All posts by admin

Officials stated that CVE-2021-1048 may be subject to limited and targeted use, but did not elaborate. Can we guess what happened? (3rd Nov 2021)

Preface: Android garbage collection is an automatic process which removes unused objects from memory. However, frequent garbage collection consumes a lot of CPU, and it will also pause the app.

Background: The garbage collection of Unix sockets first selects a set of candidate sockets that are referenced only from in-flight messages (total_refs == inflight_refs). This condition is checked and marked once, during the candidate collection phase. Although inflight_refs is protected by unix_gc_lock, total_refs (the file count) is not protected.

Vulnerability details: Google described the one that attackers may be picking apart – CVE-2021-1048 – as caused by a use-after-free (UAF) vulnerability in the kernel.

Additional: CVE-2021-1048 is a use-after-free issue in the kernel that allows local privilege escalation, but it requires the attacker to already have local access. Afterwards, the attacker can install rogue applications or use web applications to deliver malicious code (JavaScript).
As a result, the attacker will escape the sandbox and abuse this kernel vulnerability.

Official announcement: Published November 1, 2021 | Updated November 2, 2021. There are indications that CVE-2021-1048 may be under limited, targeted exploitation. Please refer to the link for details – https://source.android.com/security/bulletin/2021-11-01

CVE-2021-41036 old-wine-in-a-new-bottle, problem resolved. But you should stay alert! (2nd Nov, 2021)

Preface: The open source Paho MQTT project for embedded C lets constrained devices connect to and communicate with an IoT platform.

Background: MQTT is based on the client-server communication model. The MQTT server is called the MQTT Broker, and there are currently many MQTT Brokers in the IIoT world. MQTT client libraries exist for different programming languages and platforms (see below):

Eclipse Paho C and Eclipse Paho Embedded C
Eclipse Paho Java Client
Eclipse Paho MQTT Go client
emqtt : Erlang mqtt client library provided by EMQ
MQTT.js Web & Node.js Platform MQTT Client
Eclipse Paho Python

The Paho MQTT project for embedded C includes three sub-projects:
– MQTTPacket: provides serialization and deserialization of MQTT data packets and some helper functions.
– MQTTClient: the higher-level C++ client library built on top of MQTTPacket.
– MQTTClient-C: the higher-level C client library built on top of MQTTPacket.

Vulnerability details: In versions prior to 1.1 of the Eclipse Paho MQTT C Client, the client does not check rem_len size in readpacket.
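As an added illustration (my own code, not the Paho project's), the fragment below decodes the MQTT fixed-header Remaining Length and then performs the check the advisory says the pre-1.1 client lacked: a rem_len that does not fit the caller's buffer, or that announces more bytes than were received, is refused before anything is copied. The function names and the constructed packets in the comments are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode the MQTT "Remaining Length" field: 1..4 bytes, 7 data bits each,
 * MSB set means "another byte follows". Returns bytes consumed, or -1 if
 * the encoding is truncated or longer than the 4 bytes the spec allows. */
int mqtt_decode_remaining_length(const uint8_t *buf, size_t avail, uint32_t *out)
{
    uint32_t value = 0, multiplier = 1;
    size_t i = 0;
    do {
        if (i >= avail || i >= 4)
            return -1;
        value += (uint32_t)(buf[i] & 0x7F) * multiplier;
        multiplier *= 128;
    } while (buf[i++] & 0x80);
    *out = value;
    return (int)i;
}

/* Hardened analogue of the client's readpacket step (hypothetical name).
 * wire/wire_len: bytes received; dst/dst_len: the caller's payload buffer.
 * Returns the number of header bytes consumed (>= 2) and sets *payload_len,
 * or a negative code: -1 malformed header, -2 rem_len exceeds dst_len
 * (the missing bounds check), -3 payload shorter than announced. */
int mqtt_read_packet(const uint8_t *wire, size_t wire_len,
                     uint8_t *dst, size_t dst_len, size_t *payload_len)
{
    uint32_t rem_len;
    int len_bytes;

    if (wire_len < 2)
        return -1;
    len_bytes = mqtt_decode_remaining_length(wire + 1, wire_len - 1, &rem_len);
    if (len_bytes < 0)
        return -1;
    if (rem_len > dst_len)                       /* would overflow dst */
        return -2;
    if (rem_len > wire_len - 1 - (size_t)len_bytes)
        return -3;                                /* fewer bytes than announced */
    memcpy(dst, wire + 1 + len_bytes, rem_len);   /* safe: both bounds verified */
    *payload_len = rem_len;
    return 1 + len_bytes;
}
```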

Ref: The design weakness of the Eclipse Paho MQTT C Client was found on 21st June 2017. Version 1.1 provided the remedy, and the developer confirmed the fix on 14th July, 2017. However, the versions prior to 1.1 were later identified as vulnerable by a researcher and assigned CVE-2021-41036 on 2nd Nov, 2021.

Question: Do you think the vulnerable version of MQTTClient-C has a chance of attacking the MQTT Broker?

Official announcement: https://github.com/eclipse/paho.mqtt.embedded-c/issues/96

Vulnerabilities review – Chrome CVE-2021-38000 & CVE-2021-38003 (31-10-2021)

Preface: Mojo is a collection of runtime libraries providing a platform-agnostic abstraction of common IPC primitives, a message IDL format, and a bindings library with code generation for multiple target languages, to facilitate convenient message passing across arbitrary inter- and intra-process boundaries.

Background: Chrome limits most of the attack surface of the web (e.g., DOM rendering, script execution, media decoding, etc.) to sandboxed processes.

Vulnerability details: Multiple vulnerabilities have been discovered in Google Chrome. Remote attackers can use these vulnerabilities to trigger remote execution of arbitrary code on the target system.

Possibilities: Refer to the attached diagram (point 4). The interface defines one method, FilterInstalledApps. In the generated C++ interface, this method takes an extra argument, which is a callback to invoke with the result. In JavaScript, the function instead returns a Promise.
Remark: The Promise object represents the eventual completion (or failure) of an asynchronous operation and its resulting value.

If a program does not clear a pointer after freeing the memory it points to, the dangling pointer can still be dereferenced later, and an attacker can use that error (a use-after-free) to hack the program.

Solution: Install the patch provided by the software vendor – https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html

CVE-2021-3903 vim is vulnerable to Heap-based Buffer Overflow, Apple may also have encountered this design weakness (27th Oct, 2021)

Preface: Generally speaking, a heap buffer overflow differs from a stack overflow: there is no saved return address on the heap that can change the program flow, so at most, data is overwritten. It seems there is little risk, but in fact that is not the case.

Background: Vim comes standard with most modern Linux distributions, but some minimal installations do not include the vim editor by default. Vim is a vi-like editor but is more advanced and powerful than the original Vi.

Vulnerability details: Certain versions of vim are vulnerable to a heap-based buffer overflow. The design weakness was found in the source file move.c: invalid memory access when scrolling without a valid screen.

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Buffer overflows generally lead to crashes.

Remedy: Do not set VALID_BOTLINE in w_valid.

Affected Vendor/Software: vim/vim version < 8.2.3564

Reference: In C++, new/delete should be preferred over malloc()/free() where possible. (In C, new/delete is not available, so the choice would be obvious there.)
The main difference between both these languages is C is a procedural programming language and does not support classes and objects, while C++ is a combination of both procedural and object-oriented programming languages.
Usually a C compiler does not add bounds checks for memory accesses. Sometimes, due to a coding error, there is a read or write outside the buffer; such an error is usually hard to detect.

CVE-2021-41172 Maybe there was an impact, or nothing happened (26th Oct, 2021)

Preface: We install and configure a caching plugin which will speed up the delivery of page assets to your visitors, since this content will have been generated beforehand. The result is a faster-loading page and reduced wait times for all operations.

Background: A caching plug-in will speed up the web application response. For websites with very high traffic (load balancing), we install and configure object caching plugins, such as Redis or Memcache.

Vulnerability details: Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. AS_Redis is an AntSword plugin for Redis. The Redis Manage plugin for AntSword prior to version 0.5 is vulnerable to Self-XSS due to insufficient input validation and sanitization of the redis server configuration. Self-XSS in the plugin configuration leads to code execution. This issue is patched in version 0.5.

How does Self-XSS work? Self-XSS operates by tricking users into copying and pasting malicious content into their browsers’ web developer console. Usually, the attacker posts a message that says by copying and running certain code, the user will be able to hack another user’s account.

Question: With reference to the attached picture, do you think it is really a Self-XSS vulnerability?

Official CVE announcement – https://nvd.nist.gov/vuln/detail/CVE-2021-41172

CVE-2021-41035 : Which products will be affected? (25th Oct, 2021)

Preface: The Eclipse OpenJ9 virtual machine (VM) implements the Java Virtual Machine Specification. Most Java applications should run on an OpenJDK that contains the OpenJ9 VM without changing anything. However, because it is an independent implementation there are some differences compared to the HotSpot VM, which is the default OpenJDK VM and is also included in an Oracle JDK.

Background: OpenJ9 is a high performance, scalable, Java™ virtual machine (VM) implementation that is fully compliant with the Java Virtual Machine Specification.

Building OpenJDK with OpenJ9

$ git clone https://github.com/ibmruntimes/openj9-openjdk-jdk9
$ cd openj9-openjdk-jdk9
$ bash ./get_source.sh
$ bash ./configure --with-freemarker-jar=freemarker.jar
$ make images
$ cd build/linux-x86_64-normal-server-release/images/
$ ./jdk/bin/java -version

The VM has connections into the rest of the JDK, so building OpenJDK with OpenJ9 requires patches to the:

  • Build process
  • Class libraries

Vulnerability details: In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods.

Risk rating: NVD score not yet provided.

Official announcement – https://bugs.eclipse.org/bugs/show_bug.cgi?id=576395

CISA urges developers to update to patched version 2.7.9 (Discourse package) or later (24th Oct, 2021)

Preface: If you have already integrated the Discourse API with the AWS API, you should be vigilant about this.

Background: Amazon Simple Notification Service (Amazon SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers). Publishers communicate asynchronously with subscribers by sending messages to a topic, which is a logical access point and communication channel. Clients can subscribe to the SNS topic and receive published messages using a supported endpoint type, such as Amazon Kinesis Data Firehose, Amazon SQS, AWS Lambda, HTTP, email, mobile push notifications, and mobile text messages (SMS).

Discourse is the open source discussion platform built for Internet usage. Use it as a mailing list, discussion forum, long-form chat room, and more! Discourse supports the latest, stable releases of all major browsers and platforms: Microsoft Edge, Google Chrome, Mozilla Firefox & Apple Safari.

Vulnerability details: In affected versions, maliciously crafted requests could lead to remote code execution. This resulted from a lack of validation of subscribe_url values. What the exact consequence is remains unknown at the moment, but the risk level of this vulnerability will depend on the adjacent component. For example, AWS Lambda is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. So if there is a design limitation on Lambda, the power of this remote code execution will be boosted. See whether the information displayed in the attached diagram awakens your thinking about this vulnerability.

Workaround: To work around the issue without updating, requests with a path starting with [/]webhooks[/]aws could be blocked at an upstream proxy.

Official announcement: The vendor has released a security advisory to address a critical remote code execution (RCE) vulnerability (CVE-2021-41163) in Discourse versions 2.7.8 and earlier – https://github.com/discourse/discourse/security/advisories/GHSA-jcjx-pvpc-qgwq

CISA urges everyone to be vigilant! About the GPS Daemon (GPSD) Rollover Bug (21st Oct, 2021)

Preface: If you use security tokens (fobs or software) and there is a problem with the NTP time source, the effect is unforeseen. Maybe nothing goes wrong. In the worst case, it is similar to mistakenly resetting the NTP server's time setting, after which all your tokens would have to be suspended.

Background: In the original GPS protocol, only 10 bits were used to represent the week number. A 10-bit counter overflows after counting to 1023, so it can only represent about 19.6 years. Since the GPS time epoch began in the early 1980s, there have been two rollover events (in 1999 and 2019, respectively). In April 2019, headline news (The Register) announced this vulnerability to the public, indicating that if you do not or cannot update, there will be a problem. Over time, the deadline has arrived.

Vulnerability details: Due to the design of the GPS protocol, time rollback (technically termed "GPS Week Rollover") can be anticipated and is usually closely monitored by manufacturers. The next occurrence should have been in November 2038, but a bug in some sanity-checking code within GPSD would cause it to subtract 1024 from the week number on October 24, 2021. This would mean NTP servers using the bugged GPSD version would show a time/date of March 2002 after October 24, 2021.
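To make the week arithmetic in the two paragraphs above concrete, here is an added example (my own code, not GPSD's) that maps a 10-bit GPS week plus a rollover count to a calendar date, and shows what subtracting 1024 weeks does on 24 October 2021. It assumes the GPS epoch of 6 January 1980 (Unix day 3657) and uses the standard days-to-civil-date algorithm; the function names are mine.

```c
#include <stdio.h>

#define GPS_EPOCH_UNIX_DAYS 3657L   /* 1980-01-06 counted from 1970-01-01 */
#define GPS_WEEK_ROLLOVER   1024L   /* a 10-bit week counter wraps here */

struct civil { int year; unsigned month, day; };

/* Days since 1970-01-01 -> proleptic Gregorian date (Hinnant's algorithm). */
struct civil civil_from_days(long z)
{
    struct civil c;
    z += 719468;
    long era = (z >= 0 ? z : z - 146096) / 146097;
    unsigned doe = (unsigned)(z - era * 146097);
    unsigned yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    unsigned doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    unsigned mp = (5 * doy + 2) / 153;
    c.day = doy - (153 * mp + 2) / 5 + 1;
    c.month = mp < 10 ? mp + 3 : mp - 9;
    c.year = (int)(yoe + era * 400) + (c.month <= 2);
    return c;
}

/* Full GPS week (rollovers already applied) + day-of-week -> Unix day. */
long gps_week_to_unix_days(long full_week, int day_of_week)
{
    return GPS_EPOCH_UNIX_DAYS + full_week * 7 + day_of_week;
}

/* Rebuild the full week from the 10-bit value a receiver reports, given
 * how many rollovers the software believes have happened so far. */
long gps_full_week(unsigned week10, int rollovers)
{
    return (long)week10 + GPS_WEEK_ROLLOVER * rollovers;
}

int main(void)
{
    /* 2021-10-24 is GPS week 2181: 10-bit value 133 after two rollovers. */
    struct civil ok  = civil_from_days(gps_week_to_unix_days(gps_full_week(133, 2), 0));
    /* The faulty path: one rollover too few, i.e. 1024 subtracted from the week. */
    struct civil bad = civil_from_days(gps_week_to_unix_days(gps_full_week(133, 1), 0));
    printf("correct: %d-%02u-%02u\n", ok.year, ok.month, ok.day);    /* 2021-10-24 */
    printf("bugged : %d-%02u-%02u\n", bad.year, bad.month, bad.day); /* 2002-03-10 */
    return 0;
}
```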

Official details for reference: https://isc.sans.edu/forums/diary/Keeping+Track+of+Time+Network+Time+Protocol+and+a+GPSD+Bug/27886/

CVE-2021-41135 Cosmos-SDK up to 0.44.1 x/authz Module ValidateBasic unusual condition (21st Oct, 2021)

Preface: To date, more than 240 applications have been built on the Cosmos mainnet. The main categories of applications include finance, infrastructure, privacy, and social interactions.

Background: The Cosmos SDK is a framework for building blockchain applications. Tendermint Core (BFT Consensus) and the Cosmos SDK are written in the Golang programming language. Cosmos SDK is used to build Gaia, the first implementation of the Cosmos Hub.

Vulnerability details: Affected versions of the SDK (up to 0.44.1) were vulnerable to a consensus halt due to non-deterministic behaviour in a ValidateBasic method in the x/authz module. The MsgGrant of the x/authz module contains a Grant field which includes a user-defined expiration time for when the authorization grant expires. In Grant.ValidateBasic(), that time is compared to the node’s local clock time. Any chain running an affected version of the SDK with the authz module enabled could be halted by anyone with the ability to send transactions on that chain. Recovery would require applying the patch and rolling back the latest block. Users are advised to update to version 0.44.2.

Remedy: Upgrading to version 0.44.2 eliminates this vulnerability. Applying the patch 68ab790a761e80d3674f821794cf18ccbfed45ee also eliminates this problem; the bugfix is available for download at github.com. The best mitigation is to upgrade to the latest version.

Security focus: Oracle Critical Patch Update Advisory (October 2021)

Preface: The design weakness was disclosed by the Apache organization on January 14, 2021. Design limitations in XMLBeans have been fixed; the developers suggest using 3.0.1 instead of XMLBeans 2.6.0.

Background: PS/nVision is a PeopleTools software that you use to design and create Microsoft Excel spreadsheet reports for PeopleSoft data. nVision selects data from your PeopleSoft database using ledgers, trees, and queries. Queries are useful for extracting data from sources other than ledgers.
nVision works in three modes: OpenXML mode, Excel Automation mode and Cross Platform mode.

  • nVision uses the OpenXML mode on the batch server, which uses Microsoft's OpenXML SDK to generate Excel-compatible documents.
  • nVision continues to use the operation mode called Excel Automation mode, which automates the Excel application to generate spreadsheet documents in the PeopleTools PIA architecture.
  • nVision uses the Cross Platform mode to generate spreadsheet documents in the PeopleTools PIA architecture.

Vulnerability details: CVE-2021-23926 PeopleSoft Enterprise PeopleTools (nVision (XML Beans)) – The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.

Reference: An XML entity expansion attack uses valid and well-formed XML blocks that expand exponentially until the resources allocated by the server are exhausted. This was possible because the XML parsers used by XMLBeans did not set the properties needed to protect the user from malicious XML input.

Official announcement: Oracle Critical Patch Update Advisory (October 2021) – https://www.oracle.com/security-alerts/cpuoct2021.html