A business logic vulnerability exists in Mi App Store. The vulnerability is caused by incomplete permission checks of the products being bypassed, and an attacker can exploit the vulnerability to perform a local silent installation.
podman-3.4.7-1.fc34
Security fixes for CVE-2022-1227, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649
Hot Patches for Log4Shell Introduced Multiple Vulnerabilities in Amazon Web Services
Amazon Web Services has addressed vulnerabilities introduced by the hot patches released in response to the Log4Shell vulnerability in December.
On April 19, researchers with Palo Alto’s Unit 42 disclosed four vulnerabilities introduced by the hot patches for Amazon Web Services (AWS) in response to CVE-2021-44228, also known as Log4Shell. While there are four CVEs, CVE-2022-0070 and CVE-2022-0071 were assigned to address incomplete patches for CVE-2021-3100 and CVE-2021-3101 respectively, which were initially disclosed in December 2021.
CVE
Description
CVSSv3
CVE-2021-3100
Apache Log4j Hot Patch Service Execution with Unnecessary Privileges Vulnerability
8.8
CVE-2021-3101
Hotdog Hot Patch Solution Execution with Unnecessary Privileges Vulnerability
8.8
CVE-2022-0070
Apache Log4j Hotpatch Service Execution with Unnecessary Privileges Vulnerability
8.8
CVE-2022-0071
Hotdog Hot Patch Solution Execution with Unnecessary Privileges Vulnerability (Incomplete Fix)
8.8
On December 12, in response to the Log4Shell vulnerability, AWS released open source hot patches — short term solutions to be implemented at scale until a more robust fixed version can be deployed — for several environments. These hot patches detect vulnerable Java applications and patch them “on the fly.”
According to the researchers at Unit 42, the hot patch solutions developed to address Log4Shell for standalone servers, Kubernetes clusters, Elastic Container Service (ECS) clusters and Fargate contained “severe security issues.” These hot patches, though from AWS, can be applied to other cloud and on-prem environments.
These issues can be exploited by “every container in [the hot patched] environment” to achieve container escape and host takeover. The vulnerabilities also allow unprivileged processes to escalate privileges and gain code execution with root privileges. The vulnerabilities are not configuration-dependent, they can be exploited in most AWS environments.
The following is a summary of the solutions for the hot patches:
Solution
Fixed Version
Release
Amazon Linux (AMI)
1.1-16
log4j-cve-2021-44228-hotpatch
Kubernetes
1.1-16
kubernetes-log4j-cve-2021-44228-node-agent Daemonset
Bottlerocket
1.02
hotdog-v1.0.2
A list of Tenable plugins to identify these vulnerabilities can be found here.
Tenable.cs users can detect vulnerable Kubernetes deployments via the kubernetes-log4j-cve-2021-44228-node-agent hot patch daemonset using open policy agent rego. The rego checks the image version, if it is “v0.0.12-debian” then it finds the corresponding configmap to check the actual package version that the daemonset job will install in the cluster. If Tenable.cs does not detect the fixed version (1.1-16), the product will display an alert.
AWS Security Page for CVE-2021-3100, CVE-2021-3101, CVE-2022-0070 and CVE-2022-0071
Palo Alto’s Unit 42 Blog Post
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
American natural foods company notifies online customers of data scraping attack
Bureau asks for IP logs and benign samples of encrypted files to aid ransomware investigation
Container and cloud security provider Sysdig has launched Risk Spotlight, a vulnerability prioritization tool based on runtime intelligence, designed to enable security teams to prioritize remediation — particularly regarding vulnerabiities related to container technology — without affecting development speed.
While working with open-source packages, developers often bring associated vulnerabilities into their software environment that may not warrant immediate attention if they do not affect production applications. When all these vulnerabilities get flagged by security systems, it leads to increased alert noise that gets difficult for the developers to handle.
UN North Korea expert says cybercrime pays for country’s banned missile and nuclear programs
ruby-3.0.4-152.fc34
Rebuilt.
In a move demonstrative of international cooperation and partnership, the Five Eyes (United States, Australia, Canada, New Zealand, and United Kingdom) issued an alert giving a “comprehensive overview of Russian state-sponsored and cybercriminal threats to critical infrastructure.” The alert also includes remediation guidance, which CISOs will find of particular import.
Alert AA22-110A – Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure, provides details on the cyber operations attributable to Russian state actors, including the Russian Federal Security Service (FSB), Russian Foreign Intelligence Service (SVR), Russian General Staff Main Intelligence Directorate (GRU), and Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM). It also identifies cybercriminal organizations, including some which have expressed fealty to the Russian Federation, that have pledged to conduct cyber operations against entities that are providing support to Ukraine. Thus, your company’s position on Russia’s invasion of Ukraine very well may place your company in the target sights of Russian state actors or their cybercriminal cronies.
podman-3.4.7-1.fc35
Security fixes for CVE-2022-1227, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649
