Post Content
Yearly Archives: 2022
Drupal core – Moderately critical – Third-party libraries – SA-CORE-2022-006
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites.
We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has already published information about the vulnerability, and vulnerabilities might exist with core, contributed modules, or custom modules that use Guzzle for outgoing requests. Guzzle has rated this vulnerability as low-risk.
This advisory is not covered by Drupal Steward.
Install the latest version:
If you are using Drupal 9.3, update to Drupal 9.3.9.
If you are using Drupal 9.2, update to Drupal 9.2.16.
All versions of Drupal 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Drupal 7 is not affected.
Alex Pott of the Drupal Security Team
Lee Rowlands of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Peter Wolanin of the Drupal Security Team
CVE-2021-25019
The SEO Plugin by Squirrly SEO WordPress plugin before 11.1.12 does not escape the type parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
CVE-2021-24905
The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users.
New Mexico Appoints Cybersecurity Advisor
Annie Winterfield Manriquez becomes state’s first senior advisor for Cybersecurity and Critical Infrastructure
FTC Accuses CafePress of Data Breach “Cover-Up”
Commission orders e-commerce platform to compensate small businesses and improve security
Dental Care Data Breach May Impact 1 Million Texans
Social Security numbers at risk in state’s largest reported breach since notification law enacted
Scottish mental health charity “devastated” by heartless RansomEXX ransomware attack
The RansomEXX ransomware gang has seen fit to publish on the dark web 12GB of data stolen from SAMH, including unredacted photographs of individuals’ driving licences, passports, personal information such as volunteers’ home addresses and phone numbers, and – in some cases – even passwords and credit card details.
Read more in my article on the Hot for Security blog.
Open-Xchange Security Advisory 2022-03-21
Posted by Martin Heiland via Fulldisclosure on Mar 21
Dear subscribers,
we’re sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: OXUIB-1092
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable…
Developer Sabotages Open-Source Software Package
This is a big deal:
A developer has been caught adding malicious code to a popular open-source package that wiped files on computers located in Russia and Belarus as part of a protest that has enraged many users and raised concerns about the safety of free and open source software.
The application, node-ipc, adds remote interprocess communication and neural networking capabilities to other open source code libraries. As a dependency, node-ipc is automatically downloaded and incorporated into other libraries, including ones like Vue.js CLI, which has more than 1 million weekly downloads.
[…]
The node-ipc update is just one example of what some researchers are calling protestware. Experts have begun tracking other open source projects that are also releasing updates calling out the brutality of Russia’s war. This spreadsheet lists 21 separate packages that are affected.
One such package is es5-ext, which provides code for the ECMAScript 6 scripting language specification. A new dependency named postinstall.js, which the developer added on March 7, checks to see if the user’s computer has a Russian IP address, in which case the code broadcasts a “call for peace.”
It constantly surprises non-computer people how much critical software is dependent on the whims of random programmers who inconsistently maintain software libraries. Between log4j and this new protestware, it’s becoming a serious vulnerability. The White House tried to start addressing this problem last year, requiring a “software bill of materials” for government software:
…the term “Software Bill of Materials” or “SBOM” means a formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging. An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software. Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
It’s not a solution, but it’s a start.