Category Archives: Potential Risk of CVE

Oracle Critical Patch Update Advisory – July 2022 Close-up of CVE-2022-21565 (19th July 2022)

Preface: Oracle Database 19c is the current long term release, and it provides the highest level of release stability and longest time-frame for support and bug fixes. Oracle Database 21c, also available for production use today as an innovation release, provides an early insight into the many enhancements and new capabilities.

Background: Use the CREATE PROCEDURE statement to create a standalone stored procedure or a call specification.
A procedure is a group of PL/SQL statements that you can call by name. A call specification (sometimes called call spec) declares a Java method or a third-generation language (3GL) routine so that it can be called from SQL and PL/SQL. The call spec tells Oracle Database which Java method to invoke when a call is made. It also tells the database what type conversions to make for the arguments and return value.


In Oracle Database, the loadjava utility is used to load Java classes, sources, resources and JAR files. It creates the corresponding schema objects in the database and then loads the file contents into them.
About Designating Database Privileges and JVM Permissions
You must have the following SQL database privileges to load classes:

  • CREATE PROCEDURE and CREATE TABLE privileges to load into your schema.
  • CREATE ANY PROCEDURE and CREATE ANY TABLE privileges to load into another schema.
  • the JVM permission oracle.aurora.security.JServerPermission.loadLibraryInClass.classname, which is checked by the Oracle JVM rather than by the SQL privilege system.


Vulnerability details: Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 19c and 21c. An easily exploitable vulnerability allows a low-privileged attacker with the Create Procedure privilege and network access via Oracle Net to compromise the Java VM. Successful attacks can result in unauthorized creation, deletion or modification access to critical data or all Java VM accessible data. The entry requirement is the point to note: CREATE PROCEDURE is routinely granted to ordinary application and developer schemas, so this is not an administrator-only issue.

Official announcement – Oracle Critical Patch Update Advisory – July 2022. See the link for details – https://www.oracle.com/security-alerts/cpujul2022.html

About RISC-V and RISC-V ISA Simulator design weakness (18-07-2022)

Preface: A growing number of Chinese chip design firms have adopted the open-source RISC-V ISA in their chip designs as an alternative to Intel's proprietary x86 and Arm's architecture, in a bid to minimise potential damage from US sanctions and to save on licensing fees.

Background: RISC itself is not new. The RISC System/6000 (RS/6000) was a family of RISC-based Unix servers, workstations and supercomputers made by IBM in the 1990s.
Who uses RISC-V today? The organization has grown to 2,000+ members from more than 70 countries over the span of just a few years. Members of RISC-V International include founding partners Google, Qualcomm and Western Digital, to name a few, as well as Arduino, Hitachi and Samsung.

What is PMP in RISC-V? Physical Memory Protection (PMP) is a part of the RISC-V Privileged Architecture Specification which describes the interface for a standard RISC-V memory protection unit. The PMP defines a finite number of PMP regions (entries), each of which can be individually configured to enforce read, write and execute permissions on a range of physical addresses.

What is a load access fault? Access faults are raised when a memory access fails a PMP (or PMA) check: roughly speaking, the processor is trying to use physical memory that it has not been granted permission to use, and the fault is reported as an instruction, load or store/AMO access fault according to the type of access. PMP checks are always applied to S-mode and U-mode accesses. Machine mode is only constrained by PMP entries whose L (lock) bit is set; an unlocked entry never restricts M-mode, so on a platform without a lower privilege mode PMP rarely comes into play.

The machine level has the highest privileges and is the only mandatory privilege level for a RISC-V hardware platform. Code run in machine-mode (M-mode) is usually inherently trusted, as it has low-level access to the machine implementation. M-mode can be used to manage secure execution environments on RISC-V.
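To make the PMP rules above concrete, here is a small model of the check, added for this article rather than taken from the specification, Spike or any core. It assumes a single hart with at least one PMP entry implemented, ignores PMA checks, and checks implicit page-table reads in whatever privilege mode the caller passes; the sample entries (64 KiB of locked text and 64 KiB of data at 0x8000_0000) are constructed. The check_pte_fetch function shows the rule that CVE-2022-34641 is about: a PMP violation while walking page tables must be reported as an access fault of the original access type, not as a page fault.

```python
"""Added example: a model of RISC-V Physical Memory Protection (PMP) checks.

Simplifications (assumptions, not spec text): one hart, at least one PMP entry
implemented, no PMA checks, and implicit page-table reads are checked in the
privilege mode passed in by the caller.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# pmpcfg byte layout: bit0 R, bit1 W, bit2 X, bits 3-4 A (address matching), bit7 L (lock)
PMP_R, PMP_W, PMP_X, PMP_L = 0x01, 0x02, 0x04, 0x80
A_OFF, A_TOR, A_NA4, A_NAPOT = 0, 1, 2, 3

# mcause/scause codes for the three access-fault exceptions
INSTRUCTION_ACCESS_FAULT, LOAD_ACCESS_FAULT, STORE_ACCESS_FAULT = 1, 5, 7
FAULT_FOR = {"fetch": INSTRUCTION_ACCESS_FAULT, "load": LOAD_ACCESS_FAULT, "store": STORE_ACCESS_FAULT}
PERM_FOR = {"fetch": PMP_X, "load": PMP_R, "store": PMP_W}


@dataclass
class PmpEntry:
    cfg: int   # the entry's pmpcfg byte
    addr: int  # the entry's pmpaddr register (physical address >> 2)


def napot_addr(base: int, size: int) -> int:
    """Encode a naturally aligned power-of-two region (>= 8 bytes) as a pmpaddr value."""
    if size < 8 or size & (size - 1) or base % size:
        raise ValueError("NAPOT region must be a power of two >= 8 and aligned to its size")
    return (base >> 2) | ((size >> 3) - 1)


def region(entries: List[PmpEntry], i: int) -> Optional[Tuple[int, int]]:
    """Decode entry i into (base, size), or None when its A field is OFF."""
    e = entries[i]
    mode = (e.cfg >> 3) & 0x3
    if mode == A_OFF:
        return None
    if mode == A_TOR:  # top of range: [pmpaddr[i-1] << 2, pmpaddr[i] << 2)
        base = entries[i - 1].addr << 2 if i > 0 else 0
        top = e.addr << 2
        return (base, top - base) if top > base else None
    if mode == A_NA4:
        return (e.addr << 2, 4)
    k = 0  # NAPOT: k trailing ones in pmpaddr encode a 2^(k+3)-byte region
    while (e.addr >> k) & 1:
        k += 1
    return ((e.addr & ~((1 << (k + 1)) - 1)) << 2, 1 << (k + 3))


def check_access(entries: List[PmpEntry], addr: int, size: int, access: str, mode: str) -> Optional[int]:
    """Return None when the access is permitted, else the access-fault cause code.

    access is "fetch", "load" or "store"; mode is "M", "S" or "U".
    The lowest-numbered matching entry decides; an access that only partly
    falls inside the matching region fails.
    """
    fault = FAULT_FOR[access]
    for i in range(len(entries)):
        r = region(entries, i)
        if r is None:
            continue
        base, length = r
        if not base <= addr < base + length:
            continue
        if addr + size > base + length:
            return fault
        cfg = entries[i].cfg
        if mode == "M" and not cfg & PMP_L:
            return None  # an unlocked entry never constrains M-mode
        return None if cfg & PERM_FOR[access] else fault
    # No entry matched: M-mode succeeds, S/U-mode fails (PMP is implemented).
    return None if mode == "M" else fault


def check_pte_fetch(entries: List[PmpEntry], pte_addr: int, original_access: str, mode: str) -> Optional[int]:
    """PMP check for an implicit page-table-entry read during address translation.

    The PTE read needs R permission; if it fails, the exception reported is the
    access fault for the ORIGINAL access type, never a page fault.
    """
    if check_access(entries, pte_addr, 8, "load", mode) is None:
        return None
    return FAULT_FOR[original_access]


# Constructed sample configuration: 64 KiB of locked kernel text and 64 KiB of R/W data.
SAMPLE_PMP = [
    PmpEntry(cfg=PMP_R | PMP_X | (A_NAPOT << 3) | PMP_L, addr=napot_addr(0x8000_0000, 0x1_0000)),
    PmpEntry(cfg=PMP_R | PMP_W | (A_NAPOT << 3), addr=napot_addr(0x8001_0000, 0x1_0000)),
    PmpEntry(cfg=0, addr=0),
]

if __name__ == "__main__":
    for a, s, acc, m in [(0x8000_0100, 4, "store", "U"), (0x8000_0100, 4, "store", "M"),
                         (0x9000_0000, 4, "load", "S"), (0x9000_0000, 4, "load", "M")]:
        print(f"{acc:5} {m} 0x{a:08x}: {check_access(SAMPLE_PMP, a, s, acc, m)}")
```

Run it and the M-mode store to the locked text region faults while the M-mode load outside any region succeeds; swap the lock bit off on entry 0 and the first result changes, which is the whole difference between a PMP that protects firmware and one that only protects against lower privilege modes.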

Vulnerability details:

CVE-2022-34642 – The component mcontrol.action in RISCV ISA Sim commit ac466a21df442c59962589ba296c702631e041b5 contains the incorrect mask which can cause a Denial of Service (DoS).
Reference: https://github.com/riscv-software-src/riscv-isa-sim/issues/1032

CVE-2022-34641 – CVA6 commit d315ddd0f1be27c1b3f27eb0b8daf471a952299a and RISCV-Boom commit ad64c5419151e5e886daee7084d8399713b46b4b implement the incorrect exception type when a PMP violation occurs during address translation. The privileged specification requires a failed PMP check on a page-table access to raise an access-fault exception matching the original access type (instruction, load or store); raising a page fault instead misleads the operating system into treating a hardware permission violation as a missing or invalid mapping.
Reference: https://github.com/openhwgroup/cva6/issues/906 Weakness Enumeration – unknown

CVE-2022-34643 – RISCV ISA Sim commit ac466a21df442c59962589ba296c702631e041b5 implements the incorrect exception priority when accessing memory.
https://github.com/riscv-software-src/riscv-isa-sim/issues/971 Weakness Enumeration – unknown

CVE-2022-31213 About dbus-broker design weakness (17th July 2022)

Preface: A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. Furthermore, NULL pointer dereference issues can occur through a number of flaws including race conditions.

Background: D-Bus is an inter-process communication (IPC) mechanism initially designed to replace the software component communications systems used by the GNOME and KDE Linux desktop environments. The dbus-broker project is an implementation of a message bus as defined by the D-Bus specification.

Project using D-Bus

  • KDE: A desktop environment based on Qt
  • Gnome: A desktop environment based on gtk
  • Systemd: An init system
  • Network-manager: A daemon to manage network interfaces
  • Bluez: A project adding Bluetooth support under Linux

dbus-broker is an implementation of the D-Bus Message Bus Specification. Each instance provides a single, unique message bus that clients can connect to, and send messages over. The broker takes care of message mediation, access control, subscriptions, and bus control, according to the D-Bus specification.

Vulnerability details: An issue was discovered in dbus-broker before 31. Multiple NULL pointer dereferences can be triggered by supplying a malformed XML config file. The result is a crash of the bus (denial of service); reaching the bug requires being able to supply a configuration file that the broker reads.

Ref: Expat is a library, written in C, for parsing XML documents; dbus-broker uses it to parse its bus configuration. A parser checks that the document is well-formed (and may validate it against a schema) and turns the text into events or a tree that the application can walk. Well-formed is not the same as meaningful: an element that exists but lacks the attribute or text the application expects is exactly where a C consumer of the parser's output ends up dereferencing a NULL pointer.
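The following is an added example (Python, not dbus-broker code) of what the consumer of an XML parser has to do with a "present but empty" element. The sample configuration is constructed; the element names follow the D-Bus bus configuration format, while the particular checks are illustrative rather than dbus-broker's own rules.

```python
"""Added example: validating a D-Bus bus configuration file before using it.

xml.etree.ElementTree is backed by Expat (pyexpat) in CPython. The element
names come from the D-Bus bus configuration format; the checks are
illustrative and are not dbus-broker's own validation rules.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample. The third <policy> has no selector attribute and the
# <include> has no path text: exactly the kind of "present but empty" element
# that a C parser must not dereference blindly.
SAMPLE_CONFIG = """<busconfig>
  <type>system</type>
  <listen>unix:path=/run/dbus/system_bus_socket</listen>
  <policy context="default">
    <allow send_destination="org.freedesktop.DBus"/>
  </policy>
  <policy user="root">
    <allow own="org.example.Service"/>
  </policy>
  <policy>
    <allow/>
  </policy>
  <include ignore_missing="yes"/>
</busconfig>
"""

POLICY_SELECTORS = ("context", "user", "group", "at_console")
TEXT_ELEMENTS = ("type", "listen", "include", "includedir", "servicedir", "pidfile", "user")


def validate_busconfig(text: str) -> List[str]:
    """Return a list of problems; an empty list means the config is acceptable.

    Every attribute and text lookup is checked before its value is used, which
    is what the C caller of Expat must do to avoid dereferencing a NULL result.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "busconfig":
        return [f"root element is <{root.tag}>, expected <busconfig>"]
    problems: List[str] = []
    for n, el in enumerate(root):
        if el.tag == "policy":
            selectors = [k for k in POLICY_SELECTORS if k in el.attrib]
            if len(selectors) != 1:
                problems.append(f"<policy> #{n}: expected exactly one of {POLICY_SELECTORS}, found {selectors}")
            for rule in el:
                if rule.tag not in ("allow", "deny"):
                    problems.append(f"<policy> #{n}: unexpected child <{rule.tag}>")
                elif not rule.attrib:
                    problems.append(f"<policy> #{n}: <{rule.tag}> rule with no attributes")
        elif el.tag in TEXT_ELEMENTS and not (el.text or "").strip():
            problems.append(f"<{el.tag}> #{n}: missing text value")
    return problems


def load_busconfig(text: str) -> ET.Element:
    """Parse and validate up front; refuse the whole file instead of failing mid-way."""
    problems = validate_busconfig(text)
    if problems:
        raise ValueError("; ".join(problems))
    return ET.fromstring(text)


if __name__ == "__main__":
    for p in validate_busconfig(SAMPLE_CONFIG):
        print(p)
```

The design point is that validation happens in one pass before any of the values are acted on, so a bad file is rejected with a message naming the offending element rather than taking the bus down later.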

Solution: Update to the latest version – https://github.com/bus1/dbus-broker/releases/tag/v31

Proof of concept and related technical matters – refer to the link
https://sec-consult.com/vulnerability-lab/advisory/memory-corruption-vulnerabilities-dbus-broker/

CVE-2022-22982 – VMware vCenter Server SSRF vulnerability (13th July 2022)

Preface: Server-side request forgery (SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location. Because the request originates from the server, it can reach back-end systems that sit behind the firewall and trust the server, which makes SSRF a pivot into internal services rather than a self-contained bug. SSRF is often rated medium, so it is easy to deprioritise and overlook.

Background: vCenter Server manages VMware vSphere environments, giving IT administrators simple and automated control over the virtual environment to deliver infrastructure with confidence. VMware vSphere Web Client plug-in is the program that extends the user interface for VMware vSphere Web Client to a browser. The VMware vSphere Web Client allows an administrator to connect to a vCenter Server system and manage a vSphere environment.

Vulnerability details: The vCenter Server contains a server-side request forgery (SSRF) vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Impact: A malicious actor with network access to 443 on the vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service. For more details, please refer to attached diagram.
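One way to close an SSRF hole of this kind, as an added Python example that is not VMware code: decide, before the request is made, whether the target is a host the service is meant to talk to, and whether the address it resolves to is internal. The host names, addresses and the fake resolver below are constructed.

```python
"""Added example: allow-listing outbound requests to close an SSRF hole.

Generic Python, not vCenter code. The hosts, addresses and resolver are
constructed for the example.
"""
import ipaddress
from typing import Callable, Dict, FrozenSet, List
from urllib.parse import urlsplit

# Address ranges an application server should never be induced to call:
# loopback, RFC 1918, link-local (cloud metadata lives at 169.254.169.254),
# CGNAT, multicast, reserved and the IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


class SsrfRejected(ValueError):
    """Raised for any URL the server must not fetch on a caller's behalf."""


def validate_outbound_url(url: str, allowed_hosts: FrozenSet[str],
                          resolve: Callable[[str], List[str]]) -> List[str]:
    """Return the addresses the request may be sent to, or raise SsrfRejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SsrfRejected(f"scheme {parts.scheme!r} is not allowed")
    if parts.username is not None or parts.password is not None:
        raise SsrfRejected("credentials in the URL are not allowed")  # user@host confusion
    try:
        parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        raise SsrfRejected("invalid port")
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if not host:
        raise SsrfRejected("URL has no host")
    if host not in allowed_hosts:
        raise SsrfRejected(f"host {host!r} is not on the allow-list")
    try:
        addrs = [ipaddress.ip_address(host)]      # literal IP on the allow-list
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise SsrfRejected(f"host {host!r} does not resolve")
    for a in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 ranges apply.
        checked = a.ipv4_mapped if isinstance(a, ipaddress.IPv6Address) and a.ipv4_mapped else a
        if any(checked in net for net in BLOCKED_NETS):
            raise SsrfRejected(f"{host} resolves to blocked address {a}")
    return [str(a) for a in addrs]


def is_safe_outbound_url(url: str, allowed_hosts: FrozenSet[str],
                         resolve: Callable[[str], List[str]]) -> bool:
    try:
        validate_outbound_url(url, allowed_hosts, resolve)
        return True
    except SsrfRejected:
        return False


# Constructed resolver standing in for DNS. "metadata.example.com" is on the
# allow-list but points inside, which is what a rebinding or poisoned record looks like.
FAKE_DNS: Dict[str, List[str]] = {
    "partner.example.com": ["203.0.113.10"],
    "metadata.example.com": ["169.254.169.254"],
    "dual.example.com": ["2001:db8::10", "::ffff:10.0.0.5"],
}
ALLOWED_HOSTS = frozenset(FAKE_DNS)


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://partner.example.com/api", "https://metadata.example.com/latest",
              "http://169.254.169.254/latest/meta-data/", "file:///etc/passwd"):
        print(u, "->", is_safe_outbound_url(u, ALLOWED_HOSTS, fake_resolve))
```

Two usage points: connect to one of the returned addresses and set the Host header yourself, rather than resolving the name a second time at connect time (that is what defeats DNS rebinding), and do not follow redirects automatically, since a redirect is just another URL that has to go through the same check.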

Solutions: Before installation of the software, please visit the vendor web-site for more details – https://www.vmware.com/security/advisories/VMSA-2022-0018.html

About Azure Site Recovery Elevation of Privilege Vulnerability (12th July 2022)

Preface: Most vulnerabilities are found and fixed long before they are publicised. A zero-day is different: it is a vulnerability previously unknown to those who should be interested in its mitigation, such as the vendor of the target software, so the disclosure and the fix have to be released quickly.

Background: What does Site Recovery do?

Site Recovery contributes to your business continuity and disaster recovery (BCDR) strategy, by orchestrating and automating replication of Azure VMs between regions, on-premises virtual machines and physical servers to Azure, and on-premises machines to a secondary datacenter.

Vulnerability details: CVE-2022-33677, Azure Site Recovery Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30181, CVE-2022-33641, CVE-2022-33642, CVE-2022-33643, CVE-2022-33650, CVE-2022-33651, CVE-2022-33652, CVE-2022-33653, CVE-2022-33654, CVE-2022-33655, CVE-2022-33656, CVE-2022-33657, CVE-2022-33658, CVE-2022-33659, CVE-2022-33660, CVE-2022-33661, CVE-2022-33662, CVE-2022-33663, CVE-2022-33664, CVE-2022-33665, CVE-2022-33666, CVE-2022-33667, CVE-2022-33668, CVE-2022-33669, CVE-2022-33671, CVE-2022-33672, CVE-2022-33673, CVE-2022-33674, CVE-2022-33675.

As usual, the vendor has the right not to release vulnerability details. Let us see whether we can find one of the possible causes.

For disaster recovery of VMware VMs to Azure, the system administrator deploys the configuration server as a VMware VM. Based on my speculation about existing design flaws, I focus on the suspicious components.
Software requirements: IIS (Web server)

  • No pre-existing default website
  • No pre-existing website/application listening on port 443
  • Enable anonymous authentication
  • Enable FastCGI setting

Whether a local user can talk to the FastCGI listener is decided by its configuration. For PHP-FPM (php-fpm.conf), a Unix socket is protected by the listen.owner, listen.group and listen.mode options, whereas a TCP socket is only restricted by listen.allowed_clients. If the listener is reachable and its worker processes run with elevated permissions, the socket itself becomes the attack surface.

If that is the case, a local attacker can exploit it: it is as simple as pointing a FastCGI client at the socket, and every request then runs with the listener's privileges, which is a privilege escalation. Please refer to the attached diagram for reference.

Azure Site Recovery Elevation of Privilege Vulnerability. For official announcement, please refer to the link – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-33677

Remedy: What can I do to protect myself from this vulnerability? Follow the steps in the vendor's announcement (linked above) to update to version 9.49.

Several modules in the core edge portion of KubeEdge contain potential DoS risks from oversized HTTP message bodies (11th July 2022)

Preface: There is no limit according to the HTTP protocol itself, but implementations will have a practical upper limit. I have sent data exceeding 4 GB using POST to Apache, but some servers did have a limit of 4 GB at the time.

Background: KubeEdge is an open source system extending native containerized application orchestration and device management to hosts at the edge. It is built upon Kubernetes and provides core infrastructure support for networking, application deployment and metadata synchronization between cloud and edge, with a small resource footprint, so it suits both large data centres and constrained edge nodes.
The core edge part of KubeEdge contains six modules: devicetwin, edged, edgehub, eventbus, metamanager and servicebus.

Vulnerability details:
CVE-2022-31073 – the ServiceBus server on the edge side may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it. https://github.com/kubeedge/kubeedge/security/advisories/GHSA-vwm6-qc77-v2rh
CVE-2022-31075 – EdgeCore may be susceptible to a DoS attack on CloudHub if an attacker was to send a well-crafted HTTP request to /edge[.]crt.
https://github.com/kubeedge/kubeedge/security/advisories/GHSA-x3px-2p95-f6jr
CVE-2022-31074 – several endpoints in the Cloud AdmissionController may be susceptible to a DoS attack if an HTTP request containing a very large Body is sent to it.
https://github.com/kubeedge/kubeedge/security/advisories/GHSA-w52j-3457-q9wr
CVE-2022-31078 – the CloudCore Router does not impose a limit on the size of responses to requests made by the REST handler. An attacker could use this weakness to make a request that will return an HTTP response with a large body and cause DoS of CloudCore.
https://github.com/kubeedge/kubeedge/security/advisories/GHSA-qpx3-9565-5xwm
CVE-2022-31079 – the Cloud Stream server and the Edge Stream server reads the entire message into memory without imposing a limit on the size of this message. An attacker can exploit this by sending a large message to exhaust memory and cause a DoS.
https://github.com/kubeedge/kubeedge/security/advisories/GHSA-wrcr-x4qj-j543
CVE-2022-31080 – a large response received by the viaduct WSClient can cause a DoS from memory exhaustion.
https://github.com/kubeedge/kubeedge/security/advisories/GHSA-6wvc-6pww-qr4r
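As an added example (generic Python, not KubeEdge code), the one defence that applies to every CVE in the list above: never read a body of unknown size into memory unchecked, on the server side for requests and on the client side for responses. The sample requests are constructed. In Go the equivalents are http.MaxBytesReader for request bodies and io.LimitReader for responses.

```python
"""Added example: bounding the size of HTTP bodies before they reach memory.
Generic Python, not KubeEdge code; the requests below are constructed."""
import io
from typing import BinaryIO, Dict, Optional, Tuple

CHUNK = 16 * 1024


class BodyTooLarge(Exception):
    """Server side this becomes HTTP 413; client side, an aborted request."""


def bytes_stream(data: bytes) -> io.BytesIO:
    """Stand-in for a socket: a constructed in-memory body."""
    return io.BytesIO(data)


def read_unbounded(stream: BinaryIO) -> bytes:
    """The vulnerable pattern: slurp everything the peer chooses to send."""
    return stream.read()


def read_bounded(stream: BinaryIO, limit: int, declared_length: Optional[int] = None) -> bytes:
    """Read at most `limit` bytes.

    A Content-Length above the limit is refused before a single byte is read;
    an undeclared (chunked) body is cut off as soon as it exceeds the limit,
    so memory use is bounded by limit + 1 regardless of what the peer sends.
    """
    if declared_length is not None and declared_length > limit:
        raise BodyTooLarge(f"declared length {declared_length} exceeds {limit}")
    buf = bytearray()
    while True:
        chunk = stream.read(min(CHUNK, limit + 1 - len(buf)))
        if not chunk:
            break
        buf += chunk
        if len(buf) > limit:
            raise BodyTooLarge(f"body exceeds {limit} bytes")
    if declared_length is not None and len(buf) != declared_length:
        raise ValueError("body length does not match Content-Length")
    return bytes(buf)


def handle_request(headers: Dict[str, str], body: BinaryIO, limit: int) -> Tuple[int, bytes]:
    """Return (status, body): 413 when the body is too large, 400 when the
    Content-Length header is unusable or lies, otherwise 200 with the body."""
    declared = None
    if "Content-Length" in headers:
        try:
            declared = int(headers["Content-Length"])
        except ValueError:
            return 400, b""
        if declared < 0:
            return 400, b""
    try:
        return 200, read_bounded(body, limit, declared)
    except BodyTooLarge:
        return 413, b""
    except ValueError:
        return 400, b""


def fetch_bounded(response_body: BinaryIO, limit: int) -> bytes:
    """Client side (the CloudCore router and WSClient cases): cap the response too."""
    return read_bounded(response_body, limit)


if __name__ == "__main__":
    print(handle_request({"Content-Length": "5"}, bytes_stream(b"hello"), 1024))
    print(handle_request({}, bytes_stream(b"A" * (1024 * 1024)), 64 * 1024))
```

The limit is a policy decision per endpoint (a certificate download and a device-twin update do not need the same ceiling); what matters is that the reader stops at that ceiling rather than after the peer has finished.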

CVE-2022-IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTTP header injection (8th July 2022)

Preface: Applications consume many HTTP headers: the SOAPAction header used by SOAP web services, Cookie, ETag, Host and so on. Any header whose value the application uses is attacker-controlled input and should be treated as a viable transport for malicious content.

Background: CICS TX 11.1 offers an enhanced inbound SOAP XML web services capability. This includes support for the channels and container interface for CICS TX inbound web services. CICS TX applications that use the APIs of channels and containers can be exposed as inbound SOAP XML web services. This provides pipeline configuration that enables the processing of SOAP messages through a sequence of predefined message handlers.

Remark: Capability to pass more than 32K bytes of data through SOAP XML web services using channel and container APIs

Vulnerability details: IBM CICS TX Standard and Advanced 11.1 is vulnerable to HTTP header injection, caused by improper validation of the Host header. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. The usual mechanism is that the application copies the Host value into something it generates, such as an absolute URL, a redirect or a link in a page, so a request carrying an attacker-chosen Host header produces a response that points users at the attacker's host and may be stored by a cache.
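Added example (generic Python, not IBM code) of the check that stops Host header injection from propagating into generated URLs: canonicalise the header, compare it with the names the server is actually known by, and only then use it. The allowed names are constructed; the naive function is shown beside the hardened one.

```python
"""Added example: validating the Host header before it is used to build URLs.
Generic Python, not IBM CICS TX code. Allowed host names are constructed."""
import re
from typing import Iterable, Optional

# host[:port] only: a bracketed IPv6 literal or a DNS name, optionally with a
# trailing dot. CR/LF, spaces, '@', '/', '#' and '?' cannot match, which closes
# header injection and user@host confusion in one place.
_HOST_PORT = re.compile(
    r"(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\.?)(?::(\d{1,5}))?"
)


def vulnerable_absolute_url(host_header: str, path: str) -> str:
    """The pattern behind Host header injection: trust the header as-is."""
    return "https://" + host_header + path


def canonical_host(value: Optional[str], allowed: Iterable[str], default_port: int) -> Optional[str]:
    """Return 'host:port' for an acceptable Host header, else None."""
    if value is None:
        return None
    m = _HOST_PORT.fullmatch(value)
    if m is None:
        return None
    host = m.group(1).lower().rstrip(".")
    port = int(m.group(2)) if m.group(2) else default_port
    if not 0 < port < 65536 or host not in set(allowed):
        return None
    return f"{host}:{port}"


def build_absolute_url(scheme: str, host_header: Optional[str], path: str,
                       allowed: Iterable[str], default_port: int) -> str:
    """Hardened: only a canonicalised, allow-listed host ever reaches the URL."""
    canon = canonical_host(host_header, allowed, default_port)
    if canon is None:
        raise ValueError("untrusted Host header")
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    host, port = canon.rsplit(":", 1)
    authority = host if int(port) == default_port else canon
    return f"{scheme}://{authority}{path}"


if __name__ == "__main__":
    allowed = {"www.example.com"}
    print(vulnerable_absolute_url("evil.test", "/reset?token=abc"))
    print(build_absolute_url("https", "WWW.Example.com.", "/reset?token=abc", allowed, 443))
```

If the server sits behind a proxy that rewrites Host, apply the same canonicalisation to whichever forwarded header you actually trust (and ignore the rest), and configure the cache key to include the canonical host rather than the raw header.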

Affected Products and Versions: IBM CICS TX Advanced 11.1

Remediation: Download fix from here – https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FOther+software%2FCICS+TX+on+Cloud&fixids=ibm-cics-tx-advanced-image-11.1.0.0-ifix2&source=SAR&function=fixId&parent=ibm/Other%20software

Usage of CICS TX Standard and CICS TX Advanced (Example):

  • Load a CICS TX container on Docker, open a port to connect to the container through a 3270-terminal, deploy a simple CICS COBOL application on the CICS TX container and run the application by using a 3270 terminal.
  • Deploy CICS TX on a container
  • Deploy CICS TX Standard on a Red Hat OpenShift Container Platform

CVE-2022-33936 Cloud Mobility for Dell EMC Storage Security Update for a Path Traversal/RCE Vulnerability (7th July 2022)

Preface: NVM Express (NVMe) is a storage interface designed for non-volatile memory such as flash rather than for spinning disks. Because it cuts latency, it significantly improves both sequential and random performance and moves more data per CPU cycle.

Background: The Dell EMC PowerMax family is the first Dell EMC hardware platform that uses an end-to-end Non-Volatile Memory Express (NVMe) architecture for customer data.

Cloud Mobility for Dell EMC PowerMax is configured within an embedded guest running on the PowerMaxOS hypervisor. Management of Cloud Mobility is performed using the Embedded Management (eManagement) Unisphere for PowerMax. Communication between the embedded Unisphere and Cloud Mobility is through REST API over a PowerMax internal private network connection.

Example:
The most recent PowerMax REST documentation can found by going to your embedded management instance of Unisphere for PowerMax at:
https://{ip-address|hostname}:8443/univmax/restapi/docs

Vulnerability details: Cloud Mobility for Dell EMC Storage, versions 1.3.0.XXX, contains a path traversal vulnerability that leads to remote code execution. A non-privileged user could potentially exploit it to obtain a root shell. This is a critical issue, so Dell recommends that customers upgrade at the earliest opportunity.

For official announcement details, please refer to the link – https://www.dell.com/support/kbdoc/zh-hk/000201258/dsa-2022-182-cloud-mobility-for-dell-emc-storage-security-update-for-a-path-traversal-rce-vulnerability

What to consider when you apply the fixes for CVE-2022-26365, CVE-2022-33740, CVE-2022-33741 and CVE-2022-33742 (6th July 2022)

Preface: The Linux frontend fixes are only one side of XSA-403. The Xen tools side changed as well, so that an administrator can declare which backends are untrusted:

Patch 1 introduces a new field to the disk and nic configurations that allow signaling on a per-device basis whether the backend should be trusted. This is an ABI incompatible change, and cannot be applied to stable branches.
Patch 2 introduces support to libxl for libxl_{disk,nic}_backend_untrusted environment variable to be used in order to set whether disk and network frontends should be trusted in the absence of a per-device setting.

Background: Citrix Hypervisor is based on the Xen Project hypervisor, with extra features and support provided by Citrix. Citrix XenServer is a server virtualization platform based on the open-source Xen hypervisor; Citrix also offers a supported version that you can purchase, with two options: Standard and Enterprise.
Citrix Hypervisor requires at least two separate physical x86 computers: one to be the Citrix Hypervisor server and the other to run the XenCenter application or the Citrix Hypervisor Command-Line Interface (CLI).

Vulnerability details: The Linux block and network PV device frontends do not zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally, the granularity of the grant table does not allow sharing less than a 4K page, so unrelated data residing in the same 4K page as data shared with a backend is accessible by that backend (CVE-2022-33741, CVE-2022-33742).

The fixes touch the following two Linux driver files. For details, please refer to the official announcement, Linux disk/nic frontends data leaks – https://xenbits.xen.org/xsa/advisory-403.html

xen-blkfront.c – CVE-2022-33742 CVE-2022-26365
xen-netfront.c – CVE-2022-33741 CVE-2022-33740

IMPACT: An untrusted backend can access data not intended to be shared. If such mappings are made with write permissions the backend could also cause malfunctions and/or crashes to consumers of contiguous data in the shared pages.
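Added example (a toy Python model, not Xen or Linux code) of why the two CVE pairs need two different fixes: zeroing the shared buffer removes stale contents (the CVE-2022-26365/CVE-2022-33740 case), but because a grant maps the whole 4 KiB page the backend still sees everything else in that page (the CVE-2022-33741/CVE-2022-33742 case), so data for an untrusted backend has to be bounced through a page used for nothing else, which is what the Linux frontend fixes do. The memory contents are constructed.

```python
"""Added example: why zeroing a shared buffer is not enough when the grant
granularity is a 4 KiB page. Toy model; not Xen or Linux code."""

PAGE_SIZE = 4096  # grant-table sharing granularity

STALE = b"previous-request-bytes"     # left in the I/O buffer by an earlier request
SECRET = b"stale-key-material"        # freed, unscrubbed data elsewhere in the same page
NEIGHBOR = b"other-consumer-buffer"   # a live buffer belonging to someone else in the page


class GuestMemory:
    """Guest physical memory as a sequence of 4 KiB pages (constructed model)."""

    def __init__(self, pages: int) -> None:
        self.mem = bytearray(pages * PAGE_SIZE)
        self._next = 0

    def alloc_page(self, zero: bool) -> int:
        """Hand out the next page. A real allocator recycles pages, so without
        zero=True the page keeps whatever its previous owner left behind."""
        addr = self._next * PAGE_SIZE
        self._next += 1
        if zero:
            self.mem[addr:addr + PAGE_SIZE] = bytes(PAGE_SIZE)
        return addr

    def write(self, addr: int, data: bytes) -> None:
        self.mem[addr:addr + len(data)] = data


def grant_view(g: GuestMemory, addr: int) -> bytes:
    """What the backend sees after mapping the grant: the whole page containing addr."""
    base = addr - addr % PAGE_SIZE
    return bytes(g.mem[base:base + PAGE_SIZE])


def share_region(g: GuestMemory, addr: int, length: int, zero_first: bool) -> bytes:
    """Frontend shares `length` bytes at `addr`, optionally zeroing them first."""
    if zero_first:
        g.mem[addr:addr + length] = bytes(length)
    return grant_view(g, addr)


def share_via_bounce_page(g: GuestMemory, data: bytes):
    """Hardened path: copy the data into a freshly zeroed page used for nothing else."""
    addr = g.alloc_page(zero=True)
    g.write(addr, data)
    return addr, grant_view(g, addr)


def leaked_bytes(view: bytes, offset: int, length: int) -> bytes:
    """Non-zero bytes of the mapped page that lie outside the intended window."""
    return bytes(b for i, b in enumerate(view) if b and not offset <= i < offset + length)


def demo() -> dict:
    g = GuestMemory(pages=2)
    slab = g.alloc_page(zero=False)   # a general-purpose page with history
    g.write(slab, STALE)              # the 512-byte I/O buffer at offset 0 is dirty
    g.write(slab + 1024, SECRET)
    g.write(slab + 2048, NEIGHBOR)
    payload = b"request-payload"
    unzeroed = share_region(g, slab, 512, zero_first=False)
    zeroed = share_region(g, slab, 512, zero_first=True)
    _, bounce = share_via_bounce_page(g, payload)
    return {
        "unzeroed": unzeroed,
        "zeroed": zeroed,
        "bounce": bounce,
        "zeroed_leak": leaked_bytes(zeroed, 0, 512),
        "bounce_leak": leaked_bytes(bounce, 0, len(payload)),
    }


if __name__ == "__main__":
    r = demo()
    print("stale in unzeroed share:", STALE in r["unzeroed"])
    print("secret still in zeroed share:", SECRET in r["zeroed"])
    print("bytes leaked by bounce page:", r["bounce_leak"])
```

The bounce page costs a copy per request, which is why the Xen tools side (patches 1 and 2 above) makes it a per-device choice: only backends that are not trusted pay for it.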

CVE-2022-34918 – Linux kernel: Netfilter heap buffer overflow in nft_set_elem_init (4th July 2022)

Preface: Registering a callback in C means handing a function pointer to another module. When the event of interest arises, that module calls the registered function to handle it.

Background: The netfilter hooks are a framework inside the Linux kernel that allows kernel modules to register callback functions at different locations of the Linux network stack. The registered callback function is then called back for every packet that traverses the respective hook within the Linux network stack.

Connection tracking in the Linux kernel is implemented as a module of the Netfilter framework. Netfilter is a packet manipulation and filtering framework inside the kernel. It provides several hook points, so packet hooking, filtering and many other kinds of processing can be done.

Vulnerability details: An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.)

Ref: A user namespace lets a container (a set of isolated processes) have a different set of permissions from the system itself: inside the namespace the creator holds a full set of capabilities, including CAP_NET_ADMIN, even though it maps to an ordinary unprivileged user outside (regular user IDs start at or above 1000 on most Linux systems). That is why this bug is a local root escalation on distributions that let unprivileged users create user namespaces, and why disabling unprivileged user namespaces is the common interim mitigation.

Remedy: This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api[.]c. For details please refer to link – https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6

Additional information: In Linux driver code it is often hard to tell who called a given callback. One way to find out is the dump_stack() function provided by the kernel: it prints the current call stack, which is what the kernel does on a crash or panic, but it can also be called deliberately for debugging or tracing.