Preface: The design weakness was disclosed by the apache organization on January 14, 2021. Design limitations on Xmlbeans have been fixed. Developer suggest to use 3.0.1, instead of Xmlbeans 2.6.0.

Background: PS/nVision – a PeopleTools software that you use to design and create Microsoft Excel spreadsheet reports for PeopleSoft data. nVision selects data from your PeopleSoft database using ledgers, trees, and queries. Queries are useful for extracting data from sources other than ledgers.
nVision works in three modes:OpenXML mode, Excel Automation mode and Cross Platform mode.

• nVision uses the OpenXML mode on the batch server that uses Microsoft’s OpenXML SDK to generate Excel-compatible documents.
• nVision continues using the operation mode called Excel automation mode that automates the Excel application to generate spreadsheet documents in PeopleTools PIA architecture
• nVision uses the Cross Platform mode to generate spreadsheet documents in PeopleTools PIA architecture

Vulnerability details: CVE-2021-23926 PeopleSoft Enterprise PeopleTools (nVision (XML Beans)) – The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.

Reference: The XML entity extension injection attack uses valid and well-formed xml blocks to expand exponentially until the resources allocated by the server are exhausted. This is because XML parsers used by XMLBeans did not set the properties needed to protect the user from malicious XML input.

Official announcement: Oracle Critical Patch Update Advisory (October 2021) – https://www.oracle.com/security-alerts/cpuoct2021.html

Preface: Sometimes, a low to medium risk rating vulnerability will be transformed into potential risk.

Background: Aruba’s ClearPass Policy Manager, part of the Aruba 360 Secure Fabric, provides role- and device-based secure network access control for IoT, BYOD & corporate devices.

The ClearPass Policy Manager is the only policy solution that centrally enforces all aspects of enterprise-grade mobility and NAC for any industry. Granular network access enforcement is based on a user’s role, device type and role, authentication method, EMM/MDM attributes, device health, location, and time-of-day.

Vulnerability details: Publication Date: 2021-Oct-12 (see below):

CVE-2021-37736, CVE-2021-37737, CVE-2021-37738,     CVE-2021-37739, CVE-2021-40986, CVE-2021-40987,      CVE-2021-40988, CVE-2021-40989, CVE-2021-40990,      CVE-2021-40991, CVE-2021-40992, CVE-2021-40993,      CVE-2021-40994, CVE-2021-40995, CVE-2021-20996,      CVE-2021-40997, CVE-2021-40998, CVE-2021-40999.

Multiple vulnerabilities have occurred. The focus area of this topic will focus on CVE-2021-40988 (path traversal). From a technical point of view, once this type of vulnerability persists. It will amplify other potential risks. Perhaps our description is one of the possibilities. The goal is to provide you with tips for consideration.

Images are loaded via some HTML, the loadImage URL takes a filename parameter and returns the contents of the specified file. The image files themselves are stored on disk. Thus, attacker allow the application reads from the web page reachable file path. If the web application has path traversal vulnerability encounters, so an attacker can request additional path to retrieve an arbitrary file from the server’s filesystem. See the attached drawings for details.

Official announcement: ClearPass Policy Manager Multiple Vulnerabilities – https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-018.txt

Preface: A Java EE server is a server application that the implements the Java EE platform APIs and provides the standard Java EE services. Java EE servers are sometimes called application servers, because they allow you to serve application data to clients, much like web servers serve web pages to web browsers.

Background: The difference between WildFly and Tomcat:
WildFly is a full Java EE application Server, while Tomcat is a Java servlet container and web server and, since because it doesn’t come with an implementation of the full JEE stack.

Tomcat uses JMX MBeans as the technology for implementing manageability of Tomcat. The descriptions of JMX MBeans for Catalina are in the mbeans-descriptors. xml file in each package. You will need to add MBean descriptions for your custom components in order to avoid a “ManagedBean is not found” exception.

Vulnerability details: The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Remedy: Users of the affected versions should apply one of the following
mitigations:

• Upgrade to Apache Tomcat 10.1.0-M6 or later
• Upgrade to Apache Tomcat 10.0.12 or later
• Upgrade to Apache Tomcat 9.0.54 or later
• Upgrade to Apache Tomcat 8.5.72 or later

Technical reference: When using the WebSocket client to connect to server endpoints, the number of HTTP redirects that the client will follow is controlled by the userProperties of the provided javax.websocket.ClientEndpointConfig. The property is org.apache.tomcat.websocket.MAX_REDIRECTIONS. The default value is 20. Redirection support can be disabled by configuring a value of zero.

Preface: For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.

Background: The assert macro performs a runtime check of the given condition. For example: When a buffer maximum is 8, where the value of i is less that 8 the assert passes. But once i becomes 8 the assert fails causing the program to abort.

Vulnerability details: An expert discovered that even if the screen color is reversed, this vulnerability can be triggered. A memory corruption issue was addressed with improved memory handling.

Impact: An application may be able to execute arbitrary code with kernel privileges.

Official announcement: https://support.apple.com/en-us/HT212846

Preface: Linux mainly uses a paging mechanism to achieve virtual memory management. The size of the memory page is PAGE_SIZE bytes instead of 4 KB. On different platforms, the page size can range from 4 KB to 64 KB.

Background: The Aspeed BMC family which is what is used on OpenPOWER machines and a number of x86 as well is typically connected to the host via an LPC (Low Pin Count) bus (among others).

The check mixes pages (vm_pgoff) with bytes (vm_start, vm_end) on one side of the comparison, and uses resource address (rather than just the resource size) on the other side of the comparison. This can allow malicious userspace to easily bypass the boundary check and map pages that are located outside memory-region reserved by the driver.

Vulnerability details: CVE-2021-42252 – An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel before 5.14.6. Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes.

Reminder: Hardware filter in the southbridge perhaps not easy to detect attacker exploit the vulnerability.

Official announcement:Please refer to the website for details – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b49a0e69a7b1a68c8d3f64097d06dabb770fec96

Remark: Seems no proof of concept disclosed till now. Refer to official details, it is a local attack. But this design flaw cause by memory corruption error trigger privilege escalation. Furthermore it is running on Linux. Therefore exploit the design flaw through 3rd party API then triggers the vulnerability still have possibilities.

Preface: the most famous UTF-8 attack was against unpatched web server.

Background: The most common users of Apache HTTP Server are from Small Businesses and the Information Technology & Services industry. Perhaps

How to Check the Apache Version?

1. Open terminal application on your Linux, Windows/WSL or macOS desktop.
2. Login to remote server using the ssh command.
3. To see Apache version on a Debian/Ubuntu Linux, run: apache2 -v.
4. For CentOS/RHEL/Fedora Linux server, type command: httpd -v.

Vulnerability details: The server didn’t correctly handle contents in the URL. So the contain contained invalid UTF-8 representation of the [/] character. Such an invalid UTF-8 escape is often referred to as an overlong sequence. Therefore it provide an opportunity to the attacker. On 6th Oct,2021, Apache released Apache HTTP 2.4.50 to fix an actively exploited path traversal vulnerability in version 2.4.49 (tracked as CVE-2021-41773). This flaw allows threat actors to view the contents of files stored on a vulnerable server. Please refer to the official website for announcements – https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013