Preface: Speculate that this CVE is custom for Ampere Computing. Ampere Computing is an ARM architecture licensee and develops its own server microprocessors.
Background: Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.
Vulnerability details: CVE-2023-3006 – A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim s hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.
Preface: About 20 years ago, people know java is unsafe. Perhaps of technology trend, so whatever the design appyling java language. The flexibility and easy to use will let people contempt about awareness of cyber security. While Java is considered relatively safe because it is a server side language, there are still multiple ways to attack and access secure code you’d like to remain private.
Background: The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE platform. Mustache is a logicless template engine and it is helpful for creating dynamic content like HTML and configuration files. If your models are type based and not just Map then JStachio is good choice.
Ref:End-users only use JVM and JRE to execute the application program. JRE identifies all the helpful class libraries needed for execution, while JVM is a subclass of JRE that decodes the bytecode into machine language and other minor tasks. Each JVM server can have a maximum of 256 threads to run Java applications.
Solution: Version 1.0.1 contains a patch for this issue.
Workaround: To mitigate this vulnerability, the template engine should properly escape special characters, including single quotes. Common practice is to escape ' as '. As a workaround, users can avoid this issue by using only double quotes " for HTML attributes.
Preface: Foreseeing the continuous development of artificial intelligence, use blockchain technology for network communication is a must. A blockchain is a distributed database or ledger shared among nodes in a computer network. They are known for their key role in maintaining a secure and decentralized record of transactions in cryptocurrency systems, but they are not limited to the use of cryptocurrencies.
Background: IDEN3 is NOT an ICO (Initial Coin Offerings). It has no token at all. It is an open source permissionless identity layer built on top of Ethereum that we expect many projects will be able to use as a foundational layer for their own identity solution. What are Initial Coin Offerings? ICOs are another form of cryptocurrency that businesses use in order to raise capital. Through ICO trading platforms, investors receive unique cryptocurrency “tokens” in exchange for their monetary investment in the business.
Ref: Circom is a compiler written in Rust for compiling circuits written in the circom language. The compiler outputs the representation of the circuit as constraints and everything needed to compute different ZK proofs.
Vulnerability details: iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.
Preface: Preface: Advantages of NVDIMMs in servers. NVDIMMs provide high-speed DRAM performance coupled with flash-backed persistent storage. Aside from providing an additional memory tier in servers, NVDIMM persistence allows applications to continue processing I/O traffic during planned or unexpected system failures.
Background: Persistent Memory (PM) is a type of Non-Volatile Memory (NVM). The ndctl utility is used to manage the libnvdimm (non-volatile memory device) sub-system in the Linux Kernel. It is required for several Persistent Memory Developer Kit (PMDK) features if compiling from source. If ndctl is not available, the PMDK may not build all components and features. Utility library for managing the libnvdimm (non-volatile memory device) sub-system in the Linux kernel If you going to Writing Applications for Persistent Memory. Below details is the Programming Model Modes:
Block and File modes use IO
Data is read or written using RAM buffers
Software controls how to wait (context switch or poll)
Status is explicitly checked by software
Volume and PM modes enable Load/Store
Data is loaded into or stored from processor registers
Processor makes software wait for data during instruction
No status checking – errors generate exceptions
Recommendation: Suggest upgrade to ndctl: release v76.1 Version 76.1 Fixed the following: cxl/event-trace: use the wrapped util_json_new_u64() cxl/monitor: fix include paths for tracefs and traceevent cxl/monitor: Make libtracefs dependency optional
Preface: Online banking cannot lack of load balancing solution today. However in terms of life cycle of operation system and software libaries , Java language development platform and on-demand custom fuctions. Does it bother the load balancing functions? The most challenging parts is the layer 7 load balancing. Perhaps you can do the healt check on appliation functions. However, it is difficult to garantee the non stop function on application side (availability).
Background: The load-balancing algorithms supported are round-robin, weighted least request, random, ring-hash and more. An additional function includes client non interrupt services using application & service availability (health-checks performance).
My focus: Online banking platform (Hong Kong) Error 500: java.lang.RuntimeException: no EntityContext found in existing session Date: Around 8:15 am 5/3/2022
Fundamentally, Web server load balancing function in correct way make no downtime. Therefore when you connected to web server had problem. The load balancing function will keep persistence (SSL Sticky) then redirect your connection to the web server which is available. My experience operating in online banking system in today morning (3rd May, 2022) hints the technical information to me. I encountered error my web services. (Reminded – it successful logged on and doing operations). However an error 500 display on my screen. Thereafter. even I close the browser, make new established connection to Banking system. It still redirect my new connection to e-banking1.hangseng.com. But in round robin setup architecture, I can connect to e-banking2.hangseng.com by chance.
Observation: Perhaps, load balancer capable web application health check function. But for online banking system, it do a health check on web server front page. On java server page. For example: The EntityContext interface contains the getEjbObject and getPrimaryKey methods that a bean can use to find out about the object it is associated with. The client communicates with the bean via the EJBObject. If one of the java service had error occur. May be the load balancer health check function not know what’s happening.
Whether there is concerns on vulnerable Java SE Embedded versions. So, apply tight protection and causes this technical problem occurs. Or there is an software configuration problem in web application itself?
Preface: On 2014, Amazon Web Services (AWS) is asking those that write code and use GitHub to go back and check their work to make sure they didn’t forget to remove login credentials. The warning comes as news is circulating about the availability of nearly 10,000 AWS keys in plain sight on GitHub just by running a simple query.
Background: Security expert found that search for it through source-code on the web, you can find further words by doing find the word ‘AKIA’ to find the Access Key and you can get the Secret key too, if you have found it you can do AWS Configuration.
GitHub does not allow searching of regular expressions in code, and thus the naive approach to search for such patterns is to create a clone of every repository – essentially a mirror of GitHub – and then search their contents for such patterns.
Ref:IAM access key IDs beginning with AKIA are long-term credentials, and access key IDs beginning with ASIA are temporary credentials. ASIA credentials are used with AWS Security Token Service (AWS STS) operations for temporary access to AWS services.
Best practice recommended by vendor:
-Note that we recommended against using the root user for everyday work in AWS.
-As a security best practice, we recommended that you regularly rotate (change) IAM user access keys.
-You can review the AWS access keys in your code to determine whether the keys are from an account that you own.
Preface: IPython offers an enhanced read-eval-print loop (REPL) environment particularly well adapted to scientific computing. In other words, IPython is a powerful interface to the Python language.
Background: IPython provides a rich toolkit to help you make the most out of using Python, with:
Powerful Python shells (terminal and Qt-based).
A web-based notebook with the same core features but support for code, text, mathematical expressions, inline plots and other rich media.
Support for interactive data visualization and use of GUI toolkits.
Flexible, embeddable interpreters to load into your own projects.
Easy to use, high performance tools for parallel computing.
Vulnerability details: IPython could allow a remote attacker to execute arbitrary code on the system, caused by improper permission assignment. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code from the current working directory.
Preface: Because humans have destroyed the environment. Therefore, natural disasters resemble God’s punishment. In the digital world, the situation is the same. The reason for the penalty is the design weakness of the software.
Background: Perhaps the younger generation has not experienced “Y2K” technical problems because they are still children. The millennium bug is about 22 years until today. I think many people have forgotten. The digital world disaster is similar to the Old Testament description of the earth flood, and God instructed to build an ark to save the species.
Fundamental design weakness: On a 32-bit Linux system, the maximum value that time_t can represent is 0x7ffffffff. When time_t takes the maximum value, it means that the system time is 2038-01-19 03:14:07, but when the clock keep going, time_t will overflow and become A negative value. At this time, the system time will start over and the operating system and upper-layer software will run incorrectly.
IoT current status 2021: The trend by today – 8-bit and 16-bit MCUs had been the hardware of choice for IoT devices, but 32-bit MCUs are now becoming increasingly popular, leading to many manufacturers using two different powered processes in devices. Therefore, your RTOS should be scalable in order to manage any future MCU upgrades.
Reports indicate that there will be 35.82 billion IoT devices installed worldwide by 2021 and 75.44 billion by 2025.
Remedy: In order to remedy this technical limitation. Software developer require to use GNU C Library 2.32 and Musl libc 1.2 to build user space for 64-bit time_t. Musl, a C standard library, is mainly used on operating systems based on the Linux kernel. The target is embedded systems and mobile devices. It is released under the MIT license. The author is Rich Felker. The purpose of developing this library is to write a clean, efficient, and standard-compliant C standard library.
Expectation: We pass a new challenge token to the younger generation, because they have grown up now. It’s your turn.
Preface: CISA is aware of a compromise of the Codecov software supply chain in which a malicious threat actor made unauthorized alterations of Codecov’s Bash Uploader script, beginning on January 31, 2021.
Background: A Supply Chain Attack Gone Undetected for 2 Months.Codecov has over 29,000 enterprise customers, including reputed names like Atlassian, Washington Post, GoDaddy, Royal Bank of Canada, and Procter & Gamble.
Vulnerability details: Regarding to this cyber security incident, Through vendor investigation, they are now have additional information concerning what environment variables may have been obtained without authorization and how they may have been used. The issue occurred due to an error in Codecov’s Docker image creation process that enabled the actors to extract sensitive credentials and modify the Bash Uploader script. Meanwhile it let the attacker exfiltrate sensitive information. For more details, please refer to link – https://about.codecov.io/security-update/
Preface: SAML 2.0 implementation for Service Providers based on etree and goxmldsig, a pure Go implementation of XML digital signatures.
Background: “nil” in Go that represents zero values for pointers, interfaces, channels, maps, slices and function types.
Vulnerability Details: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
Reference: When “Go” initializes the pointer, it assigns the value of pointer i to nil, but the value of i represents the address of *i. If nil, the system has not assigned an address to *i. So at this time, * i assignment will have problem occur.
Remedy: Official announcement not announce yet. See whether it can apply the similar syntax to do a short term remediation of this design weakness? The gosmal2 package has encountered the similar technical matter (nil point dereference) on Aug 14, 2019 . For more details, please refer to diagram.