Category Archives: Potential Risk of CVE

Das U-Boot Self-Referential DOS Partition Table Infinite Recursion Vulnerability Aug 2019

Vulnerability details: A crafted self-referential DOS partition table will cause all Das U-Boot versions through 2019.07-rc4 to infinitely recurse, causing the stack to grow infinitely and eventually either crash or overwrite other data.

Introduction: Das U-Boot is a popular primary bootloader, widely used in embedded devices to fetch data from different sources and run the next-stage code. In the technology and computer markets, this bootloader is most widely used to boot the Linux kernel. It is also commonly used in IoT, Kindle and ARM ChromeOS devices.

Remedy: The official remediation is to disable the DOS partition default sector value of 512, because it is not at all common to use large numbers of partitions. In addition, set a maximum recursion level (refer to the parameter shown in the attached diagram).
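As an added example (not U-Boot's own part_dos.c code), the following Python walker follows a DOS/MBR partition table through its extended-partition (EBR) chain the way a bootloader does, but refuses a table that points back at a sector already being parsed and caps the chain depth. MAX_EXT_DEPTH, make_table and sample_disk are constructed for this illustration.

```python
import struct

SECTOR = 512
TABLE_OFF = 446          # the four 16-byte partition entries start at byte 446
ENTRY_FMT = "<B3sB3sII"  # status, CHS first, type, CHS last, LBA start, sector count
EXTENDED_TYPES = {0x05, 0x0F, 0x85}
MAX_EXT_DEPTH = 8        # assumed cap on EBR chaining; the page does not give U-Boot's value

def walk_partitions(disk, cur=0, ext_base=0, depth=0, visited=None):
    """Return [(type, absolute start LBA, count)] for all non-extended partitions
    reachable from table sector `cur`; raise ValueError on loops or deep chains."""
    visited = set() if visited is None else visited
    if depth > MAX_EXT_DEPTH:
        raise ValueError("extended partition chain deeper than %d" % MAX_EXT_DEPTH)
    if cur in visited:  # the table points back at a sector that is already being parsed
        raise ValueError("self-referential partition table at sector %d" % cur)
    visited.add(cur)
    sector = disk[cur * SECTOR:(cur + 1) * SECTOR]
    if len(sector) != SECTOR or sector[510:] != b"\x55\xaa":
        raise ValueError("no boot signature at sector %d" % cur)
    found = []
    for i in range(4):
        _, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        if ptype in EXTENDED_TYPES:
            # in the MBR the pointer is absolute; in an EBR it is relative to the extended base
            base = lba if cur == 0 else ext_base
            target = lba if cur == 0 else ext_base + lba
            found += walk_partitions(disk, target, base, depth + 1, visited)
        else:
            found.append((ptype, cur + lba, count))  # logical starts are relative to their EBR
    return found

def make_table(entries):  # constructed 512-byte table sector from (type, lba, count) tuples
    sec = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sec, TABLE_OFF + 16 * i, 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sec[510:] = b"\x55\xaa"
    return bytes(sec)

def sample_disk(self_referential):
    """Constructed 8-sector image: MBR plus an extended partition at LBA 4 holding two
    EBRs; the crafted variant makes the MBR's extended entry point back at sector 0."""
    disk = bytearray(8 * SECTOR)
    disk[0:SECTOR] = make_table([(0x83, 1, 2), (0x05, 0, 8) if self_referential else (0x05, 4, 4)])
    disk[4 * SECTOR:5 * SECTOR] = make_table([(0x83, 1, 1), (0x05, 2, 2)])
    disk[6 * SECTOR:7 * SECTOR] = make_table([(0x83, 1, 1)])
    return bytes(disk)
```

Without the visited-set and depth checks, the crafted image would make walk_partitions call itself forever, which is the stack exhaustion the advisory describes.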

Please note that other vulnerabilities have also been found in Das U-Boot. The CVE identifiers are listed below:
CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204

The above vulnerabilities could let an attacker gain remote code execution on a U-Boot powered device when U-Boot is configured to fetch the next-stage boot resources over the network.

Official announcement on CVE-2019-13103: https://lists.denx.de/pipermail/u-boot/2019-July/375512.html

IoT devices security alert – CVE-2019-14379 Aug 2019

What is Jackson Databind used for? The Data Binding API converts JSON to and from POJOs (Plain Old Java Objects) using property accessors or annotations. It comes in two types. Simple Data Binding converts JSON to and from Java Maps, Lists, Strings, Numbers, Booleans and null objects.

What is Ehcache? Ehcache is an open source, standards-based cache that boosts performance, offloads your database, and simplifies scalability.

Vulnerability details: A vulnerability in the FasterXML jackson-databind library could allow an unauthenticated remote attacker to execute arbitrary code on the target system. This defect exists because the SubTypeValidator.java source code file of the affected software incorrectly handles default typing when Ehcache is used. An attacker could exploit this vulnerability by sending a request containing malicious input to the target system in order to execute arbitrary code.

Remedy: Update to jackson-databind release 2.9.9.2.

VMware Releases Security Updates for Multiple Products – August 3, 2019

Preface: Are GPUs vulnerable to hacker attacks?

Background: VMware Fusion provides OpenGL 2.1 support on virtual machines to enable 3D-accelerated desktops. 3D acceleration is not enabled by default on ESXi, but it is enabled by default on Workstation and Fusion.

Vulnerability details:

CVE-2019-5521 – may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on the host.

CVE-2019-5684 – This vulnerability can be exploited only if the host has an affected NVIDIA graphics driver. Successful exploitation of this issue may lead to code execution on the host.

Security Focus: The vendor provided no additional details, but we believe a possible way for a hacker to exploit the CVE-2019-5521 design weakness is a perfect timing attack (please refer to the photo). Apart from that, a hacker can use an out-of-bounds read/write to bypass address space layout randomization (ASLR). So, be alert!

Vendor announcement: please refer to the URL – https://www.vmware.com/security/advisories/VMSA-2019-0012.html

CVE-2019-10142 Freescale hypervisor management driver integer overflow in ioctl – Jul 2019

Preface: The Freescale hypervisor management driver provides several services to drivers and applications related to the Freescale hypervisor.

About: Integer overflows and other integer manipulation vulnerabilities frequently result in buffer overflows. An integer overflow occurs when an arithmetic operation results in a number that is too large to be stored in the space allocated for it.

Vulnerability details: The vulnerability exists due to an integer overflow in the Freescale hypervisor manager implementation in drivers/virt/fsl_hypervisor.c. A local guest user can send specially crafted data to the affected ioctl, trigger the integer overflow and execute arbitrary code on the target system.

Remedy: Kernel.org has released a software patch at the following link – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6a024330650e24556b8a18cc654ad00cfecf6c6c

Urgent 11 – Tremendous design limitation jeopardizes RTOS industry

Preface: Headline news – Critical VxWorks flaws expose millions of devices to hacking.

What is VxWorks? The VxWorks RTOS comprises the core capabilities of the Wind microkernel (not monolithic) along with advanced networking support, a powerful file system and I/O management, and C++ and other standard run-time support.

Vulnerability details: The vulnerabilities found in Wind River VxWorks, so-called Urgent11, include 6 remote code execution defects and 5 less serious flaws. The design limitation in the TCP/IP (IPnet) network stack lets hackers bypass traditional border and device security, and remotely exploit and take over key equipment, including SCADA equipment, industrial controllers, patient monitors, MRI machines, firewalls, VoIP phones and printers.

Vendor response – Please refer to the URL: https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/

Reference:

The stack is the temporary memory where variables are stored while a function is executing. The memory is cleaned up automatically when the job is done.

The heap is memory that the programmer can use for the application in a non-automatic way. The programmer may build a mechanism to free up memory after use.

Mitsubishi Electric FR Configurator2 – Input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Jul 2019

Preface: The Internet of Vehicles (IoV) is growing rapidly; at the same time, these vehicles are also potential targets for cyber attackers.

About Mitsubishi Electric FR Configurator2: From inverter startup to maintenance, FR Configurator2 allows the user to specify settings easily at the computer.

Vulnerability details:

CVE-2019-10976 – This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.

CVE-2019-10972 – This vulnerability can be triggered when an attacker provides the target with a rogue project file (.frc2). Once a user opens the rogue project, CPU exhaustion occurs, which causes the software to quit responding until the application is restarted.

Our comment – The impact of these vulnerabilities depends on the source of the infection, for example if a malicious project file (.frc2) is sent in a large-scale scam email campaign. Because of the software design weakness (input to the XML parser is not sanitized while parsing the XML project), and because the interconnect between the car CPU and the inverter is USB, this could perhaps give an attacker a way to use malware to infect the car CPU (refer to the attached infographic). So we must stay alert to these vulnerabilities.

CVE-2019-4415 IBM Cloud Private privilege escalation Jul 2019

Preface: According to 2018 market statistics, growth in cloud revenues appears to be strongest for Microsoft and weakest for IBM.

Vulnerability details: In IBM Cloud Private on OpenShift, the icp-scc SecurityContextConstraints is erroneously assigned to all pods in all namespaces.

Remedy: For IBM Cloud Private 3.1.1 or 3.1.2:

To resolve the issue, run the following kubectl commands on the master node:

  1. kubectl patch scc icp-scc --type='json' -p='[{"op": "remove", "path": "/groups"}]'
  2. kubectl patch scc icp-scc --type='json' -p='[{"op": "add", "path": "/users", "value": ["system:serviceaccount:kube-system:default", "system:serviceaccount:istio-system:default", "system:serviceaccount:icp-system:default", "system:serviceaccount:cert-manager:default"] }]'

Reference:

The privileged SCC allows:

  • Users to run privileged pods
  • Pods to mount host directories as volumes
  • Pods to run as any user
  • Pods to run with any MCS label
  • Pods to use the host’s IPC namespace
  • Pods to use the host’s PID namespace
  • Pods to use any FSGroup
  • Pods to use any supplemental group
  • Pods to use any seccomp profiles
  • Pods to request any capabilities

The restricted SCC:

  • Ensures that pods cannot run as privileged.
  • Ensures that pods cannot mount host directory volumes.
  • Requires that a pod run as a user in a pre-allocated range of UIDs.
  • Requires that a pod run with a pre-allocated MCS label.
  • Allows pods to use any FSGroup.
  • Allows pods to use any supplemental group.

Supplement: CVE-2019-4439 – IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 do not invalidate the session after logout, which could allow a local user to impersonate another user on the system.

Remedy – For IBM Cloud Private 3.1.2, apply the patch: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.2-build520356-23797&includeSupersedes=0

CVE-2019-1579 VPN solution impacts Uber, other enterprises may be at risk Jul 2019

Preface: The IoT will change the taxi industry. Uber's business concept makes it the industry leader; perhaps because their concept and ideas are so advanced, cyber security is one of their major concerns.

Vulnerability details: Palo Alto Networks PAN-SA-2019-0020 (CVE-2019-1579): Remote Code Execution vulnerability in the GlobalProtect Portal/Gateway Interface, especially on SSL web VPN applications. The vendor took preventive action: a survey was conducted of all Palo Alto SSL VPNs around the world to see whether any large corporations were using the vulnerable GlobalProtect, and Uber is one of them! From our survey, Uber owns about 22 servers running GlobalProtect around the world, for instance vpn.awscorp.uberinternal.com.

Remark: Uber announced that the vulnerable SSL VPN solution was not the primary VPN in use by the majority of staff members. Their VPN gateway was hosted in AWS rather than embedded within core infrastructure, so the potential impact is low risk.

Our comment: The vendor did not provide the vulnerability details, but do you think the details in the attached infographic may trigger similar attacks?

Remedy: Available Updates – PAN-OS 7.1.19 and later, PAN-OS 8.0.12 and later, and PAN-OS 8.1.3 and later releases.

CVE-2019-13132 Zeromq libzmq Stack Buffer Overflow Arbitrary Code Execution Vulnerability Jul 2019

Preface: Message queues are unnecessary and cause a lot of overhead (setting up such a system can be a lot of work).

Product background: ZeroMQ libzmq
A simple synchronous system will just receive a request from the client, perform an operation (anything from retrieving some data from the server to uploading an image) and return a response.

Vulnerability details: A vulnerability in ZeroMQ libzmq could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The problem is a stack overflow that overwrites the stack with arbitrary data, due to a buffer overflow in the library. All versions from 4.0.0 upwards are affected.

Reference: The stack is the temporary memory where variables are stored while a function is executing. The memory is cleaned up automatically when the job is done.

Remedy: ZeroMQ has released a software update. For more information, see the URL: https://github.com/zeromq/libzmq/releases

Even though you deployed SSL, stay alert in the Python IoT world (CVE-2018-18074)

Preface: The invention of the IoT sensor looks like a contingent driving the smart city. At the same time, the Python programming language gives life to the Internet of Things.

Security Focus: Even though IoT devices and their back-end facilities deploy SSL certificates, this cannot prevent data leakage caused by a programming-language flaw.

Vulnerability details: The vulnerability exists because the affected software does not remove the HTTP Authorization header when performing HTTPS to HTTP redirects with the same hostname, which may allow user credentials to be transmitted in clear text. A successful exploit could allow the attacker to access sensitive information, such as user credentials and web server information. For more details, please refer to the attached diagram.

Remedy: Python's requests project has released a software update; please refer to the URL: https://github.com/psf/requests/releases
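As an added illustration (not the requests project's own code), a simplified version of the redirect policy at the heart of this CVE: the pre-fix check compared hostnames only, so an HTTPS-to-HTTP redirect on the same host kept the Authorization header, while the hardened check also strips it on a scheme downgrade (the real library additionally reasons about ports, which is omitted here). ROUTES and fake_fetch are a constructed stand-in for a backend, and the token value is made up.

```python
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

def should_strip_auth(old_url, new_url, check_downgrade=True):
    """Return True if the Authorization header must be dropped before following the
    redirect old_url -> new_url. check_downgrade=False reproduces the pre-fix policy,
    which compared hostnames only (the CVE-2018-18074 behaviour)."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True  # credentials never travel to a different host
    if check_downgrade and old.scheme == "https" and new.scheme == "http":
        return True  # same host, but the next hop would carry the header in clear text
    return False

def follow_redirects(fetch, url, headers, check_downgrade=True, max_hops=5):
    """Follow a redirect chain; return [(url, Authorization still attached?)] per hop."""
    headers = dict(headers)
    hops = [(url, "Authorization" in headers)]
    for _ in range(max_hops):
        status, location = fetch(url, headers)
        if status not in REDIRECT_CODES or not location:
            return hops
        if should_strip_auth(url, location, check_downgrade):
            headers.pop("Authorization", None)
        url = location
        hops.append((url, "Authorization" in headers))
    raise RuntimeError("too many redirects")

# Constructed stand-in for a backend: the HTTPS endpoint redirects to plain HTTP on
# the same host, which is exactly the hop the hostname-only check lets through.
ROUTES = {
    "https://api.example.test/v1/data": (302, "http://api.example.test/v1/data"),
    "http://api.example.test/v1/data": (200, None),
}

def fake_fetch(url, headers):
    return ROUTES[url]

def header_reaches_http(check_downgrade):
    """True if the Authorization header is still attached on the plain-HTTP hop."""
    hops = follow_redirects(fake_fetch, "https://api.example.test/v1/data",
                            {"Authorization": "Bearer constructed-token"}, check_downgrade)
    return dict(hops)["http://api.example.test/v1/data"]
```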