Category Archives: Potential Risk of CVE

CVE-2021-29249: although the CVE record was announced late, it is still worth studying. (29th Mar 2021)

Preface: From an investment market perspective, blockchain might become the next-generation investment tool. Any so-called investment carries risk; for instance, hedge funds and currencies bought and sold on markets are risky. We have been living in this atmosphere for a long time, so it no longer feels special.

BTCPay server background:
– MIT License.
– Anyone can deploy a server and become a self-hosted payment processor, receiving payments directly to their wallet.
– Your private key is never required (non-custodial). BTCPay only needs the xpubkey (public key) to generate invoices.
– Code is open-source and can be inspected by security auditors and developers.

Vulnerability details: The data is shared only between two parties, the buyer and the seller. However, due to a vulnerability, outsiders may be able to create invoices in your store via the API, and may therefore be able to read the data in your store.

Impact: BTCPay Server before 1.0.6.0 is vulnerable when the payment button is used.

Remedy: Because of this vulnerability, users of the payment button are strongly encouraged to update to 1.0.6.0 as soon as possible.

OpenSSL Security Advisory – 25th Mar 2021

Preface: If you have doubts about these OpenSSL vulnerabilities (CVE-2021-3449 & CVE-2021-3450), you should update your current installations to OpenSSL 1.1.1k.

Background: With OpenSSL, you can apply for your digital certificate (generate the Certificate Signing Request) and install the SSL files on your server. You can also convert your certificate into various SSL formats and perform all kinds of verifications.

Vulnerability Details: Exploitation of these vulnerabilities could allow an attacker to use a valid non-certificate-authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition.
The design defect occurs when the X509_V_FLAG_X509_STRICT flag is enabled: the error lies in the additional security checks applied to the certificates present in a certificate chain.
The defect is perhaps related to the handling of elliptic curve parameters.
Further details have to be provided by the vendor.

Official details: https://www.openssl.org/news/secadv/20210325.txt
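The advisory entry above boils down to one operational question: which of my hosts still run a 1.1.1-series OpenSSL older than 1.1.1k? The following Python is an added example, not code from OpenSSL or from this blog, that parses the output of `openssl version` and triages a constructed host inventory. It assumes only what the page states (update the 1.1.1 line to 1.1.1k); other branches are deliberately left out of the comparison.

```python
import re

# Fix level named on the advisory page above: OpenSSL 1.1.1k.
FIXED_1_1_1 = "1.1.1k"

# OpenSSL 1.x version strings look like 1.1.1k: three numbers plus an optional
# patch letter. The letter sorts alphabetically (1.1.1a < 1.1.1b < ... < 1.1.1k).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_openssl_version(text: str) -> tuple:
    """Extract (major, minor, patch, letter) from text such as
    'OpenSSL 1.1.1j  16 Feb 2021' (the output of `openssl version`) or '1.1.1k'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def needs_update_for_20210325(text: str) -> bool:
    """True when the text reports a 1.1.1-series build older than 1.1.1k.
    Scope note (an assumption of this checker, not a claim of the page): only the
    1.1.1 line is compared; other branches return False and should be assessed
    against the advisory separately."""
    version = parse_openssl_version(text)
    if version[:3] != (1, 1, 1):
        return False
    return version < parse_openssl_version(FIXED_1_1_1)


# Constructed inventory: hostname -> output of `openssl version` on that host.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.1.1j  16 Feb 2021",
    "web-02": "OpenSSL 1.1.1k  25 Mar 2021",
    "lb-01": "OpenSSL 1.1.1  11 Sep 2018",
    "legacy-01": "OpenSSL 1.0.2u  20 Dec 2019",
}


def hosts_needing_update(inventory: dict) -> list:
    """Return the sorted hostnames whose reported version is below 1.1.1k."""
    return sorted(h for h, v in inventory.items() if needs_update_for_20210325(v))


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update to {FIXED_1_1_1}")
```

For the OpenSSL that a Python runtime itself links against, `ssl.OPENSSL_VERSION` returns a string in the same format and can be fed straight into `needs_update_for_20210325`.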

Security Focus: CVE-2021-21625 (Jenkins CloudBees AWS Credentials Plugin) 23rd Mar 2021

Background: You can refer to Amazon’s “Creating an IAM User in Your AWS Account” page to create this IAM user. Once this is done, you can add new credentials of type Aws Credentials (specifying your Access key ID and Secret access key). This lets the plugin store Amazon IAM access keys (AWSAccessKeyId and AWSSecretKey) within the Jenkins Credentials store.

Vulnerability details: Jenkins CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins in some circumstances.

One of the possible reasons: In Java, a java.lang.NullPointerException is thrown when a reference variable that does not point to any object is accessed (dereferenced). This error can be avoided with a try-catch block or an if-else condition that checks whether the reference is null before dereferencing it.

Impact: an attacker might be able to use the resulting exception to bypass security logic.

Official announcement – https://www.jenkins.io/security/advisory/2021-03-18/#SECURITY-2032
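The two points made above (a shared helper with no permission check of its own, and an exception that lets a caller slip past the check) are easiest to see side by side. The Python below is an added illustration written for this page, not the plugin's code and not Jenkins API. "Overall/Read" comes from the advisory text; "Credentials/View" is assumed here as the stronger permission a credential listing should require, and the credential IDs are constructed.

```python
class PermissionDenied(Exception):
    """Raised when the caller lacks the permission an endpoint requires."""


class User:
    """Minimal stand-in for an authenticated principal (constructed for this example)."""

    def __init__(self, name: str, permissions):
        self.name = name
        self.permissions = frozenset(permissions)


# Constructed sample: IDs of AWS credentials held in the credentials store.
# Only the IDs are modelled; no key material appears anywhere in this example.
AWS_CREDENTIAL_IDS = ["aws-deploy-prod", "aws-ci-readonly"]

# "Overall/Read" is named in the advisory above; "Credentials/View" is an assumed
# name for the stronger permission a listing should require.
READ = "Overall/Read"
VIEW_CREDENTIALS = "Credentials/View"


def list_credential_ids_unchecked(user) -> list:
    """'Before' pattern: a helper shared by several HTTP endpoints that assumes every
    caller already authorised the request. Any endpoint that forgets the check
    hands the IDs to anyone holding only Overall/Read."""
    return list(AWS_CREDENTIAL_IDS)


def list_credential_ids_checked(user) -> list:
    """'After' pattern: the helper enforces the check itself and fails closed.
    A missing (None) user is rejected explicitly instead of being dereferenced."""
    if user is None or VIEW_CREDENTIALS not in user.permissions:
        raise PermissionDenied(f"{VIEW_CREDENTIALS} required")
    return list(AWS_CREDENTIAL_IDS)


def endpoint_exception_bypass(user) -> list:
    """Models the 'Impact' line above. The check dereferences the user without a
    None test (Python's AttributeError is the analogue of NullPointerException),
    and a broad handler treats that failure as 'nothing to enforce'."""
    try:
        if VIEW_CREDENTIALS not in user.permissions:  # AttributeError when user is None
            raise PermissionDenied(f"{VIEW_CREDENTIALS} required")
    except PermissionDenied:
        raise
    except Exception:
        pass  # best-effort handling: the unexpected exception is swallowed, we fall through
    return list_credential_ids_unchecked(user)


def endpoint_fail_closed(user) -> list:
    """Hardened endpoint: every path that is not an explicit allow ends in a denial."""
    try:
        return list_credential_ids_checked(user)
    except PermissionDenied:
        return []  # in a real handler: respond 403 and log the denial
```

The design point is that the check belongs in the helper that returns the data, and that an unexpected exception inside an authorisation check must be treated as a denial, never as "no policy applies".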

Zerologon vulnerability note – last revised (23rd Mar, 2021)

Preface: “Logic 0” and “logic 1” represent binary digits (0 and 1) or Boolean logic conditions (true and false). Zerologon is a vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers.

Background: The algorithm originally used to encrypt the logon process in Windows NT was 2DES, and a design weakness is found in this area. MS-NRPC uses an obscure mode known as AES-CFB8 (Advanced Encryption Standard, Cipher Feedback with 8-bit segments). However, the use of AES-CFB8 within MS-NRPC has an issue with the Initialisation Vector (IV): it should be a random number, but MS-NRPC fixes it at 16 bytes of zeros.

Impact: Tom Tervoort from Secura discovered that one in every 256 keys will produce ciphertext consisting entirely of zeros. This gives a high-probability way to take over (root) the AD server. To change the password, attackers use the NetServerPasswordSet2 message in MS-NRPC; a password can be changed simply by sending the frame with the preferred new password. The easiest approach is to remove the password or set it to a blank value, after which the attacker can log in through the normal process.
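Why a fixed all-zero IV turns "1 in 256 keys" into all-zero ciphertext is a property of the CFB8 mode itself, and it can be shown without any Netlogon traffic. The Python below is an added example for this page (not Secura's or Microsoft's code). Its block function is a keyed hash truncated to 16 bytes standing in for AES-128 so the example runs with the standard library alone; the assumption is that the argument depends only on the mode, not on the cipher. Keys are constructed from a counter.

```python
import hashlib

BLOCK_SIZE = 16
ZERO_IV = bytes(BLOCK_SIZE)


def stand_in_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES-128 block function so the example runs without a crypto
    library: a keyed hash truncated to one block. It is NOT AES (assumption: any good
    16-byte block cipher behaves the same for the argument made here, because the
    defect lives in how CFB8 is driven, not in the cipher)."""
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB with 8-bit segments: each plaintext byte is XORed with the first byte of
    E(key, shift_register); the resulting ciphertext byte is shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = stand_in_block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        del register[0]
        register.append(c)
    return bytes(out)


def is_weak_key(key: bytes) -> bool:
    """With a fixed all-zero IV and all-zero plaintext the register starts at 0^16, so the
    first keystream byte is E(key, 0^16)[0]. If that byte is 0x00 the ciphertext byte is 0,
    the register stays all zeros, and every following byte is 0 too. One key in 256 has
    this property, which is the 1/256 figure quoted above."""
    return stand_in_block_encrypt(key, ZERO_IV)[0] == 0


def zero_ciphertext_for_zero_input(key: bytes, iv: bytes = ZERO_IV, length: int = 16) -> bool:
    """True when `length` zero bytes encrypt to `length` zero bytes under (key, iv)."""
    return cfb8_encrypt(key, iv, bytes(length)) == bytes(length)


def find_weak_key(start: int = 0) -> bytes:
    """Deterministic search over constructed keys (a counter encoded as a 16-byte key)."""
    i = start
    while not is_weak_key(i.to_bytes(BLOCK_SIZE, "big")):
        i += 1
    return i.to_bytes(BLOCK_SIZE, "big")


def weak_key_fraction(trials: int = 8192) -> float:
    """Empirical share of weak keys across `trials` constructed keys; expect about 1/256."""
    hits = sum(is_weak_key(i.to_bytes(BLOCK_SIZE, "big")) for i in range(trials))
    return hits / trials


if __name__ == "__main__":
    weak = find_weak_key()
    print("weak key found:", weak.hex())
    print("zero IV  -> all-zero output:", zero_ciphertext_for_zero_input(weak))
    print("fresh IV -> all-zero output:", zero_ciphertext_for_zero_input(weak, iv=b"\x01" * 16))
    print("fraction of weak keys:", weak_key_fraction())
```

With a per-message random IV the register never starts all-zero, so a weak key no longer forces all-zero output; that is the mitigation side of the argument. On the detection side, the event IDs 5827 and 5828 listed further down are what record denied vulnerable connections once enforcement is on.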

February 9, 2021 marked the start of the enforcement phase, and the vendor therefore enforces the following settings.

  • Enforces secure RPC usage for machine accounts on non-Windows-based devices unless allowed by the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
  • Logging of Event ID 5829 will be removed. Since all vulnerable connections are denied, you will now only see event IDs 5827 and 5828 in the System event log.

Official announcement: https://kb.cert.org/vuls/id/490028

Perhaps you will forget: vulnerability in VMware View Planner (CVE-2021-21978) – 21st March 2021

Preface: The Secure Development Lifecycle (SDL): from requirements to design, and from coding to testing, the SDL strives to build security into a product or application at every step of the development process.

Background: VMware View Planner is a workload generator that simulates typical user operations such as typing in Microsoft Word, playing a PowerPoint slideshow, reading Outlook emails, browsing PDF and Web pages and watching video.

Vulnerability details: The VMware View Planner web management interface has an entry point for uploading log files.
The path of the uploaded log file is user-controllable, and the file is written without authentication.
By overwriting the log-upload function’s own file with a crafted Python script, RCE can be achieved.

Remedy: For official details refer to the link – https://www.vmware.com/security/advisories/VMSA-2021-0003.html

CVE-2021-3195 Improper Input Validation of Dumpwallet (19th Mar 2021)

Preface: In 2020, the public doubted whether Bitcoin might die. The fact is, its performance has been strong.

Background: dumpwallet can dump all wallet keys in a human-readable format to a server-side file. When you use dumpwallet, you should expect to see several thousand lines. If you have not imported any scripts, you should have the same number of key lines as script lines,
because each key has a SegWit script. SegWit is the process by which the block size limit on a blockchain is increased by removing signature data from bitcoin transactions. BIP173 is a way to encode SegWit transaction outputs. If you have imported any scripts, such as multisig scripts or addresses which are not yours, you will see those scripts in the script lines as well.

Vulnerability details: bitcoind is the Bitcoin Core daemon. A design weakness was found in dumpwallet: bitcoind in Bitcoin Core through 0.21.0 can create a new file in an arbitrary directory (e.g., outside the ~/.bitcoin directory) via a dumpwallet RPC call.

Impact: Arbitrary code execution becomes possible once such a file is created, which raises the insider threat risk level.

Status: No official announcement has been received stating that the bug has been fixed. For more details, please refer to the link – https://github.com/bitcoin/bitcoin/issues/20866
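The View Planner entry (an unauthenticated upload whose destination path the client controls, used to overwrite a server-side script) and the dumpwallet entry (an RPC that writes a file wherever the caller points it) share one root cause: a caller-chosen path that is written without being confined to an allowed directory. The Python below is an added example written for this page, not VMware's or Bitcoin Core's code, showing the confinement check a defender would expect on both sides: reject absolute paths and parent references, resolve symlinks before comparing against the base directory, and never overwrite an existing file on an upload path. All file names and directories are constructed; the demo writes only into a scratch directory it creates.

```python
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a caller-supplied path would escape the permitted directory."""


def confine_path(base_dir: str, user_supplied: str) -> Path:
    """Resolve `user_supplied` relative to `base_dir` and refuse anything that escapes it:
    absolute paths, '..' components, empty names, and symlinked prefixes that resolve outside."""
    base = Path(base_dir).resolve()
    candidate = Path(user_supplied)
    if not candidate.parts:
        raise UnsafePath("empty path")
    if candidate.is_absolute():
        raise UnsafePath(f"absolute path not allowed: {user_supplied!r}")
    if ".." in candidate.parts:
        raise UnsafePath(f"parent reference not allowed: {user_supplied!r}")
    target = (base / candidate).resolve()  # follows symlinks in any existing prefix
    if target != base and base not in target.parents:
        raise UnsafePath(f"path escapes {base}: {user_supplied!r}")
    return target


def save_upload(upload_dir: str, requested_name: str, data: bytes) -> Path:
    """Log-upload handler pattern (cf. the View Planner entry): keep only the final
    path component of the requested name, confine it to upload_dir, and never
    overwrite an existing file, so a crafted name cannot replace server code."""
    target = confine_path(upload_dir, Path(requested_name).name)
    try:
        with open(target, "xb") as fh:  # 'x' = exclusive create; fails if the file exists
            fh.write(data)
    except FileExistsError:
        raise UnsafePath(f"refusing to overwrite existing file: {target}")
    return target


def dump_file_path(dump_dir: str, requested: str) -> Path:
    """RPC-style 'write this dump to <filename>' pattern (cf. the dumpwallet entry):
    the caller may pick a name, even a subdirectory, but only below dump_dir."""
    target = confine_path(dump_dir, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    return target


def run_demo() -> dict:
    """Exercise the helpers against constructed inputs in a scratch directory."""
    scratch = tempfile.mkdtemp(prefix="confine-demo-")
    results = {}
    for label, name in [("traversal", "../../etc/crontab"),
                        ("absolute", "/etc/passwd"),
                        ("empty", "")]:
        try:
            confine_path(scratch, name)
            results[label] = "accepted"
        except UnsafePath:
            results[label] = "rejected"
    first = save_upload(scratch, "../../handler.py", b"first upload\n")
    results["upload_confined"] = (first.parent == Path(scratch).resolve()
                                  and first.name == "handler.py")
    try:
        save_upload(scratch, "handler.py", b"second upload\n")
        results["overwrite"] = "accepted"
    except UnsafePath:
        results["overwrite"] = "rejected"
    dump = dump_file_path(scratch, "dumps/wallet-2021-03-19.txt")
    results["dump_confined"] = Path(scratch).resolve() in dump.parents
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two details matter in practice: the base directory is resolved before the comparison so that `/var` vs `/private/var` style symlinks do not produce false escapes, and the exclusive-create open mode closes the window between "does the file exist?" and "write it" that a separate existence check would leave open.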

Validation of the input string reduces the cyber attack surface of your web application – 16th Mar 2021

Synopsis: The package xmlhttprequest before 1.7.0 has a vulnerability. CVE-2020-28502 was published on 5th March 2021.

Background: node-XMLHttpRequest is a wrapper for the built-in http client to emulate the browser XMLHttpRequest object.
This can be used with JS designed for browsers to improve reuse of code and allow the use of existing libraries.

Vulnerability details: This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Official details: https://nvd.nist.gov/vuln/detail/CVE-2020-28502

Current status: There is no fixed version for org.webjars.npm:xmlhttprequest-ssl.

Hints: Enhance preventive and detective controls. Use something like a filter (for example, the regular expression ^\w+) so that only the allowed characters are accepted.
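The hint above is sound, but `^\w+` on its own anchors only the start of the string, so a prefix-only match still lets anything after the first word through; `^\w+$` is better but `$` also matches just before a trailing newline, and `\w` is Unicode-aware by default. The Python below is an added example for this page (not the library's code) that puts the page's filter beside a strict allow-list so the difference is visible on constructed inputs.

```python
import re

# The page's hint, '^\w+', anchors only the start of the string: re.match stops after the
# first run of word characters and ignores whatever follows. The allow-list below anchors
# both ends and uses ASCII semantics, so only [A-Za-z0-9_] of bounded length gets through.
PREFIX_ONLY = re.compile(r"^\w+")
WHOLE_STRING_DOLLAR = re.compile(r"^\w+$")   # '$' still matches before a trailing newline
ALLOW_LIST = re.compile(r"\w+", re.ASCII)    # used with fullmatch below


def accepted_by_prefix_filter(value: str) -> bool:
    """What the unanchored form accepts: anything that merely starts with a word."""
    return PREFIX_ONLY.match(value) is not None


def accepted_by_dollar_anchor(value: str) -> bool:
    """'^\\w+$' looks fully anchored, but '$' also matches just before a final newline."""
    return WHOLE_STRING_DOLLAR.match(value) is not None


def accepted_by_allow_list(value: str, max_len: int = 64) -> bool:
    """Strict form: whole-string match, ASCII word characters only, bounded length."""
    return 0 < len(value) <= max_len and ALLOW_LIST.fullmatch(value) is not None


def validate_param(value: str, max_len: int = 64) -> str:
    """Validate a value before it reaches something like xhr.send(); reject, never 'clean up'."""
    if not accepted_by_allow_list(value, max_len):
        raise ValueError(f"rejected input: {value!r}")
    return value


# Constructed inputs: a benign token, a value with shell metacharacters appended,
# a trailing newline, a non-ASCII word, and an over-long value.
SAMPLE_INPUTS = ["order_42", "order_42; echo injected", "order_42\n", "ordé", "a" * 65]


def classify(inputs=SAMPLE_INPUTS) -> dict:
    """Map each input to which of the three filters would accept it."""
    return {
        v: {"prefix": accepted_by_prefix_filter(v),
            "dollar": accepted_by_dollar_anchor(v),
            "allow_list": accepted_by_allow_list(v)}
        for v in inputs
    }


if __name__ == "__main__":
    for value, verdicts in classify().items():
        print(f"{value!r:32} {verdicts}")
```

Rejecting rather than stripping disallowed characters keeps the validation decision auditable: a rejected request shows up in logs as such, which is the detective control the hint asks for.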

F5 network products cover a wide range. When a vulnerability occurs, it should be remedied as soon as possible. (CVE-2021-22991 – 12th Mar 2021)

Preface: F5 network products are commonly deployed in data centers and in on-premises Internet-facing infrastructure.

Background: F5 Networks’ Traffic Management Operating System (TMOS) is not a separate operating system. It is the software foundation for all of F5’s network or traffic (not data) products, on both physical and virtual platforms. TMM is the core component of TMOS: it handles all network activities and communicates directly with the network switch hardware (or with vNICs for VE, the Virtual Edition). TMM also controls communications to and from the HMS. Local Traffic Manager (LTM) and other modules run within the TMM.

Vulnerability details: The vulnerability allows an attacker to make use of uninitialized memory. Uninitialized memory means reading data from a buffer that was allocated but never filled with initial values; the data is used before it is initialized. Finally, when `wrapped_umem_alloc` is used for heap allocations, this also leads to a direct crash of the TMM due to a heap buffer overflow.

Official announcement: https://support.f5.com/csp/article/K56715231

Message from F5 Network – To Whom it may concern (11-03-2021)

Preface: From a technical point of view, the attacker casts the returned void* to an int* and starts using it. This is one of the modern cyber attack techniques.

Background: An attacker would have to overwrite the return address with an address such as “…………….” where a “JMP RSP” instruction sits, and continue with their shellcode after this address. In this way even hardened system appliances can become vulnerable. Can we say this is a design weakness in the coding? Or is the memory protection simply not enough?

Technical details: The F5 BIG-IP offers many programmable interfaces, from the control plane to the data plane.
iControl REST – REST-based API for imperative configuration and service control of BIG-IP from remote applications.
iControl (SOAP) – SOAP-based API for imperative configuration and service control of BIG-IP from remote applications.

Vulnerability details:

CVE-2021-22986 – The iControl REST interface has an unauthenticated remote command execution vulnerability. CVSS score: 9.8 (Critical)
CVE-2021-22987 – When running in Appliance mode, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has an authenticated remote command execution vulnerability in undisclosed pages. CVSS score: 9.9 (Critical)

Official announcement: https://support.f5.com/csp/article/K02566623

SAP Security Patch Day – March 2021: Don’t forget to check your business client software.

Preface: In the history of SAP Business Client, it was rare to offer a Chromium web browser control based on CefSharp (CEF, the open-source version of Google Chrome) as an alternative rendering engine to Microsoft IE. In 2018 the dream came true.

SAP Business Client software technical background: If the local client web browser does not work, SAP client software enforces a fallback of the default browser control to Internet Explorer. Unfortunately, Chrome vulnerabilities are being exploited in the wild. According to CVE-2021-2116, a remote attacker could exploit some of these vulnerabilities to trigger denial of service, remote code execution, security restriction bypass and sensitive information disclosure on the targeted system.

Reference: Chrome OS can be vulnerable to malicious extensions from badly programmed 3rd-party apps. It can also put your system at risk if you choose to run an extension “unsandboxed.”

Official announcement (SAP Security Patch Day – March 2021): please refer to the link – https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107