CVE-2020-21406

An issue was discovered in RK Smart TV Box MAX and V88 SmartTV box that allows attackers to cause a denial of service via the switchNextDisplayInterface service.

Orca adds detection and response capabilities to its agentless cloud security solution

Orca Security has added cloud detection and response (CDR) capabilities to its cloud security platform, the company announced Tuesday. The new feature expands the platform’s ability to detect, investigate, and respond to in-progress attacks.

“What we’re adding with the CDR capability is the ability to have full visibility for governance of the cloud environment from workload scanning to non-workload related incidents,” says Orca CEO and co-founder Avi Shua. “What we’re seeing more frequently is that many attacks these days don’t involve workloads at all, so putting endpoint protection on them is not going to protect an organization.”

Oracle July 2022 Critical Patch Update Addresses 188 CVEs

Oracle addresses 188 CVEs in its third quarterly update of 2022 with 349 patches, including 66 critical updates.

Background

On July 19, Oracle released its Critical Patch Update (CPU) for July 2022, the third quarterly update of the year. This CPU contains fixes for 188 CVEs in 349 security updates across 32 Oracle product families. Out of the 349 security updates published this quarter, 66 patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 146, followed by medium severity patches at 133.

By CVE count, this quarter’s update addresses 29 critical, 65 high, 90 medium and 4 low severity CVEs.

Severity: issues patched, CVEs
Critical: 66 issues patched, 29 CVEs
High: 146 issues patched, 65 CVEs
Medium: 133 issues patched, 90 CVEs
Low: 4 issues patched, 4 CVEs
Total: 349 issues patched, 188 CVEs

Analysis

This quarter, the Oracle Financial Services Applications product family contained the highest number of patches at 59, accounting for 16.91% of the total patches, followed by Oracle Communications with 56 patches, which accounted for 16.05% of the total patches.

Oracle did not include security patches for five product families:

Oracle Autonomous Health Framework
Oracle Berkeley DB
Oracle Blockchain Platform
Oracle NoSQL Database
Oracle SQL Developer

While these five product families received no Oracle-authored security patches this quarter, the CPU does include fixes for third-party components that they bundle:

Oracle product family, component: CVE
Oracle Autonomous Health Framework, Autonomous Health Framework (NumPy): CVE-2021-41495
Oracle Autonomous Health Framework, Autonomous Health Framework (NumPy): CVE-2021-41496
Oracle Autonomous Health Framework, Autonomous Health Framework (Python): CVE-2021-29396
Oracle Autonomous Health Framework, Autonomous Health Framework (Python): CVE-2021-29921
Oracle Autonomous Health Framework, Trace File Analyzer (jackson-databind): CVE-2020-36518
Oracle Berkeley DB, Data Store (Apache Log4j): CVE-2021-4104
Oracle Berkeley DB, Data Store (Apache Log4j): CVE-2022-23302
Oracle Berkeley DB, Data Store (Apache Log4j): CVE-2022-23305
Oracle Berkeley DB, Data Store (Apache Log4j): CVE-2022-23307
Oracle Blockchain Platform, Blockchain Cloud Service Console (OpenSSH): CVE-2021-41617
Oracle NoSQL Database, Administration (Netty): CVE-2021-43797
Oracle SQL Developer, Oracle SQL Developer (Apache PDFBox): CVE-2021-31811
Oracle SQL Developer, Oracle SQL Developer (Apache PDFBox): CVE-2021-31812

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle product family: number of patches (of which remotely exploitable without authentication)
Oracle Financial Services Applications: 59 (38)
Oracle Communications: 56 (45)
Oracle Fusion Middleware: 38 (32)
Oracle MySQL: 34 (10)
Oracle Supply Chain: 24 (19)
Oracle Communications Applications: 17 (12)
Oracle Retail Applications: 17 (13)
Oracle Commerce: 12 (10)
Oracle PeopleSoft: 11 (9)
Oracle Database Server: 9 (1)
Oracle Construction and Engineering: 7 (4)
Oracle Systems: 7 (2)
Oracle E-Business Suite: 6 (5)
Oracle Enterprise Manager: 6 (6)
Oracle Health Sciences Applications: 6 (3)
Oracle JD Edwards: 6 (3)
Oracle Java SE: 5 (4)
Oracle GoldenGate: 4 (2)
Oracle Big Data Graph: 3 (3)
Oracle Food and Beverage Applications: 3 (3)
Oracle HealthCare Applications: 3 (2)
Oracle Policy Automation: 3 (1)
Oracle REST Data Services: 2 (2)
Oracle Hospitality Applications: 2 (2)
Oracle Virtualization: 2 (0)
Oracle Essbase: 1 (0)
Oracle Global Lifecycle Management: 1 (0)
Oracle Graph Server and Client: 1 (0)
Oracle Spatial Studio: 1 (0)
Oracle TimesTen In-Memory Database: 1 (1)
Oracle Siebel CRM: 1 (0)
Oracle Utilities Applications: 1 (1)

Oracle out-of-band security alert for E-Business Suite

In some instances, Oracle publishes a security alert outside of its normal CPU cycle. Following the April 2022 CPU, Oracle published an alert on May 19 for CVE-2022-21500, a vulnerability in Oracle E-Business Suite version 12.2 that could allow an attacker to self-register a new user account on a publicly accessible E-Business Suite system. Successful exploitation could grant the attacker access to the system and allow them to collect personal information about the employees registered on it, including first and last names, email addresses and potentially more sensitive details.

Organizations that did not apply the May patch for CVE-2022-21500 receive that fix by applying this quarter’s CPU.

Oracle patches Spring4Shell across a number of product families

As part of its July 2022 CPU, Oracle released additional patches for CVE-2022-22965, a remote code execution vulnerability in the Spring Core Framework, referred to as Spring4Shell by the security research community, that was originally disclosed in March. The patches in the July 2022 CPU that address Spring4Shell across a variety of Oracle products are summarized in the table below:

Oracle product: component
Oracle Commerce Platform: Endeca Integration (Spring Framework)
Oracle Communications Unified Inventory Management: TMF APIs (Spring Framework)
Oracle Communications Billing and Revenue Management – Elastic Charging Engine: Charging Server (Spring Framework)
Oracle Communications Cloud Native Core Binding Support Function: BSF (Spring Framework)
Oracle Communications Cloud Native Core Security Edge Protection Proxy: SEPP (Spring Framework)
Oracle Communications Cloud Native Core Service Communication Proxy: SCP (Spring Boot)
Oracle Primavera Gateway: Admin (Spring Framework)
Oracle Enterprise Manager for MySQL Database: EM Plugin: General (Spring Framework)
Oracle WebLogic Server: Third Party Tools, Samples (Spring Framework)
Oracle BI Publisher: Web Service API (Spring Framework)
Oracle Business Intelligence Enterprise Edition: Analytics Server (Spring Framework)
Oracle Data Integrator: Runtime Java agent for ODI (Spring Framework)
Oracle Identity Management Suite: Installer (Spring Framework)
Oracle Identity Manager Connector: General and Misc (Spring Framework)
Oracle Middleware Common Libraries and Tools: Third Party Patch (Spring Framework)
Oracle Retail Bulk Data Integration: BDI Job Scheduler (Spring Framework)
Oracle Retail Customer Management and Segmentation Foundation: Security (Spring Framework)
Oracle Retail Financial Integration: PeopleSoft Integration Bugs (Spring Framework)
Oracle Retail Integration Bus: RIB Kernal (Spring Framework)
Oracle Retail Merchandising System: Foundation (Spring Framework)

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Oracle Critical Patch Update Advisory – July 2022
Oracle July 2022 Critical Patch Update Risk Matrices
Oracle Advisory to CVE Map

Drupal core – Moderately critical – Multiple vulnerabilities – SA-CORE-2022-015

Project: Drupal core
Date: 2022-July-20
Vulnerability: Multiple vulnerabilities
Description:

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.3.
If you are using Drupal 9.3, update to Drupal 9.3.19.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core does not include the Media module and therefore is not affected.

Reported By: 
Heine of the Drupal Security Team
Fixed By: 
Lee Rowlands of the Drupal Security Team
Alex Pott of the Drupal Security Team
Samuel Mortenson
xjm of the Drupal Security Team
Heine of the Drupal Security Team
Joseph Zhao, provisional member of the Drupal Security Team
Vijay Mani, provisional member of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Neil Drumm of the Drupal Security Team
Benji Fisher, provisional member of the Drupal Security Team
Jen Lampton, provisional member of the Drupal Security Team
Dave Long, provisional member of the Drupal Security Team

Drupal core – Critical – Arbitrary PHP code execution – SA-CORE-2022-014

Project: Drupal core
Date: 2022-July-20
Vulnerability: Arbitrary PHP code execution
Description:

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).

However, these two protections previously did not work correctly together. As a result, if the site was configured to allow the upload of files with an htaccess extension, those files’ names were not properly sanitized. This could allow an attacker to bypass the protections provided by Drupal core’s default .htaccess files and possibly achieve remote code execution.

This issue is mitigated by the fact that it requires a field administrator to explicitly configure a file field to allow htaccess as an extension (a restricted permission), or a contributed module or custom code that overrides allowed file uploads.

Solution: 

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.3.
If you are using Drupal 9.3, update to Drupal 9.3.19.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core is not affected.

Auditing your files directory’s .htaccess to ensure it has not been overwritten or overridden in a subdirectory

If your web server uses Apache httpd with AllowOverride, check your files directories and their subdirectories to ensure that any .htaccess files present are intentional. You can search for files named .htaccess by running the following command from the root of each of your public and private files directories:

find ./ -name ".htaccess" -print

Drupal automatically creates .htaccess files like the following in the root of the public files directory:

# Turn off all options we don't need.
Options -Indexes -ExecCGI -Includes -MultiViews

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php7.c>
php_flag engine off
</IfModule>
<IfModule mod_php.c>
php_flag engine off
</IfModule>

Check with your system administrator for the correct .htaccess configuration for the given files directory.
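As an added example (my code, not Drupal's), the following Python script carries out the audit described above and goes a step further than a bare find: it confirms that the root .htaccess still carries the two SetHandler lines Drupal generates, reports any .htaccess found in a subdirectory (Drupal only writes one at the root of each files directory, so anything deeper was put there by something else), and flags directives in any of them that would turn script execution back on. The default directory path and the list of "dangerous" directive patterns are my assumptions; extend the patterns to match your own httpd configuration.

```python
"""Audit the .htaccess files under a Drupal public or private files directory.

Added example, not Drupal's own code. Findings are keyed by kind:
  MISSING     the root .htaccess that Drupal generates is gone
  ALTERED     the root .htaccess no longer contains a required SetHandler line
  UNEXPECTED  an .htaccess exists below the root (Drupal never writes one there)
  DANGEROUS   an .htaccess contains a directive that re-enables execution
"""
import os
import re
from typing import Dict, List

# The two handler lines Drupal's generated root .htaccess must still contain.
REQUIRED_DIRECTIVES = (
    "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006",
    "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003",
)

# Directives that re-enable script execution or change how uploads are served.
# This list is an assumption for the example; extend it for your httpd setup.
# Apache directive names are case-insensitive, hence re.IGNORECASE.
DANGEROUS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^\s*php_(admin_)?flag\s+engine\s+on\b",
    r"^\s*AddHandler\b",
    r"^\s*AddType\s+\S*php",
    r"^\s*SetHandler\s+application/x-httpd-php",
    r"^\s*Options\s.*\+ExecCGI",
    r"^\s*RemoveHandler\b",
)]


def dangerous_lines(text: str) -> List[str]:
    """Return the non-comment lines of an .htaccess body that match a pattern."""
    hits = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):  # '#' is a comment only at line start
            continue
        if any(p.search(line) for p in DANGEROUS_PATTERNS):
            hits.append(line.strip())
    return hits


def _read(path: str) -> str:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def audit_htaccess(files_root: str) -> Dict[str, List[str]]:
    """Walk files_root and return {kind: [detail, ...]}.

    An empty dict means the only .htaccess found is the expected root one and
    it still looks intact."""
    files_root = os.path.normpath(files_root)
    findings: Dict[str, List[str]] = {}

    def note(kind: str, detail: str) -> None:
        findings.setdefault(kind, []).append(detail)

    root_file = os.path.join(files_root, ".htaccess")
    if not os.path.isfile(root_file):
        note("MISSING", root_file)
    else:
        body = _read(root_file)
        for directive in REQUIRED_DIRECTIVES:
            if directive not in body:
                note("ALTERED", f"{root_file} lacks '{directive}'")
        for line in dangerous_lines(body):
            note("DANGEROUS", f"{root_file}: {line}")

    # os.walk does not follow symlinked directories by default; anything
    # reachable only through a symlink is outside this check.
    for dirpath, _dirnames, filenames in os.walk(files_root):
        if dirpath == files_root or ".htaccess" not in filenames:
            continue
        path = os.path.join(dirpath, ".htaccess")
        note("UNEXPECTED", path)
        for line in dangerous_lines(_read(path)):
            note("DANGEROUS", f"{path}: {line}")
    return findings


if __name__ == "__main__":
    import sys

    # Usage: python audit_htaccess.py sites/default/files ../private
    # (the default path below is an assumption; pass your real directories)
    problems = False
    for root in sys.argv[1:] or ["sites/default/files"]:
        for kind, details in sorted(audit_htaccess(root).items()):
            problems = True
            for detail in details:
                print(f"{kind}: {detail}")
    sys.exit(1 if problems else 0)
```

Run it against the root of each files directory (public, private and, if configured, the temporary directory) and treat any output as something to explain, not something to delete blindly: an UNEXPECTED .htaccess may have been placed deliberately by a module, but one that re-enables the PHP engine or adds a handler for an image extension is exactly what this advisory is about.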

This advisory is not covered by Drupal Steward.

Reported By: 
Fixed By: 
Peter Wolanin of the Drupal Security Team
xjm of the Drupal Security Team
Drew Webber of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Jen Lampton, provisional member of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Dave Long, provisional member of the Drupal Security Team

Drupal core – Moderately critical – Access Bypass – SA-CORE-2022-013

Project: Drupal core
Date: 2022-July-20
Vulnerability: Access Bypass
Description:

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.

No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.

This advisory is not covered by Drupal Steward.

Solution: 

Install the latest version:

If you are using Drupal 9.4, update to Drupal 9.4.3.
If you are using Drupal 9.3, update to Drupal 9.3.19.

All versions of Drupal 9 prior to 9.3.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.

Drupal 7 core is not affected.

Reported By: 
Fixed By: 
Pierre Rudloff
Tim Plunkett
Heine of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
xjm of the Drupal Security Team
Lauri Eskola, provisional member of the Drupal Security Team
Dave Long, provisional member of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
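All three advisories above (SA-CORE-2022-013, -014 and -015) carry the same update instruction. As an added example (my code, not the Drupal project's), the following Python reads the installed core version the way Drupal records it, in the const VERSION line of core/lib/Drupal.php, and reports whether that version already contains the 9.4.3 / 9.3.19 fixes, needs the update, or sits on a branch that no longer receives security coverage. The embedded sample of Drupal.php is constructed for the example, and treating a pre-release suffix as older than the final release is my conservative choice.

```python
"""Map an installed Drupal core version to the update the July 2022 core
advisories require. Added example, not Drupal project code."""
import re
from typing import Optional, Tuple

# Fixed versions named in SA-CORE-2022-013/-014/-015, keyed by branch.
FIXED = {(9, 4): (9, 4, 3), (9, 3): (9, 3, 19)}

# Drupal records its version as a class constant in core/lib/Drupal.php.
_VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")
_PARTS_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")

# Constructed sample of the relevant part of core/lib/Drupal.php (not a real file).
SAMPLE_DRUPAL_PHP = """<?php

class Drupal {

  /**
   * The current system version.
   */
  const VERSION = '9.4.2';

}
"""


def version_from_drupal_php(source: str) -> Optional[str]:
    """Pull the VERSION constant out of the text of core/lib/Drupal.php."""
    match = _VERSION_RE.search(source)
    return match.group(1) if match else None


def assess(version: str) -> Tuple[str, str]:
    """Return (status, advice) for a Drupal core version string.

    status: 'patched', 'update', 'eol', 'not_affected' or 'unknown'.
    A pre-release suffix (9.4.3-rc1) counts as older than the final release,
    the conservative reading for a patch-level check."""
    match = _PARTS_RE.match(version.strip())
    if not match:
        return "unknown", f"could not parse version '{version}'"
    major, minor = int(match.group(1)), int(match.group(2))
    patch = int(match.group(3) or 0)
    suffix = match.group(4)
    if major == 7:
        return "not_affected", "Drupal 7 core is not affected by these advisories"
    if major == 8 or (major == 9 and minor < 3):
        return "eol", f"{version} receives no security coverage; move to 9.3.19 or 9.4.3"
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown", f"branch {major}.{minor} is not covered by these advisories"
    current = (major, minor, patch)
    if current > fixed or (current == fixed and not suffix):
        return "patched", f"{version} already contains the fix"
    return "update", f"update {version} to {'.'.join(map(str, fixed))}"


def check_drupal_php(source: str) -> Tuple[str, str]:
    """Assess the version found in the text of a Drupal.php file."""
    version = version_from_drupal_php(source)
    if version is None:
        return "unknown", "no VERSION constant found"
    return assess(version)


if __name__ == "__main__":
    import sys

    # Usage: python check_drupal_version.py /var/www/site/core/lib/Drupal.php
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            status, advice = check_drupal_php(fh.read())
    else:
        status, advice = check_drupal_php(SAMPLE_DRUPAL_PHP)
    print(f"{status}: {advice}")
```

The check is deliberately strict about branches: anything below 9.3 is reported as end-of-life rather than "needs update", because there is no patch to apply there and the only remediation is a branch upgrade.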
