Category Archives: Potential Risk of CVE

VMware security advisory on 31st March 2021 (CVE-2021-21975 & CVE-2021-21983). The vendor foresees that an attacker will exploit these two vulnerabilities together.

Preface: If an attacker is skilled enough to chain the Server Side Request Forgery vulnerability with the arbitrary file write vulnerability, the combined risk impact is far greater than that of either issue on its own.

Background: Photon OS, a lightweight Linux distribution created and maintained by VMware, is designed specifically to run as a container host. It is optimized for cloud-native applications and cloud platforms, and for running on VMware infrastructure and in public clouds.

Vulnerability Details: On March 31, 2021, VMware officially released security advisory VMSA-2021-0004, covering CVE-2021-21975 and CVE-2021-21983. The severity is rated high, with a vulnerability score of 8.6.

Remedy: For official announcement, please refer to link – https://www.vmware.com/security/advisories/VMSA-2021-0004.html

Supplement: If you are interested in the scenario in which these vulnerabilities are exploited together, please refer to the attached diagram.

Published: March 31, 2021 – Citrix Releases Security Updates for Hypervisor

Preface: Once upon a time, Citrix Hypervisor was known as XenServer. “Xen” is the name of the hypervisor technology first developed by the University of Cambridge and eventually improved by Citrix.

Background:

Recommendation 1: It is recommended to use paravirtualized devices instead of emulated devices for virtual machines running I/O intensive applications.

Recommendation 2: The persistent grants feature provides high scalability. On some small systems, however, it can incur data-copy overhead, and so it may need to be disabled.

Vulnerability details:

CVE-2021-28688 An attacker with the ability to execute privileged mode code in a guest can perform a denial of service attack against the host. Avoiding the use of persistent grants will also avoid the vulnerability. This can be achieved by passing the “feature_persistent=0” module option to the xen-blkback driver.

CVE-2021-28038 An attacker with the ability to execute privileged mode code in a guest can perform a denial of service attack against the host. Linux versions from at least 2.6.39 onwards are vulnerable, when run in PV mode. Earlier versions differ significantly in behavior and may therefore instead surface other issues under the same conditions. Linux run in HVM / PVH modes is not vulnerable.

Official details: Two security issues have been identified in Citrix Hypervisor – https://support.citrix.com/article/CTX306565

CVE-2021-29649 – Linux kernel before 5.11.11. The user mode driver (UMD) has a copy_process() memory leak (30-03-2021)

Preface: A system with a serious kernel memory leak will quickly become unusable. Tracking down memory leaks can be painful work.

How do you find memory leaks in Linux?
Kmemleak provides a way of detecting possible kernel memory leaks in a way similar to a tracing garbage collector. CONFIG_DEBUG_KMEMLEAK in “Kernel hacking” has to be enabled. A kernel thread scans the memory every 10 minutes (by default). For more details please refer to link – https://www.kernel.org/doc/html/latest/dev-tools/kmemleak.html

Vulnerability details: An issue was discovered in the Linux kernel before 5.11.11. The user mode driver (UMD) has a copy_process() memory leak, related to a lack of cleanup steps in kernel/usermode_driver.c and kernel/bpf/preload/bpf_preload_kern.c.

Official details: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f60a85cad677c4f9bb4cadd764f1d106c38c7cf8

Impact: This vulnerability is currently awaiting analysis.

CVE-2021-29249: although the CVE record was announced late, it is still worth studying. (29th Mar 2021)

Preface: From an investment market perspective, blockchain might become the next-generation investment tool. Any so-called investment carries risk; hedge funds and currencies bought and sold on markets are risky, for instance. We have been living in this atmosphere for a long time, so there is nothing special about it.

BTCPay server background:
– MIT License.
– Anyone can deploy a server. Become a self-hosted payment processor and receive payments directly to your wallet.
– Your private key is never required. Non-custodial: BTCPay only needs an extended public key (xpub) to generate invoices.
– Code is open-source and can be inspected by security auditors and developers.

Vulnerability details: Invoice data is meant to be shared only between two parties, the buyer and the seller. Due to this vulnerability, however, outsiders may be able to create invoices in your store via the API, and thereby read data from your store.

Impact: BTCPay Server before 1.0.6.0 is affected when the payment button is used.

Remedy: Users of the payment button are strongly encouraged to update to 1.0.6.0 as soon as possible.

OpenSSL Security Advisory – 25th Mar 2021

Preface: If you are concerned about this OpenSSL vulnerability (CVE-2021-3449 & CVE-2021-3450), update your current installations to OpenSSL 1.1.1k.

Background: With OpenSSL, you can apply for your digital certificate (generate the Certificate Signing Request) and install the SSL files on your server. You can also convert your certificate into various SSL formats, as well as perform all kinds of verification.

Vulnerability Details: Exploiting these vulnerabilities could allow an attacker to use a valid non-certificate-authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition. The defect occurs when the X509_V_FLAG_X509_STRICT flag is enabled; this flag adds security checks on the certificates present in a certificate chain, and the error lies in those additional checks. The defect appears to be related to the presence of elliptic curve parameters. Further details are provided by the vendor.

Official details: https://www.openssl.org/news/secadv/20210325.txt

Security Focus: CVE-2021-21625 (Jenkins CloudBees AWS Credentials Plugin) 23rd Mar 2021

Background: You can refer to Amazon’s “Creating an IAM User in Your AWS Account” page to create this IAM user. Once this is done, you can add new credentials of type AWS Credentials (specifying your Access key ID and Secret access key), whereby the Amazon IAM access keys (AWSAccessKeyId and AWSSecretKey) are stored within the Jenkins Credentials store.

Vulnerability details: Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.

One of the possible reasons: In Java, a java.lang.NullPointerException is thrown when a reference variable that does not point to any object is accessed (dereferenced). The error can be prevented with a try-catch block, or with an if-else condition that checks whether the reference is null before dereferencing it.

Impact: the attacker might be able to use the resulting exception to bypass security logic.

Official announcement – https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2032

Zerologon vulnerability note – last revised (23rd Mar, 2021)

Preface: “Logic 0” and “logic 1” represent binary digits (0 and 1) or Boolean logic conditions (true and false). Zerologon is a vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers.

Background: The logon process in Windows NT was originally encrypted with 2DES, and it is in this logon encryption that the design weakness was found. MS-NRPC uses an obscure mode known as AES-CFB8 (Advanced Encryption Standard – Cipher Feedback, 8-bit). The use of AES-CFB8 within MS-NRPC has an issue with the Initialisation Vector (IV): it should be a random number, but MS-NRPC fixes it at 16 bytes of zeros.

Impact: Tom Tervoort of Secura discovered that, with the fixed IV, roughly one in every 256 keys used produces ciphertext that is all zeros. This gives a high-probability path to taking over the AD server. To change the password, attackers use the NetrServerPasswordSet2 message in MS-NRPC: a password can be changed simply by sending the frame with the preferred new password. The easiest approach is to remove the password or set it to a blank value, after which the attacker can log in through the normal process.

The enforcement phase began on February 9, 2021. From that date, the vendor enforces the following settings:

  • Enforces secure RPC usage for machine accounts on non-Windows based devices unless allowed by the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
  • Logging of Event ID 5829 is removed. Since all vulnerable connections are denied, you will now only see event IDs 5827 and 5828 in the System event log.

Official announcement: https://kb.cert.org/vuls/id/490028

Perhaps you have forgotten: a vulnerability in VMware View Planner (CVE-2021-21978) – 21st March 2021

Preface: The Secure Development Lifecycle (SDL): from requirements to design, and from coding to test, the SDL strives to build security into a product or application at every step of the development process.

Background: VMware View Planner is a workload generator that simulates typical user operations such as typing in Microsoft Word, playing a PowerPoint slideshow, reading Outlook emails, browsing PDF and Web pages and watching video.

Vulnerability details: The VMware View Planner web management interface has an endpoint for uploading log files. The path to which the log file is written is user-controllable, and no authentication is required. By overwriting the log-upload handler file with a crafted Python script, RCE can be achieved.

Remedy: Official details refer to link – https://www.vmware.com/security/advisories/VMSA-2021-0003.html

CVE-2021-3195 Improper Input Validation of Dumpwallet (19th Mar 2021)

Preface: In 2020, the public doubted Bitcoin and wondered whether it might die. In fact, its performance has been strong.

Background: Dumpwallet can dump all wallet keys in a human-readable format to a server-side file. When you use dumpwallet, expect to see several thousand lines. If you have not imported any scripts, you should have the same number of key lines as script lines, because each key has a SegWit script. SegWit (Segregated Witness) is the process by which the block size limit on a blockchain is increased by removing signature data from bitcoin transactions, and BIP173 is a way to encode SegWit transaction outputs. If you have imported any scripts, such as multisig scripts or addresses which are not yours, then you will see those scripts in the script lines as well.

Vulnerability details: Bitcoind is the Bitcoin Core daemon. A design weakness was found in dumpwallet: bitcoind in Bitcoin Core through 0.21.0 can create a new file in an arbitrary directory (e.g., outside the ~/.bitcoin directory) via a dumpwallet RPC call.

Impact: Arbitrary code execution is possible once such a file has been created, which raises the insider-threat risk level.

Status: No official announcement has been received stating that the bug has been fixed. For more details, please refer to the link – https://github.com/bitcoin/bitcoin/issues/20866

Validating input strings reduces the cyber attack surface of your web application – 16th Mar 2021

Synopsis: The package xmlhttprequest before 1.7.0 is vulnerable. CVE-2020-28502 was published on 5th March 2021.

Background: node-XMLHttpRequest is a wrapper for Node's built-in http client that emulates the browser XMLHttpRequest object. It can be used with JavaScript designed for browsers, to improve code reuse and allow the use of existing libraries.

Vulnerability details: This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Official details: https://nvd.nist.gov/vuln/detail/CVE-2020-28502

Current status: There is no fixed version for org.webjars.npm:xmlhttprequest-ssl.

Hints: Enhance preventive and detective controls. Use an allow-list filter, such as a regular expression (for example ^\w+), so that only the permitted characters get through and special characters are rejected.