AppSec News & ARMR Remediation Updates
The last few weeks have been exciting for enterprise applications. After the discovery of the WebLogic 0Day, hackers didn’t waste any time launching malicious attacks on these vulnerable systems. We also saw vulnerabilities emerge in SAP, Cisco routers, as well as a notable attack on healthcare EMR systems. Here’s a recap of the week’s AppSec news.
AppSec News from the Web
- Oracle WebLogic deserialization vulnerability continues its descent into mayhem with more ransomware (check out our blog on the topic a little further down) READ MORE >
- Default configs leave 90% of SAP’s customers vulnerable to 10KBLAZE remote exploit READ MORE >
- Open Source shows insecurity when researchers find CSRF and SSRF vulnerabilities tied to Jenkins plugin (not Jenkins, we love that guy) READ MORE >
- Cisco switches leave systems vulnerable to r00t access; more on the SSH vulnerability and the emerging backdoor conspiracy theory. READ MORE >
Waratek Blogs & Alerts
FS-ISAC Annual Summit Recap
Our team attended the recent FS-ISAC Summit in hot, beautiful Orlando, which brought together nearly 1,000 executives from the financial industry to discuss issues related to security. Application security remained a hot topic and saw plenty of discussion time as FinServ continues to balance the need for rapid innovation with the strict requirements around security and a deluge of emerging regulation and compliance. Our CEO, John Adams, gives his thoughts on the event and a deep dive into vulnerability patching in this week’s blog. READ MORE >
Deserialization in Depth
As seen in the recent WebLogic 0day, Oracle continues to be blighted by deserialization vulnerabilities. Whether you contend that it’s a feature or a bug, I think it’s safe to say that most agree it’s a problem. One of our security researchers took a deep dive into deserialization, what it is and what it isn’t, and we think it’s a timely read. READ MORE >
Customer CVE Alert for Week of May 3, 2019
Below is a list of CVEs that were announced last week which are protected by the Waratek ARMR Platform. This list does not cover all of the CVEs issued and represents only application vulnerabilities. For customers that have questions, please contact your account manager or firstname.lastname@example.org. If you want more information on any of the CVEs below, please visit the Mitre site here.
Dates are dd/mm/yyyy.
NVD Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
|CVE|CWE|Vuln Type|Publish Date|Update Date|CVSS Score|Remotely Exploitable|
|The WSDL import functionality in SmartBear ReadyAPI 2.5.0 and 2.6.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.|
|A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not vulnerable to this issue.|
|An issue was discovered in Open XDMoD through 7.5.0. html/gui/general/dl_publication.php allows path traversal via the file parameter, allowing remote attackers to read PDF files in arbitrary directories.|
|A flaw was discovered in WildFly versions up to 16.0.0.Final that would allow local users who are able to execute the init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/, allowing the init.d script to terminate any process as root.|
|An issue was discovered in Open XDMoD through 7.5.0. html/gui/general/login.php has reflected XSS via the xd_user_formal_name parameter.|
|Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.|
|CVE-2018-13983| |XSS|06/05/2019|06/05/2019|Not Reported|Not Reported|
|ImpressCMS 1.3.10 has XSS via the PATH_INFO to htdocs/install/index.php, htdocs/install/page_langselect.php, or htdocs/install/page_modcheck.php.|
|CVE-2019-3797| | |06/05/2019|06/05/2019|Not Reported|Not Reported|
|This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates "startingWith", "endingWith" or "containing" could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have reserved characters escaped properly.|
|CVE-2019-3894| | |03/05/2019|03/05/2019|Not Reported|Not Reported|
|It was discovered that the ElytronManagedThread in WildFly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep-alive time has not expired. This could allow a shared thread to use the wrong security identity when executing.|
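Two of the entries above (the Open XDMoD dl_publication.php file parameter and the Spring Cloud Config crafted URL) are the same class of bug: a user-supplied path is joined onto a base directory without confirming that the result still lies inside it. The script below is an added example written for this newsletter, not code from Waratek or from either project; the directory names, file contents and `resolve_within` helper are constructed for illustration. It compares the resolved candidate path to the resolved base component by component, which also rejects a sibling directory whose name merely starts with the base name (a string-prefix check would not).

```python
import tempfile
from pathlib import Path


def resolve_within(base_dir, requested):
    """Map a user-supplied relative path onto base_dir, or return None if the
    resolved target would fall outside base_dir.

    The containment test uses Path.relative_to on fully resolved paths, so
    '..' segments, symlinks and look-alike sibling directories are all handled
    by the filesystem's own view of the tree rather than by string matching."""
    base = Path(base_dir).resolve()
    req = Path(requested)
    if req.is_absolute():
        # Joining an absolute path onto base would silently discard base.
        return None
    candidate = (base / req).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def demo():
    """Build a throwaway tree (constructed sample data, not the page's) and
    exercise the check with the kinds of input the advisories describe.
    Returns a dict of check name -> whether the check behaved as intended."""
    root = Path(tempfile.mkdtemp())
    served = root / "pdfs"
    served.mkdir()
    (served / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (root / "outside.txt").write_text("not meant to be served")
    (root / "pdfs_other").mkdir()

    return {
        # legitimate request inside the served directory
        "plain": resolve_within(served, "report.pdf") == served.resolve() / "report.pdf",
        # classic dot-dot traversal
        "dotdot": resolve_within(served, "../outside.txt") is None,
        # traversal through a directory that does not exist
        "nested": resolve_within(served, "sub/../../outside.txt") is None,
        # absolute path supplied instead of a relative one
        "absolute": resolve_within(served, str(root / "outside.txt")) is None,
        # sibling directory sharing the served directory's name as a prefix
        "sibling": resolve_within(served, "../pdfs_other") is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

In a real handler the value returned by `resolve_within` is the only path ever opened; when it returns None the request is refused and logged, since a traversal attempt in a download or config-server endpoint is worth alerting on.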
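The Spring Data JPA entry (CVE-2019-3797) describes derived queries whose "containing", "startingWith" and "endingWith" predicates let `%` and `_` in a parameter value act as LIKE wildcards, so a search returns more rows than the caller expected. The following script is an added example, not Waratek's or Spring's code, and uses SQLite rather than JPA to show the mechanism: the users table, the sample names and the `escape_like` helper are constructed for the example. Binding the value as a parameter already prevents SQL injection; what the corrected form adds is escaping of the LIKE metacharacters plus a matching ESCAPE clause.

```python
import sqlite3

# Constructed sample rows (not from the page). "carol_admin" and "eve%" contain
# characters that LIKE treats as wildcards when they reach the pattern unescaped.
SAMPLE_USERS = ["alice", "bob", "carol_admin", "dave", "eve%"]


def escape_like(value, escape="\\"):
    """Escape the LIKE metacharacters so a bound value matches literally.
    The escape character itself is doubled first, then % and _ are prefixed.
    The statement that uses the result must declare the same ESCAPE character."""
    return (value.replace(escape, escape + escape)
                 .replace("%", escape + "%")
                 .replace("_", escape + "_"))


def _fresh_db():
    """In-memory table seeded with the constructed sample names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [(u,) for u in SAMPLE_USERS])
    return conn


def find_containing_unescaped(fragment):
    """Weak form: a 'containing' search that wraps the raw value in %...%.
    Parameter binding stops SQL injection but not wildcard injection."""
    conn = _fresh_db()
    rows = conn.execute("SELECT name FROM users WHERE name LIKE ?",
                        ("%" + fragment + "%",)).fetchall()
    return [r[0] for r in rows]


def find_containing_escaped(fragment):
    """Corrected form: metacharacters in the value are escaped and the statement
    declares the escape character, so the value is matched literally."""
    conn = _fresh_db()
    rows = conn.execute("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
                        ("%" + escape_like(fragment) + "%",)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for probe in ["_", "%", "eve%", "admin"]:
        print(f"{probe!r}: unescaped -> {find_containing_unescaped(probe)}")
        print(f"{probe!r}: escaped   -> {find_containing_escaped(probe)}")
```

A single `_` or `%` sent to the unescaped search matches every row, which is exactly the "more results than anticipated" the advisory describes; the escaped search returns only names that literally contain the character. The same escaping applies to hand-written JPQL or SQL LIKE expressions, which the advisory calls out separately.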