------------------
Unter Umständen reicht ein HTTP-Request, um Spring-Anwendungen eine Webshell unterzujubeln. Die Lücke wird wohl bereits ausgenutzt.
---------------------------------------------
https://www.golem.de/news/java-exploit-fuer-rce-luecke-in-spring-geleakt-2203-164292-rss.html


∗∗∗ SpringShell Detector - searches compiled code (JAR/WAR binaries) for potentially vulnerable web apps ∗∗∗
---------------------------------------------
The SpringShell vulnerability may affect some web applications using Spring Framework, but requires a number of conditions to be exploitable. One specific condition which may be rather rare (and therefore render most applications non-exploitable in practice) is the existence of Spring endpoints which bind request parameters to a non-primitive (Java Bean) type. This tool can be used to scan compiled code and verify whether such endpoints exist in the codebase.
---------------------------------------------
https://github.com/jfrog/jfrog-spring-tools


∗∗∗ Simple local Spring vulnerability scanner ∗∗∗
---------------------------------------------
This is a simple tool that can be used to find instances of Spring vulnerable to CVE-2022-22965 ("SpringShell") in installations of Java software such as web applications. JAR and WAR archives are inspected and class files that are known to be vulnerable are flagged.
---------------------------------------------
https://github.com/hillu/local-spring-vuln-scanner


∗∗∗ Spring4Shell: Security Analysis of the latest Java RCE 0-day vulnerabilities in Spring ∗∗∗
---------------------------------------------
Weve been taking a look at the new zero-day exploit, dubbed Spring4Shell, supposedly discovered in Spring Core to determine if its a problem or not, as well as explained another RCE vulnerability found in Spring.
---------------------------------------------
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities


∗∗∗ Calendly actively abused in Microsoft credentials phishing ∗∗∗
---------------------------------------------
Phishing actors are actively abusing Calendly to kick off a clever sequence to trick targets into entering their email account credentials on the phishing page.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/calendly-actively-abused-in-microsoft-credentials-phishing/


∗∗∗ Lazarus Trojanized DeFi app for delivering malware ∗∗∗
---------------------------------------------
We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor.
---------------------------------------------
https://securelist.com/lazarus-trojanized-defi-app/106195/


∗∗∗ Conti-nuation: methods and techniques observed in operations post the leaks ∗∗∗
---------------------------------------------
This post describes the methods and techniques we observed during recent incidents that took place after the Coni data leaks.
---------------------------------------------
https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ QNAP warns severe OpenSSL bug affects most of its NAS devices ∗∗∗
---------------------------------------------
Taiwan-based network-attached storage (NAS) maker QNAP warned on Tuesday that most of its NAS devices are impacted by a high severity OpenSSL bug disclosed two weeks ago.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-warns-severe-openssl-bug-affects-most-of-its-nas-devices/


∗∗∗ “VMware Spring Cloud” Java bug gives instant remote code execution – update now! ∗∗∗
---------------------------------------------
Easy unauthenticated remote code execution - PoC code already out
---------------------------------------------
https://nakedsecurity.sophos.com/2022/03/30/vmware-spring-cloud-java-bug-gives-instant-remote-code-execution-update-now/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libgc and pjproject), Fedora (cobbler, mingw-openjpeg2, and openjpeg2), Mageia (openvpn), openSUSE (abcm2ps, fish3, icingaweb2, kernel-firmware, nextcloud, openSUSE-build-key, python2-numpy, salt, and zlib), Slackware (vim), SUSE (kernel-firmware, opensc, python2-numpy, python3, salt, and zlib), and Ubuntu (dosbox, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.13, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, [...]
---------------------------------------------
https://lwn.net/Articles/889852/


∗∗∗ The Old Switcheroo: Hiding Code on Rockwell Automation PLCs ∗∗∗
---------------------------------------------
CVE-2022-1161 affects numerous versions of Rockwell’s Logix Controllers and has a CVSS score of 10, the highest criticality. CVE-2022-1159 affects several versions of its Studio 5000 Logix Designer application, and has a CVSS score of 7.7, high severity.
---------------------------------------------
https://claroty.com/2022/03/31/blog-research-hiding-code-on-rockwell-automation-plcs/


∗∗∗ WordPress Plugin "Advanced Custom Fields" vulnerable to missing authorization ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN42543427/


∗∗∗ Anti Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-032


∗∗∗ Security Bulletin: IBM Db2 Web Query for i is vulnerable to denial of service in Apache Commons Compress (CVE-2021-36090), arbitrary code execution in Apache Log4j (CVE-2021-44832), and cross-site scripting in TIBCO WebFOCUS (CVE-2021-35493) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-web-query-for-i-is-vulnerable-to-denial-of-service-in-apache-commons-compress-cve-2021-36090-arbitrary-code-execution-in-apache-log4j-cve-2021-44832-and-cross-site-s/


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in NumPy ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-numpy/


∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional-9/


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-xstream-4/


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-10/


∗∗∗ Security Bulletin: IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is vulnerable to HTTP request smuggling due to Netty (CVE-2021-43797) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-omnibus-transport-module-common-integration-library-is-vulnerable-to-http-request-smuggling-due-to-netty-cve-2021-43797/


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in TensorFlow ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-tensorflow-5/


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-go-6/


∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by Wget vulnerability (CVE-2021-31879) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-security-is-affected-by-wget-vulnerability-cve-2021-31879/


∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Spring ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-spring-3/


∗∗∗ Security Bulletin: IBM Security Verify Access is vulnerable to obtaining sensitive information due to improper validation of JWT tokens. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-access-is-vulnerable-to-obtaining-sensitive-information-due-to-improper-validation-of-jwt-tokens/


∗∗∗ CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778 (Severity: HIGH) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0778

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

More information about the Daily mailing list