The ARMR Report – Week of May 6, 2019

By Waratek, May 8, 2019 (updated May 9, 2019) | ARMR Reports

AppSec News & ARMR Remediation Updates

The last few weeks have been eventful for enterprise applications. After the discovery of the WebLogic 0day, attackers wasted no time launching malicious campaigns against vulnerable systems. We also saw vulnerabilities emerge in SAP and Cisco network gear, as well as a notable attack on healthcare EMR systems. Here’s a recap of the week’s AppSec news.

AppSec News from the Web

  • Oracle WebLogic deserialization vulnerability continues its descent into mayhem with more ransomware (check out our blog on the topic a little further down) READ MORE >
  • Default configs leave 90% of SAP’s customers vulnerable to the 10KBLAZE remote exploit READ MORE >
  • Open Source shows insecurity when researchers find CSRF and SSRF vulnerabilities tied to a Jenkins plugin (not Jenkins itself, we love that guy) READ MORE >
  • Cisco switching leaves systems vulnerable to r00t access: more on the SSH vulnerability and the emerging backdoor conspiracy theory. READ MORE >

Waratek Blogs & Alerts

FS-ISAC Annual Summit Recap

Our team attended the recent FS-ISAC Summit in hot, beautiful Orlando, which brought together nearly 1,000 executives from the financial industry to discuss security issues. Application security remained a hot topic and saw plenty of discussion time as FinServ continues to balance the need for rapid innovation with strict security requirements and a deluge of emerging regulation and compliance. Our CEO, John Adams, gives his thoughts on the event and a deep dive into vulnerability patching in this week’s blog. READ MORE >

Deserialization in Depth

As seen in the recent WebLogic 0day, Oracle continues to be blighted by deserialization vulnerabilities. Whether you contend that it’s a feature or a bug, I think it’s safe to say that most agree it’s a problem. One of our security researchers took a deep dive into deserialization, what it is and what it isn’t, and we think it’s a timely read. READ MORE >

Customer CVE Alert for Week of May 3, 2019

Below is a list of CVEs that were announced last week and are protected by the Waratek ARMR Platform. This list is not comprehensive of all the CVEs issued and only represents application vulnerabilities. Customers with questions should contact their account manager; if you want more information on any of the CVEs below, please visit the Mitre site here.

Dates are dd/mm.
NVD Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

CVE | CWE | Vuln Type | Publish Date | Update Date | CVSS Score | Remotely Exploitable

CVE-2018-20580 | 20 | Exec Code | 03/05/2019 | 06/05/2019 | 9.3 | Remote
The WSDL import functionality in SmartBear ReadyAPI 2.5.0 and 2.6.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL file.

CVE-2019-0227 | 918 | not listed | 01/05/2019 | 03/05/2019 | 5.4 | Local Network
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution, which was last released in 2006. Security and bug commits continue in the project’s Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not vulnerable to this issue.

CVE-2018-16961 | 22 | Dir. Trav. | 02/05/2019 | 03/05/2019 | 5 | Remote
An issue was discovered in Open XDMoD through 7.5.0. html/gui/general/dl_publication.php allows path traversal via the file parameter, allowing remote attackers to read PDF files in arbitrary directories.

A flaw was discovered in WildFly versions up to 16.0.0.Final that would allow local users who are able to execute the init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/, allowing the init.d script to terminate any process as root.

An issue was discovered in Open XDMoD through 7.5.0. html/gui/general/login.php has reflected XSS via the xd_user_formal_name parameter.

The WallboardServlet resource in Jira before version 7.13.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the cyclePeriod parameter.

The labels gadget in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2, allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the jql parameter.

A DOM-based XSS vulnerability has been identified in the NetStorage component of Open Enterprise Server (OES), allowing a remote attacker to execute JavaScript in the victim’s browser by tricking the victim into clicking on a specially crafted link. This affects OES versions OES2015SP1, OES2018, and OES2018SP1. Older versions may be affected but were not tested as they are out of support.

CVE-2019-3799 | 22 | Dir. Trav. | 06/05/2019 | 06/05/2019 | 4.3 | Remote
Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, versions 1.4.x prior to 1.4.6, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

IBM Planning Analytics 2.0 through 2.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 153177.

IBM Sterling B2B Integrator and Standard Edition is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 159946.

CVE-2018-13983 | not listed | XSS | 06/05/2019 | 06/05/2019 | Not Reported | Not Reported
ImpressCMS 1.3.10 has XSS via the PATH_INFO to htdocs/install/index.php, htdocs/install/page_langselect.php, or htdocs/install/page_modcheck.php.

CVE-2019-3797 | not listed | not listed | 06/05/2019 | 06/05/2019 | Not Reported | Not Reported
This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates “startingWith”, “endingWith” or “containing” could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the bound parameter values did not have reserved characters properly escaped.

CVE-2019-3894 | not listed | not listed | 03/05/2019 | 03/05/2019 | Not Reported | Not Reported
It was discovered that the ElytronManagedThread in WildFly’s Elytron subsystem in versions 11 through 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep-alive time has not expired. This could allow a shared thread to use the wrong security identity when executing.
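The LIKE wildcard problem described for CVE-2019-3797 (the "startingWith", "endingWith" and "containing" predicates), shown as an added, self-contained Python/sqlite3 example that is not Spring Data or Waratek code: the same pattern query with the user value escaped and unescaped. The users table, the escape_like helper and the sample names are constructed for the demonstration; the unescaped path reproduces the widened match the advisory describes, the escaped path is the fix.

```python
import sqlite3

# Constructed sample data standing in for a JPA entity table.
SAMPLE_USERS = ["alice", "alice_admin", "bob", "carol", "a%b"]

# Where the user-supplied value sits inside the LIKE pattern for each
# derived-query predicate named in the advisory.
PREDICATES = {
    "startingWith": ("", "%"),
    "endingWith": ("%", ""),
    "containing": ("%", "%"),
}


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in SAMPLE_USERS])
    return conn


def escape_like(value, esc="\\"):
    """Escape the LIKE metacharacters % and _ (and the escape char itself)
    so the value matches literally; used together with an ESCAPE clause."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def find_by_name(value, predicate="startingWith", escape=True):
    """Emulate a derived query such as findByNameStartingWith(value).

    escape=False reproduces the vulnerable behaviour: the value is still a
    bound parameter (no SQL injection), but wildcards inside it are
    interpreted, so '%' or '_' widens the result set.
    """
    lead, trail = PREDICATES[predicate]
    literal = escape_like(value) if escape else value
    pattern = lead + literal + trail
    sql = "SELECT name FROM users WHERE name LIKE ?"
    if escape:
        sql += " ESCAPE '\\'"  # tell SQL which character escapes % and _
    conn = _connect()
    try:
        return sorted(row[0] for row in conn.execute(sql, (pattern,)))
    finally:
        conn.close()
```

With escaping off, a value of "%" or "_" matches every row; with escaping on, those characters only match themselves.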

Author: Waratek

Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission critical web applications using our next generation technology. Waratek makes it easy for security teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and Zero Day attacks, and virtually upgrade out-of-support Java applications – all without time consuming and expensive source code changes or unacceptable performance overhead.