
Table of contents

1. OA system
2. E-mail
3. Web middleware
4. Source code management
5. Project management system
6. Open source operation and maintenance monitoring
7. Bastion host

1. OA system

Weaver (Fanwei) E-cology OA

  • Weaver OA E-cology (CNVD-2019-32204) remote command execution vulnerability

a. Vulnerability analysis

The vulnerability lies in the BeanShell component of E-cology. The BeanShell interface can be reached without authentication, and it applies no filtering to the user request it receives, which ultimately allows remote command execution. BeanShell is, put simply, a small Java interpreter that can be embedded in other programs to execute Java code dynamically, comparable to the dynamic compilation feature of C#.

b. Affected versions

E-cology 7.0
E-cology 8.0
E-cology 8.1
E-cology 9.0

c. Repair suggestions

Download the official patch.

d. Source

/r0eXpeR/redteam_vul

  • Weaver OA WorkflowCenterTreeData interface SQL injection

a. Vulnerability analysis

The WorkflowCenterTreeData interface of the OA system performs no security checks on the SQL statements it builds for Oracle databases. An attacker can use the string concatenation to inject a malicious payload, resulting in SQL injection. In short, when an Oracle database is used, the WorkflowCenterTreeData interface of Weaver E-cology OA does not filter input strictly, and a SQL injection vulnerability exists.

b. Scope of impact

All Weaver sites that use an Oracle database may be affected.

c. Repair suggestions

The vendor has not yet released a patch, and all Weaver sites that use an Oracle database may be affected. Site administrators are asked to take the site offline until the official patch is released.

d. Source

/r0eXpeR/redteam_vul

  • Weaver E-cology OA database configuration information leak

a. Vulnerability analysis

The /mobile/ path of the Weaver E-cology OA system can be accessed without authorization; after decrypting the returned data, the database configuration information can be obtained directly.

b. Repair suggestions

Disable access to /mobile/.

c. Source

/r0eXpeR/redteam_vul

  • Weaver OA E-Bridge (Cloud Bridge) unauthenticated arbitrary file read

a. Vulnerability analysis

E-Bridge is system integration middleware developed by Shanghai Weaver in the "Internet+" context to bridge open Internet resources and enterprise information systems. Weaver E-Bridge contains an arbitrary file read vulnerability; an attacker who exploits it can read any file and obtain sensitive information.

b. Affected versions

Multiple versions from 2018-2019

c. Repair suggestions

Disable the application route /file/fileNoLogin.

d. Source

/yuzly/p/

  • Weaver E-cology OA front-end SQL injection vulnerability

a. Vulnerability analysis

The WorkflowCenterTreeData interface of the OA system does not filter user input securely, and the malicious SQL statement is passed on to the Oracle database, resulting in a SQL injection vulnerability.

b. Scope of impact

Weaver E-cology OA systems using an Oracle database

c. Repair suggestions

The vendor has released patches on its official website; update as soon as possible.

d. Source

/ffx1/p/

  • Weaver OA /ServiceAction/ keywordid parameter SQL injection vulnerability

a. Vulnerability analysis

In the Weaver OA system, the keywordid parameter of /ServiceAction/ is not filtered strictly, resulting in SQL injection. A remote attacker can use this vulnerability to read sensitive information.

b. Scope of impact

Weaver OA systems using an Oracle database

c. Repair suggestions

The vendor has released patches on its official website; update as soon as possible.

d. Source

/vuldb/ssvid-91089

Seeyon (Zhiyuan) OA

  • Seeyon OA A8 htmlofficeservlet getshell vulnerability

a. Vulnerability analysis

Seeyon OA also has a large user base in China, and the htmlofficeservlet getshell vulnerability surfaced during the 2019 offensive and defensive drills.

b. Scope of impact

Seeyon A8-V5 collaborative management software V6.1sp1
Seeyon A8+ collaborative management software V7.0, V7.0sp1, V7.0sp2, V7.0sp3
Seeyon A8+ collaborative management software V7.1

c. Repair suggestions

1. Apply patches promptly

2. Block the requests with a WAF

d. Source

/nul1/p/

  • Seeyon OA A8 unauthorized access

a. Vulnerability analysis

Seeyon A8-V5 collaborative management software has an unauthorized access flaw: with ordinary user privileges it is possible to access system-privilege pages and obtain a large amount of cached information, such as user data. Testing with a weak-password user found through the previously submitted vulnerability "Seeyon A8-V5 collaborative management software log information leak (affects all V5)" confirmed that the unauthorized access still exists and that ordinary user privileges are enough to reach the system-privilege pages and read the cached information.

b. Scope of impact

Seeyon OA A8

c. Repair suggestions

Download the latest version from the vendor.

d. Source

/AtesetEnginner/p/

  • Seeyon A8-V5 arbitrary user password modification vulnerability

a. Vulnerability analysis

There are two vulnerabilities in Seeyon A8-V5:

First, captcha bypass and credential stuffing. Seeyon A8-V5 has a logic error in its design: when a user changes the password, the original password is verified, but the service that performs this verification can be reached without authorization. The system answers the original-password verification request even from an unauthenticated caller, so passwords can be tried without the captcha and without going through the login page.

Second, modification of any user's password. Seeyon A8-V5 has a further logic error: after the original password has been verified in the previous step, it is not checked again in the next step, so the user's password can be changed directly. This is a horizontal privilege (parallel permission) vulnerability.

b. Scope of impact

Seeyon OA A8-V5

c. Repair suggestions

The vulnerable location is /seeyon/htmlofficeservlet; ACL rules can be configured for this address.

Alternatively, contact the vendor to obtain the patch; official website:

/Info/

d. Source

/bug_detail.php?wybug_id=wooyun-2015-0104942

Tongda OA

  • Tongda OA arbitrary file deletion and file upload RCE

a. Vulnerability analysis

An arbitrary file deletion vulnerability is used to delete the authentication file included by the upload endpoint, so the upload endpoint becomes reachable without authentication and arbitrary file upload is achieved.

b. Scope of impact

Tongda OA V11.6

c. Repair suggestions

Upgrade to a fixed version.

d. Source

/t/8430

  • Tongda OA arbitrary file upload / file inclusion getshell

a. Vulnerability analysis

By bypassing identity authentication, an attacker can upload an arbitrary file and, combined with a file inclusion, execute malicious code remotely.

b. Scope of impact

V11
2017
2106
2105
2013

c. Repair suggestions

Apply the official patch.

d. Source

/t/7437

  • Tongda OA arbitrary user login vulnerability

a. Vulnerability analysis

An unauthenticated attacker can log in as any user by constructing malicious requests and can then go on to take over the server.

b. Affected versions

Tongda OA 2017, < V11.5

c. Repair suggestions

The vendor has released a fixed version; apply the patch promptly.

d. Source

/

  • Tongda OA 11.2 backend getshell

a. Vulnerability analysis

In Tongda OA 11.2, an attachment upload vulnerability exists at "Organization" - "Administrator" - attachment upload. Combined with "System Management" - "Attachment Management" - "Address Directory" - "Address Management" …

b. Affected versions

Tongda OA 11.2

c. Repair suggestions

Upgrade to a fixed version.

d. Source

/yuzly/p/

  • Tongda OA 11.7 backend SQL injection vulnerability

a. Vulnerability analysis

Tongda OA 11.7 contains a SQL injection in the backend.

b. Affected versions

Tongda OA 11.7

c. Repair suggestions

Upgrade to a fixed version.

d. Source

/yuzly/p/

  • Tongda OA 11.7 unauthenticated RCE

a. Vulnerability analysis

Tongda OA (Office Anywhere network intelligent office system) is collaborative office automation software developed independently by Beijing Tongda Xinke Technology Co., Ltd.; it is a comprehensive office management platform shaped by Chinese enterprise management practice. The vulnerability consists of two parts: a file upload and a file inclusion.

b. Affected versions

Tongda OA V11 <= 11.3 20200103
Tongda OA 2017 <= 10.19 20190522
Tongda OA 2016 <= 9.13 20170710
Tongda OA 2015 <= 8.15 20160722
Tongda OA 2013 Enhanced Edition <= 7.25 20141211
Tongda OA 2013 <= 6.20 20141017

c. Repair suggestions

Install the official patches promptly.

Note that Tongda OA disables most command-execution functions by default; executing commands requires bypassing disable_functions via the COM component.

d. Source

/

2. E-mail

Exchange

  • Microsoft Exchange Server remote code execution vulnerability (CVE-2020-17083)

a. Vulnerability analysis

This vulnerability allows remote attackers to execute arbitrary code on affected Exchange Server installations. Exploitation requires authentication with the Exchange Server Certificate role.

The specific flaw lies in the WriteCertificate function during processing of the Export-ExchangeCertificate cmdlet: user-supplied data is not properly validated before being written to a file. An attacker can exploit this to execute code in the SYSTEM context.

b. Scope of impact

Microsoft Exchange Server

c. Repair suggestions

Microsoft has released an update that corrects this vulnerability. Details:

/update-guide/zh-CN/vulnerability/CVE-2020-17083

d. Source

/advisories/src-2020-0025/

  • Microsoft Exchange remote code execution vulnerability (CVE-2020-16875)

a. Vulnerability analysis

Because cmdlet parameters are validated incorrectly, a remote code execution vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploits it can run arbitrary code in the context of the System user. Exploitation requires an authenticated user with an Exchange role.

b. Scope of impact

microsoft:exchange_server_2016: cu16/cu17

microsoft:exchange_server_2019: cu5/cu6

c. Repair suggestions

Use the following link to find the patch that matches the installed version, then download and install it.

CVE-2020-16875 | Microsoft Exchange Remote Code Execution Vulnerability:

/en-US/security-guidance/advisory/CVE-2020-16875

d. Source

/weixin_45728976/article/details/108537236

  • Microsoft Exchange service remote code execution vulnerability (CVE-2020-0688)

a. Vulnerability analysis

An attacker sends specially crafted emails to a vulnerable Exchange server to trigger the flaw. The vulnerability is caused by the Exchange server failing to create unique cryptographic keys at installation time.

Specifically, instead of generating a random key for each installation, every Exchange server ships with the same validationKey and decryptionKey in its installation files. These keys protect ViewState, the server-side data that a web application stores on the client in serialized form; the client returns this data to the server in the __VIEWSTATE request parameter. With the keys known, an attacker can execute arbitrary .NET code in the Exchange Control Panel web application.

b. Affected versions

Exchange 2010, 2013, 2016 and 2019 are all affected.

c. Repair suggestions

To obtain the Exchange Server version number, refer to:

/zh-cn/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019

After obtaining the version, check whether it is affected:

/en-US/security-guidance/advisory/CVE-2020-16875

If affected, download the corresponding security update package and install it.

d. Source

/t/7321

  • Microsoft Exchange arbitrary user impersonation vulnerability

a. Vulnerability analysis

The impersonation results from combining an SSRF vulnerability with other flaws. Exchange allows any user to specify the URL for a Push Subscription, and the server will attempt to send notifications to that URL.

b. Repair suggestions

Microsoft assigned CVE-2018-8581 to the vulnerability and addressed it in the November release. There is in fact no patch that corrects the issue; instead, Microsoft states that the relevant registry key should be deleted, which enables loopback checking.

c. Source

/t/3670

Coremail

  • Coremail configuration information leak and unauthorized interface access vulnerabilities

a. Vulnerability analysis

The Coremail mail system is a large-scale enterprise mail system developed independently by Lunke Technology (Guangzhou) Co., Ltd. (hereinafter Lunke), which provides customers with complete email technology solutions and enterprise mail operation services.

As China's first Chinese-language mail system, Coremail is widely deployed across party and government agencies, universities, well-known enterprises and important industries such as energy, electric power and finance. Because of case-sensitivity handling in the mailsms module of the Coremail mail system, an attacker can read the Coremail server's system configuration file by remotely accessing a URL without authorization, leaking sensitive configuration such as database connection parameters.

b. Affected versions

Coremail XT 3.0.1 to XT 5.0.9

c. Repair suggestions

Lunke has released a patch for Coremail XT5 and Coremail XT3/CM5; the patch number is CMXT5-2019-0002 and the program version is 1.1.0-alphabuild20190524 (3813d273).

If the installed package's version number is earlier than 20190524, users are advised to apply the patch promptly: download it from the patch management module of the Coremail Cloud Service Center by patch number and apply it manually following the operating instructions.

For questions, contact the vendor's after-sales staff at 400-888-2488 or support@ for assistance.

d. Source

/u012206617/article/details/109579890

3. Web middleware

Apache

  • Apache Solr RCE (CVE-2019-0192)

a. Vulnerability analysis

Apache Solr is an open source search server. It is highly reliable, scalable and fault-tolerant, and provides distributed indexing, replication and load-balanced querying, automatic failover and recovery, centralized configuration and other features.

Solr provides search and navigation capabilities for many of the world's largest Internet sites. It is written in Java and built mainly on HTTP and Apache Lucene. Its ConfigAPI allows setting a value that creates a new JMXConnectorServerFactory and triggers a "bind" call to the target RMI/LDAP server. A malicious RMI server can respond with an arbitrary object, which Solr then deserializes with Java's ObjectInputStream, which is unsafe. This type of vulnerability can be exploited with the ysoserial tool: depending on the target classpath, an attacker can use one of the gadget chains to trigger remote code execution on the Solr side.

b. Repair suggestions

Upgrade to Apache Solr 7.0 or later.

Disable the ConfigAPI (if it is not used) by running Solr with the corresponding system property set to true.

If upgrading or disabling the ConfigAPI is not feasible, apply the patch and recompile Solr.

Make sure the network is configured so that only trusted traffic can enter or leave the host running Solr.

c. Source

/yalecaltech/article/details/88829590

  • Apache Tika command injection (CVE-2018-1335)

a. Vulnerability analysis

The Apache Tika toolkit detects and extracts metadata and text from thousands of file types (such as PPT, XLS and PDF). A user can send carefully crafted headers to tika-server that inject commands into the command line of the server running tika-server. The vulnerability only affects tika-server instances that are exposed to untrusted users.

b. Affected versions

Version 1.18

Version 1.17

c. Repair suggestions

Apache does not recommend running tika-server in an insecure environment or exposing it to untrusted users. The latest version is now 1.20; update immediately if you are still using the service.

d. Source

/t/4452

  • Apache Axis 1 RCE

a. Vulnerability analysis

Apache Axis is a Simple Object Access Protocol (SOAP) engine. During a recent red team operation, the target was found to be running an old version of Apache Axis (1.4). Its successors are Apache Axis2, Apache CXF and Metro. Although Apache Axis is outdated, it is still used in many cases, for example in projects built on Axis that are hard to rewrite or that contain services using SOAP encoding. Axis treats requests from localhost as having administrator privileges, and an attacker can manipulate the HTTP GET request through an SSRF vulnerability to masquerade as a localhost user.

b. Affected versions

<= version 1.4

c. Repair suggestions

The Apache team has released a patch for Axis that prevents the abuse of redirects.

d. Source

/t/4768

  • Tomcat information leak and remote code execution vulnerabilities (CVE-2017-12615 / CVE-2017-12616)

a. Vulnerability analysis

CVE-2017-12616, information leak: when VirtualDirContext is enabled in Tomcat, an attacker can send carefully crafted malicious requests to bypass the configured security restrictions or obtain the source code of JSP files served through VirtualDirContext, leaking source information.

CVE-2017-12615, remote code execution: when Tomcat runs on Windows and the HTTP PUT method is enabled (for example, by changing the readonly initialization parameter from its default to false), an attacker can upload a JSP file containing arbitrary code to the server with a carefully crafted request, and the malicious code in the JSP file is executed by the server, causing data leakage or giving the attacker control of the server.

Under certain conditions, both vulnerabilities allow arbitrary code execution on the user's server, leading to data leakage or server compromise, and they pose a high security risk.

b. Affected versions

CVE-2017-12615:

Apache Tomcat 7.0.0 - 7.0.79 (Windows environments)

CVE-2017-12616:

Apache Tomcat 7.0.0 - 7.0.80

c. Repair suggestions

The vendor has released version 7.0.81 to fix both vulnerabilities; users are advised to upgrade to the latest version as soon as possible.

Regarding the reported bypass of the latest version, users are advised to keep following official announcements and update to the latest version promptly.

d. Source

/t/54

  • Tomcat local privilege escalation vulnerability (CVE-2016-1240)

a. Vulnerability analysis

Administrators on Debian-based Linux systems usually manage packages with apt-get. CVE-2016-1240 lies in the Tomcat deb package: installing Tomcat from the deb package automatically installs the startup script /etc//tomcat<version number>.sh for the administrator, and this script allows an attacker with a low-privileged Tomcat account to gain root privileges.

b. Repair suggestions

Debian, Ubuntu and other affected distributions have fixed and updated the affected Tomcat packages. Affected users can proceed as follows:

Update the Tomcat server package:

(1) Ubuntu announcement

/usn/usn-3081-1/

(2) Debian announcements

/debian-security-announce/2016/

/security/2016/dsa-3669

/security/2016/dsa-3670

c. Source

/jlvsjp/article/details/52776377

WebLogic

  • WebLogic unauthenticated bypass RCE (CVE-2020-14882)

a. Vulnerability analysis

A remote attacker can construct special HTTP requests to take over the WebLogic Server Console without authentication and execute arbitrary code in it.

b. Affected versions

Oracle WebLogic:

10.3.6.0.0

12.1.3.0.0

12.2.1.3.0

12.2.1.4.0

14.1.1.0.0

c. Repair suggestions

Apply the patches promptly; refer to the patches released on Oracle's official website:

Oracle Critical Patch Update Advisory - October 2020

/security-alerts/

d. Source

/weixin_45728976/article/details/109359771

  • WebLogic remote command execution vulnerability analysis (CVE-2019-2725)

a. Vulnerability analysis

Because of a flaw in the deserialization of input data, an attacker can send carefully crafted malicious HTTP requests that exploit the vulnerability to obtain server privileges and achieve remote code execution.

b. Affected versions

Oracle WebLogic Server 10.*

Oracle WebLogic Server 12.1.3

c. Repair suggestions

The vendor has released an emergency patch for this vulnerability, and the following four measures can be used for protection.

1. Apply the official CVE-2019-2725 patch promptly. The emergency patch was released on April 26 and can be downloaded from:

/technetwork/security-advisory/?from=timeline

2. Upgrade the local JDK version

Because the JDK bundled with WebLogic is a version with a known deserialization vulnerability, upgrading to JDK 7u21 or later avoids remote code execution through deserialization of native Java classes.

3. Configure a URL access control policy

For WebLogic servers deployed on the public network, access to the /_async/* and /wls-wsat/* paths can be blocked with ACLs.

4. Delete the unsafe files

Delete wls9_async_response.war and the related files and folders, then restart the WebLogic service.

d. Source

/post/id/177381

  • WebLogic XMLDecoder deserialization vulnerability (CVE-2017-10271)

a. Vulnerability analysis

The WebLogic WLS component contains the CVE-2017-10271 remote code execution vulnerability. An attacker can construct requests to attack hosts running WebLogic middleware; the vulnerability has been exploited to spread cryptomining programs.

b. Affected versions

10.3.6.0.0

12.1.3.0.0

12.2.1.1.0

12.2.1.2.0

c. Repair suggestions

Download the security patch that Oracle released in October from its official website:

/technetwork/security-advisory/

For the upgrade procedure, refer to:

/qqlifu/article/details/49423839

d. Source

/xiaozi/p/

  • WebLogic arbitrary file read vulnerability (CVE-2019-2615) and file upload vulnerability (CVE-2019-2618)

a. Vulnerability description

This is an arbitrary file read vulnerability: an attacker who knows a valid username and password can read files on the WebLogic server.

b. Affected versions

WebLogic 10.3.6.0

WebLogic 12.1.3.0

WebLogic 12.2.1.2

WebLogic 12.2.1.3

c. Repair suggestions

Apply the patch.

Oracle official update link:

/technetwork/security-advisory/

d. Source

/new_type/aqldfx/20190417/

  • WebLogic Coherence component IIOP deserialization vulnerability (CVE-2020-14644)

a. Vulnerability analysis

The Coherence core component of WebLogic has a serious security vulnerability: by sending carefully crafted malicious IIOP protocol packets without logging in, an attacker can perform a deserialization attack that leads to remote arbitrary command execution.

b. Affected versions

WebLogic 12.2.1.3.0

WebLogic 12.2.1.4.0

WebLogic 14.1.1.0.0

c. Repair suggestions

Download the official patch.

Address:

/security-alerts/

d. Source

/t/8155

  • WebLogic remote code execution vulnerability (CVE-2021-2109)

a. Vulnerability analysis

WebLogic is one of Oracle's main products, the leading J2EE application server in the commercial market and the first successfully commercialized J2EE application server in the world; it is widely deployed among Java application servers. This vulnerability allows an unauthenticated attacker with network access via IIOP or T3 to compromise the server, and a successful exploit can take over Oracle WebLogic Server.

b. Affected versions

WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

c. Repair suggestions

Affected users are advised to refer to the announcement on Oracle's official website and apply the fix as soon as possible.

d. Source

/security-alerts/

  • WebLogic T3/IIOP deserialization RCE (CVE-2020-14756)

a. Vulnerability analysis

A vulnerability in the Oracle Coherence product (component: Core) of Oracle Fusion Middleware. This easily exploitable vulnerability allows an unauthenticated attacker with network access via IIOP or T3 to compromise Oracle Coherence, and a successful attack can result in Oracle Coherence being taken over.

b. Affected versions

3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0

c. Repair suggestions

Download the official patch.

Address:

/security-alerts/

d. Source

/vuln/detail/CVE-2020-14756

JBoss

  • JBoss JMXInvokerServlet deserialization (CVE-2017-7504)

a. Vulnerability analysis

This is a classic JBoss deserialization vulnerability. JBoss reads the object supplied by the user in the /invoker/JMXInvokerServlet request, and a gadget chain in Apache Commons Collections is then used to execute arbitrary code.

b. Affected versions

JBoss Enterprise Application Platform 6.4.4, 5.2.0, 4.3.0_CP10
JBoss AS (WildFly) 6 and earlier
JBoss A-MQ 6.2.0
JBoss Fuse 6.2.0
JBoss SOA Platform (SOA-P) 5.3.1
JBoss Data Grid (JDG) 6.5.0
JBoss BRMS (BRMS) 6.1.0
JBoss BPMS (BPMS) 6.1.0
JBoss Data Virtualization (JDV) 6.1.0
JBoss Fuse Service Works (FSW) 6.0.0
JBoss Enterprise Web Server (EWS) 2.1, 3.0

c. Repair suggestions

Update the Apache Commons Collections library. SerialKiller address:

/ikkisoft/SerialKiller

After downloading the jar, place it on the classpath and switch the application code over to SerialKiller.

Then configure it to allow or block the problematic classes. SerialKiller offers hot reload, whitelisting and blacklisting, which control which types are trusted when external input is deserialized.

d. Source

/312/

  • JBoss deserialization vulnerability (CVE-2017-12149)

a. Vulnerability analysis

JBoss Application Server is an open source J2EE-based application server. Its code is under the LGPL license and can be used free of charge in any commercial application. This vulnerability is a Java deserialization flaw in the ReadOnlyAccessFilter of the JBoss HttpInvoker component: the filter deserializes the data stream from the client without any security checks, allowing an attacker to execute arbitrary code on the server.

b. Affected versions

JBoss AS

c. Repair suggestions

Users are advised to upgrade to JBoss AS 7. Users who cannot upgrade promptly can adopt the following temporary measures:

1. Users who do not need the component can delete it directly.

2. Add <url-pattern>/*</url-pattern> to the security-constraint tag of the corresponding configuration file to restrict access to the http invoker component.

d. Source

/Oran9e/p/

  • JBoss JBossMQ JMS deserialization vulnerability (CVE-2017-7504)

a. Vulnerability analysis

JBossMQ implements JMS over an HTTP invocation layer that is enabled by default in Red Hat JBoss Application Server up to the affected version. It does not restrict the classes it deserializes, which allows a remote attacker to execute arbitrary code through crafted serialized data.

b. Affected versions

<=

c. Repair suggestions

1. Upgrade JBoss to the latest version

2. Avoid exposing JBoss to the public network

d. Source

/vuln/detail/CVE-2017-7504

  • JBoss remote code execution vulnerability

a. Vulnerability analysis

The default configuration of JBoss has a backend vulnerability. It lies in the addURL() function of the corresponding namespace, which can remotely download a WAR archive and unpack it.

The backend is reached at http://:8080/jmx-console/.

b. Repair suggestions

Add an access password to jmx-console:

1. Find the jmx-console directory under ${}/deploy and edit its WEB-INF configuration file; uncomment the security-constraint block to enable it.

2. Edit WEB-INF/classes/ or server/default/conf/props/ (version >= 4.0.2), and WEB-INF/classes/ or server/default/conf/props/ (version >= 4.0.2), to add the username and password.

3. Edit WEB-INF/ and uncomment the security-domain block. The file mapped by the security-domain value defines the login authorization method.

c. Source

/Safe3/archive/2010/01/08/

  • JBoss unauthorized access vulnerability

a. Vulnerability analysis

JBoss is an open source J2EE-based application server. Its code is under the LGPL license and can be used free of charge in any commercial application. JBoss is also a container and server for managing EJBs, supporting the EJB 1.1, EJB 2.0 and EJB 3 specifications. In older versions, the JBoss web console is accessible by default without a username and password.

b. Affected versions

All JBoss versions

c. Repair suggestions

Close jmx-console and web-console to improve security.

d. Source

/detail/

4. Source code management

GitLab

  • GitLab 12.9.0 arbitrary file read (CVE-2020-10977)

a. Vulnerability analysis

When an issue is moved between projects, arbitrary local files can be read.

b. Affected versions

GitLab EE/CE 8.5 and above

c. Repair suggestions

It is strongly recommended to upgrade all installations running the affected versions to the latest version as soon as possible.

d. Source

/releases/2020/03/26/security-release-12-dot-9-dot-1-released/

  • GitLab remote code execution breakthrough - (CVE-2018-14364)

a

Vulnerability Analysis

File name regular expressions can be bypassed and enable attackers to create symbolic links in the Gitlab upload directory by importing specially crafted Gitlab exports. Additionally, Gitlab is designed to not currently delete the project upload directory. Therefore, an attacker can delete the imported project and then upload another specially crafted Gitlab export to the project with the same name, which will cause path traversal/arbitrary file uploads and ultimately enable the attacker to get the shell under the permission of the following users: System gitlab user.

b

Affect version

GitLab >= 8.9.0 (the release that introduced project import/export)

c

Repair suggestions

It is recommended to apply the official fix (the merge request below) by upgrading.

 

address:

/gitlab/gitlabhq/merge_requests/2440

d

source

/gitlab-org/gitlab-ce/issues/49133

 

 

  • GitLab arbitrary file read vulnerability (CVE-2016-9086) and any user token leak vulnerability

a

Vulnerability Analysis

GitLab is an open source application built on Ruby on Rails that provides self-hosted Git repository management with a web interface for public and private projects. Two flaws were found across several versions: an arbitrary file read (CVE-2016-9086) in the project import feature, which followed symbolic links contained in an uploaded export archive, and a leak of any user's authentication_token. Chained, they let an attacker obtain an administrator's token and take control of every project on the instance.

b

Affect version

Arbitrary file read vulnerability (CVE-2016-9086):

GitLab CE/EE versions 8.9, 8.10, 8.11, 8.12, and 8.13

 

Any user authentication_token leak vulnerability:

Gitlab CE/EE versions 8.10.3-8.10.5

c

Repair suggestions

Official download patch

 

address:

https://github.

d

source

/reports/178152
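Both GitLab import flaws above (CVE-2018-14364 and CVE-2016-9086) rely on a link entry inside an export archive that the import either follows or recreates on disk. The following is an added example, not GitLab's code and not from the cited reports: a pre-import check over a tarball that lists symlink and hardlink members, absolute names and names that traverse upward, before anything is extracted. The archive is constructed in memory; the symlink target path used in it is an assumption about where a GitLab instance keeps uploads.

```python
"""Inspect a project-export tarball before importing it: flag symlink and
hardlink members, absolute names and traversal names, so an import cannot
plant a link into the server's upload directory or read through one.
Added example, not GitLab code; the archive is constructed in memory."""
import io
import posixpath
import tarfile

LINK_TYPES = {tarfile.SYMTYPE: "symlink", tarfile.LNKTYPE: "hardlink"}
PLAIN_TYPES = {tarfile.REGTYPE, tarfile.AREGTYPE, tarfile.DIRTYPE}


def unsafe_members(tar_bytes):
    """Return (member name, reason) for every member that must not be extracted."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            norm = posixpath.normpath(m.name)
            if m.name.startswith("/") or norm == ".." or norm.startswith("../"):
                problems.append((m.name, "name escapes the extraction directory"))
            if m.type in LINK_TYPES:
                problems.append((m.name, f"{LINK_TYPES[m.type]} -> {m.linkname}"))
            elif m.type not in PLAIN_TYPES:
                problems.append((m.name, f"special member type {m.type!r}"))
    return problems


def build_sample_export():
    """Constructed export: a legitimate file, a symlink aimed at the server's
    uploads directory (the target path is an assumption), and a traversal name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        data = b'{"name": "demo"}'
        info = tarfile.TarInfo("project.json")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))

        link = tarfile.TarInfo("uploads/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "/var/opt/gitlab/gitlab-rails/uploads"  # assumed path
        tf.addfile(link)

        stray = tarfile.TarInfo("../../outside.txt")
        tf.addfile(stray, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample_export()):
        print(f"REJECT {name}: {reason}")
```

On Python 3.12 and later, tarfile's extractall(path, filter="data") refuses the same members at extraction time; running a check like this first produces the rejection report without touching the disk and also works on older interpreters.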

 

 

Five,

Project Management System

ZenTao

  • ZenTao file upload vulnerability (CNVD-C-2020-121325)

a

Vulnerability Analysis

ZenTao versions <= 12.4.2 contain a file upload vulnerability: the developer did not strictly filter the link parameter of the client download feature, so an attacker controls the URL the server downloads from. The server fetches an attacker-hosted script file and stores it in a web-accessible directory, which leads to arbitrary code execution and a webshell.

b

Affect version

ZenTao <= 12.4.2

c

Repair suggestions

It is recommended to upgrade to ZenTao 12.4.3 or later.

d

source

/qq_36197704/article/details/109385695

 

 

  • ZenTao 12.4.2 getshell with backend administrator privileges

a

Vulnerability Analysis

ZenTao 12.4.2 contains an arbitrary file download flaw: the filtering in the download method of the client class is not rigorous, and an ftp:// link passes it, so the server can be made to fetch an attacker-hosted file. Because the directory where the downloaded file is stored is served by the web server and executes PHP, this yields a webshell. It is the same weakness catalogued above as CNVD-C-2020-121325, seen from the exploitation side with an administrator account.

b

Affect version

ZenTao <= 12.4.2

c

Repair suggestions

Upgrade to ZenTao 12.4.3 or later.

d

source

/ly584521/p/

 

 

  • ZenTao 9.1.2 permission control logic vulnerability

a

Vulnerability Analysis

ZenTaoPMS (ZenTao Project Management System) is a project management suite developed by Yiruan Tianchuang to replace the chaotic, ad-hoc management processes found in many enterprises. Details of the permission-control logic flaw are in the cited source.

b

Affect version

This flaw affects versions up to and including ZenTao 9.1.2, the latest version at the time of the report.

c

Repair suggestions

It is recommended to install the latest official version.

d

source

/t/186

 

 

  • ZenTao remote code execution vulnerability

a

Vulnerability Analysis

The flaw is in code shared by the ZenTaoPHP framework, so almost all ZenTao products are affected. An attacker with an ordinary account (user groups 1 to 10) can use the getModel method in module/api/ to call any model class and method under the module directory, beyond the caller's authorization, and from there reach SQL injection, arbitrary file read and remote code execution.

b

Range of impact

Almost all ZenTao products

c

Repair suggestions

The simplest fix is to remove the getModel interface; otherwise apply the vendor's update.

d

source

/archives/1410

 

 

  • ZenTao 11.6 arbitrary file read

a

Vulnerability Analysis

ZenTao is a domestically developed open source (LGPL) project management suite that integrates product management, project management and test management, along with bug tracking and organizational management. It targets small and medium enterprises and is built on its own PHP framework, ZenTaoPHP, which third-party developers and enterprises use to write plugins and customizations.

 

In ZenTao 11.6 the permission filtering on user-callable interfaces is incomplete, so an interface that executes SQL statements can be called without proper authorization, which leads to SQL injection and, as the title describes, to reading arbitrary files through it.

b

Affect version

ZenTao 11.6

c

Repair suggestions

Download the latest version from the official website.

 

Download address:

/

d

source

/t/topic/3363

 

 

Jira

  • Jira SSRF vulnerability (CVE-2017-9506)

a

Vulnerability Analysis

The Atlassian OAuth plugin ships with most Atlassian products, including Jira and Confluence. It contains a flaw that lets an unauthenticated attacker make the server issue HTTP GET requests to arbitrary URLs. This can be used for a range of attacks, such as reaching resources on the internal network or serving spoofed pages over a valid TLS connection from the Atlassian host.

b

Affect version

Jira < 7.3.5

c

Repair suggestions

If you find vulnerable Atlassian products, notify the administrator and ask them to block the endpoint URL or upgrade to a later version of the product.

d

source

http://dontpanic./2017/12/

 

 

  • Jira Service Desk path traversal information disclosure (CVE-2019-14994)

a

Vulnerability Analysis

JIRA Service Desk is a core product of Atlassian's JIRA family: service desk management software used to receive and handle problems and requests from teams or users, with supporting functions such as service-level agreements, reports, queues, and intake of external issues and feedback through a web portal or email. It is designed for end users to submit tickets to a support team, and also suits development teams alongside products such as JIRA Software. An attacker who is merely an ordinary user of the Customer Portal can, through a path traversal in the portal's URL handling, reach the underlying Jira instance and enumerate all issues across its projects, including Jira Service Desk, Jira Core and Jira Software projects.

b

Affect version

All versions before 3.9.16

3.x before 3.16.8 (the fixed version for the 3.x line)

4.x before 4.1.3 (the fixed version for that line)

4.2.x before 4.2.5

4.3.x before 4.3.4

4.4.0 before 4.4.1

c

Repair suggestions

Upgrade to Atlassian JIRA Service Desk Server 3.9.16 / 3.16.8 / 4.1.3 / 4.2.5 / 4.3.4 / 4.4.1 or later.

d

source

/developer/article/1529135

 

 

  • Jira unauthenticated SSRF vulnerability reproduction (CVE-2019-8451)

a

Vulnerability Analysis

The /plugins/servlet/gadgets/makeRequest resource in Jira has an SSRF vulnerability caused by a logic flaw in JiraWhitelist, the check that is meant to confine proxied requests to the Jira instance itself. A remote attacker who exploits it can reach intranet resources with the Jira server as the origin. Analysis shows the flaw is reachable without any credentials.

b

Affect version

Jira < 8.4.0

c

Repair suggestions

Upgrade to 8.4.0 or later.

d

source

Qi'anxin CERT
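The ZenTao client-download entries (an attacker-controlled link that the server fetches, where an ftp:// URL got past the filter) and the two Jira SSRF entries (server-side requests steered to attacker-chosen hosts, in CVE-2019-8451 through a flawed allow-list check) are one class of mistake: the server trusts the shape of a URL instead of parsing it. The following is an added example, not code from ZenTao or Atlassian, showing a prefix check of the kind that userinfo (host@) defeats beside a validator that parses the URL, allow-lists scheme and exact host, optionally restricts the file extension, and refuses hosts that resolve to non-public addresses. Host names, the fake DNS table and the addresses are constructed; whether JiraWhitelist used exactly a prefix comparison is not something this page states, so the naive function is illustrative only.

```python
"""Validate a URL the server is about to fetch on a user's behalf: scheme
allow-list, no userinfo, exact host allow-list, optional extension allow-list,
and no resolution to non-public addresses. Added example, not ZenTao's or
Atlassian's code; hosts, IPs and the resolver below are constructed."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def naive_prefix_check(url, base_url):
    """The flawed shape: a string prefix test on the raw URL. It accepts
    base_url + '@attacker.example/', which a real parser reads as another host."""
    return url.startswith(base_url)


def check_outbound_url(url, allowed_hosts, allowed_suffixes=None, resolve=None):
    """Return (ok, reason). resolve(host) -> list of IP strings; injected so the
    check runs offline here and so the caller can pin the connection to the
    address that was checked."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present (host@ confusion)"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allow-list"
    if allowed_suffixes is not None and not parts.path.lower().endswith(tuple(allowed_suffixes)):
        return False, f"path {parts.path!r} has no allowed extension"
    for ip in (resolve(host) if resolve else []):
        addr = ipaddress.ip_address(ip)
        if not addr.is_global:  # private, loopback, link-local, reserved ranges
            return False, f"{host} resolves to non-public {ip}"
    return True, "ok"


# Constructed DNS view standing in for a real resolver; 1.2.3.4 is a placeholder
# public address, 10.0.0.5 an RFC 1918 one.
FAKE_DNS = {
    "downloads.example.com": ["1.2.3.4"],
    "intranet.example.com": ["10.0.0.5"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    hosts = {"downloads.example.com"}
    for url in ("https://downloads.example.com/client/12.4/zentao.zip",
                "ftp://1.2.3.4/shell.php",
                "https://downloads.example.com/shell.php",
                "https://downloads.example.com@attacker.example/",
                "https://intranet.example.com/"):
        print(url, check_outbound_url(url, hosts | {"intranet.example.com"}, [".zip"], fake_resolve))
```

Resolve once and connect to the address you validated (passing it to the HTTP client with the Host header set) rather than letting the client resolve again; otherwise DNS rebinding can swap in an internal address between the check and the fetch.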

 

 

  • Atlassian Jira Server template injection vulnerability reproduction (CVE-2019-11581)

a

Vulnerability Analysis

Atlassian Jira is an issue tracking system from Atlassian (Australia), used mainly to track and manage problems and defects in work.

 

Atlassian Jira Server and Jira Data Center contain a server-side template injection vulnerability. An attacker who exploits it can execute arbitrary commands on servers running an affected version of Jira Server or Jira Data Center, taking control of the server and endangering the surrounding network.

b

Affect version

Atlassian Jira 4.x and 7.x up to 7.6.x, before 7.6.14

Atlassian Jira later 7.x lines, before 7.13.5

Atlassian Jira 8.0.x before 8.0.3

Atlassian Jira 8.1.x before 8.1.2

Atlassian Jira 8.2.x before 8.2.3

c

Repair suggestions

1. Upgrade to a version that is not affected by the vulnerability.

2. Until then, restrict source IP access to http://ip:port/secure/admin/SendBulkMail! and disable the Contact Administrators form; per Atlassian's advisory, exploitation requires an SMTP server to be configured in Jira together with either that form being enabled (the unauthenticated path) or JIRA Administrators access.

d

source

/backlion/p/

 

 

  • Jira information disclosure vulnerability (CVE-2019-8449)

a

Vulnerability Analysis

The /rest/api/latest/groupuserpicker resource in Atlassian Jira before 8.4.0 can be queried without authentication and returns matching user information, so an attacker can enumerate users by brute-forcing query strings against it.

b

Affect version

Jira from 7.12 up to, but not including, 8.4.0

c

Repair suggestions

1. Upgrade to the latest official version.

2. Restrict access to the endpoint to trusted source IPs (for example with security groups or at the reverse proxy).

d

source

/t/7219
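CVE-2019-8449 is an enumeration problem, so the useful control beside patching is detection. The following is an added example, not from Atlassian and not from this entry's source: it parses access-log lines in combined log format, keeps only successful requests to the groupuserpicker resource, and alerts on any source IP that issues 20 or more distinct query values within five minutes, noting whether those requests were anonymous. The log lines are constructed; the log format, the thresholds and the two paths matched are assumptions to adjust to your reverse proxy or Tomcat access-log pattern.

```python
"""Detect user enumeration against /rest/api/*/groupuserpicker in access logs:
many distinct query= values from one source IP inside a short window.
Added example; the log lines are constructed in combined log format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PICKER_RE = re.compile(r"^/rest/api/(latest|2)/groupuserpicker$")  # assumed paths


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    return {
        "ip": m["ip"],
        "user": m["user"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": url.path,
        "query": parse_qs(url.query).get("query", [""])[0],
        "status": int(m["status"]),
    }


def detect_enumeration(lines, window=timedelta(minutes=5), threshold=20):
    """Return {ip: details} for IPs that sent >= threshold distinct picker queries
    within `window`, counting only 2xx responses (the ones that leaked data)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and PICKER_RE.match(rec["path"]) and 200 <= rec["status"] < 300:
            per_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            recent = [x for x in recs[: i + 1] if x["ts"] >= r["ts"] - window]
            queries = {x["query"] for x in recent}
            if len(queries) >= threshold:
                alerts[ip] = {
                    "distinct_queries": len(queries),
                    "first": recent[0]["ts"].isoformat(),
                    "last": r["ts"].isoformat(),
                    "anonymous": all(x["user"] == "-" for x in recent),
                }
                break
    return alerts


def constructed_log():
    """A burst of anonymous picker queries from one IP plus ordinary traffic."""
    base = datetime(2019, 9, 25, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=3 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{ts}] "GET /rest/api/latest/groupuserpicker'
                     f'?query=u{i:02d} HTTP/1.1" 200 512 "-" "curl/7.64.0"')
    for i, q in enumerate(("alice", "bob")):
        ts = (base + timedelta(minutes=1, seconds=i)).strftime(TS_FMT)
        lines.append(f'192.0.2.10 - jdoe [{ts}] "GET /rest/api/2/groupuserpicker'
                     f'?query={q}&maxResults=50 HTTP/1.1" 200 300 "-" "Mozilla/5.0"')
    lines.append('192.0.2.10 - jdoe [25/Sep/2019:10:02:00 +0000] '
                 '"GET /browse/PROJ-1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, info in detect_enumeration(constructed_log()).items():
        print(ip, info)
```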

 

 

Six,

Open source operations and maintenance monitoring

Jenkins

  • Jenkins path traversal arbitrary file write vulnerability (CVE-2019-10352)

a

Vulnerability Analysis

Users with Job/Configure permission can define a file parameter whose file name contains a relative path that escapes the intended base directory. Jenkins used that path unchanged when storing the uploaded file on the Jenkins controller, which results in an arbitrary file write.

b

Affect version

Jenkins weekly up to and including 2.185

Jenkins LTS up to and including 2.176.1

c

Repair suggestions

Jenkins weekly should be updated to version 2.186.

Jenkins LTS should be updated to version 2.176.2.

d

source

/security/advisory/2019-07-17/#SECURITY-1424
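The Jenkins file-parameter flaw above (CVE-2019-10352) and the GitLab issue-move flaw in the previous section (CVE-2020-10977) both come down to a file name the user influences being joined to a base directory without confirming that the result stays inside it. The following is an added example, not Jenkins or GitLab code: a containment check that rejects absolute input, resolves the joined path (symlinks included) and compares it with commonpath, which unlike a string prefix test does not mistake /srv/app/uploads-old for a child of /srv/app/uploads. The base directory and the sample names are constructed and need not exist on disk.

```python
"""Contain a user-influenced file name inside a base directory. Added example,
not GitLab's or Jenkins' code; the base directory and names are constructed."""
import os

BASE_DIR = "/srv/app/uploads"  # constructed; does not need to exist


class PathEscape(ValueError):
    """Raised when the resolved path would leave the base directory."""


def safe_join(base_dir, user_path):
    """Return an absolute path for user_path under base_dir, or raise PathEscape.

    Absolute input is rejected outright; otherwise the joined path is resolved
    (symlinks included) and compared with commonpath rather than a prefix test.
    """
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")):
        raise PathEscape(f"absolute path rejected: {user_path!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscape(f"{user_path!r} resolves to {candidate}, outside {base}")
    return candidate


def classify(base_dir, names):
    """Map each candidate name to 'ok' or 'rejected' (handy for a quick audit)."""
    result = {}
    for name in names:
        try:
            safe_join(base_dir, name)
            result[name] = "ok"
        except PathEscape:
            result[name] = "rejected"
    return result


# Constructed inputs: a normal upload reference, a GitLab-style reference whose
# secret segment is followed by traversal, a Jenkins-style file-parameter name
# that climbs out of the workspace, and an absolute path.
SAMPLES = [
    "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4/report.pdf",
    "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4/../../../../../../etc/passwd",
    "../../../../tmp/not-in-workspace.txt",
    "/etc/shadow",
]

if __name__ == "__main__":
    for name, verdict in classify(BASE_DIR, SAMPLES).items():
        print(f"{verdict:8} {name}")
```

A containment check is only as good as the directory it is run against: the GitLab case copied files from a directory the attacker named, so the base passed in must be the server's own configured uploads root, never something derived from the request.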

 

 

  • Jenkins Git client plugin RCE (CVE-2019-10392)

a

Vulnerability Analysis

Jenkins is an open source continuous integration tool written in Java that monitors repeated jobs such as builds, aiming to be an open, easy-to-use platform for continuous integration. The Git Client plugin contains a system command execution flaw: the way it invokes git lets an attacker with Job/Configure permission execute arbitrary system commands on the Jenkins controller as the OS user the Jenkins process runs as.

b

Affect version

Git Client Plugin 2.8.4 and earlier

c

Repair suggestions

Upgrade the Git Client plugin to version 2.8.5 or later (2.8.4 is itself affected).

d

source

Anshi Technology Security Service Team
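The Git Client plugin flaw above is an instance of argument injection: the repository URL a Job/Configure user supplies ends up as a positional argument of git ls-remote, and a value beginning with -- is parsed as an option; --upload-pack=<command> in particular makes git run that command. The following is an added example of that flaw class and its two defences (reject option-shaped input, and terminate option parsing with -- before the positional argument), not the plugin's code; it builds argument vectors but never executes git, and the URLs are constructed.

```python
"""Argument injection through a repository URL: if a user-controlled string
lands where git expects a positional argument, a value such as
'--upload-pack=<command>' is parsed as an option and git runs the command.
Added example of the flaw class, not the plugin's code; nothing here runs git."""
import re
import shlex
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "http", "ssh", "git"}
# scp-like form git@host:org/repo.git has no scheme, so it gets its own pattern
SCP_LIKE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:[^/:][^:]*$")


class BadRepoUrl(ValueError):
    """Raised for a repository URL that could be parsed as a git option."""


def ls_remote_argv_naive(repo_url):
    """The unsafe shape: the URL goes straight into the argument vector."""
    return ["git", "ls-remote", repo_url, "HEAD"]


def ls_remote_argv(repo_url):
    """Validate the URL, then end option parsing with '--' before it."""
    if repo_url.startswith("-"):
        raise BadRepoUrl(f"looks like an option: {repo_url!r}")
    parts = urlsplit(repo_url)
    scheme_ok = parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)
    # the scheme allow-list also excludes git's ext:: helper, which runs a command
    if not scheme_ok and not SCP_LIKE.match(repo_url):
        raise BadRepoUrl(f"unsupported repository URL: {repo_url!r}")
    return ["git", "ls-remote", "--", repo_url, "HEAD"]


def render(argv):
    """Shell-quoted form for logging only; execute with the argv list, not a shell."""
    return shlex.join(argv)


if __name__ == "__main__":
    for url in ("https://git.example.com/org/repo.git", "git@git.example.com:org/repo.git",
                "--upload-pack=id", "ext::sh -c id"):
        print("naive   :", render(ls_remote_argv_naive(url)))
        try:
            print("hardened:", render(ls_remote_argv(url)))
        except BadRepoUrl as e:
            print("hardened: REJECTED", e)
```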

 

 

Zabbix

  • Zabbix Remote Code Execution Vulnerability (CVE-2020-11800)

a

Vulnerability Analysis

Zabbix, from Zabbix SIA (Latvia), is an open source monitoring system covering network, server, cloud and application monitoring. The Zabbix server's handling of trapper commands contains a command injection flaw that allows remote code execution.

b

Affect version

Zabbix 3.0.x up to and including 3.0.30 (as listed by the source)

c

Repair suggestions

Update to version 3.0.31, and restrict access to the server's trapper port (10051/tcp by default) to known agents and proxies.

d

source

/t/8991

 

 

Nagios

  • Nagios XI 5.6.9 Remote Code Execution Vulnerability (CVE-2019-20197)

a

Vulnerability Analysis

Nagios is an open source system and network monitoring tool: it monitors the state of Windows, Linux and Unix hosts and of network devices such as switches, routers and printers, sends an email or SMS alert to operations staff when a host or service becomes abnormal, and a recovery notification when it returns to normal. In Nagios XI 5.6.9, an authenticated user can execute arbitrary OS commands via shell metacharacters in the id parameter to schedulereport.php, in the context of the web-server user account.

b

Affect version

Nagios XI <= 5.6.9

c

Repair suggestions

1. Apply the vendor fix, and enforce strong passwords on Nagios XI accounts so that this authenticated command execution cannot be reached by brute-forcing a login.

2. Restrict access to the service to trusted source addresses.

d

source

/vuln/detail/CVE-2019-20197

 

 

  • Nagios XI template code injection (CVE-2021-3273)

a

Vulnerability Analysis

Nagios XI below 5.7 is affected by code injection in the /nagiosxi/admin/ component. An administrator can add, edit or delete templates, which are stored on disk; a template containing PHP can then be requested through Apache, which executes it as a PHP file and so runs OS commands as the web server user.

b

Affect version

Nagios XI < 5.7

c

Repair suggestions

Official download patch

 

address:

/downloads/nagios-xi/change-log/

d

source

/vuln/detail/CVE-2021-3273

 

 

Seven,

Fortress (bastion hosts)

JumpServer

  • JumpServer remote execution vulnerability

a

Vulnerability Analysis

JumpServer describes itself as the first fully open source bastion host; it is licensed under the GNU GPL v2.0, is a 4A-compliant operations audit system, and is written in Python/Django.

 

On January 15, 2021, JumpServer released an update fixing a remote command execution vulnerability (CVE-2021-3347). Because some JumpServer interfaces lack authorization checks, an attacker can craft requests to read log files and harvest sensitive information from them, then use that information to call the relevant APIs, take control of every managed machine and execute arbitrary commands.

b

Affect version

JumpServer < v2.6.2

JumpServer < v2.5.4

JumpServer < v2.4.5

JumpServer = v1.5.9

c

Repair suggestions

1. Upgrade JumpServer to the latest version.

2. Restrict console logins to an allow-list of source IP addresses.

d

source

/home/detail/

 

 

Qizhi Fortress

  • Qizhi bastion host front-end remote code execution vulnerability

a

Vulnerability Analysis

Zhejiang Qizhi Technology Co., Ltd. develops computer software, hardware and network products. Its operations and maintenance bastion host server has a command execution vulnerability that an attacker can use to gain control of the server.

b

Repair suggestions

A patch for this vulnerability has been released. Customers who have not yet applied it should contact Qizhi Technology's technical support for assistance.

c

source

/flaw/show/1632201

 

Full text reference link:

/r0eXpeR/redteam_vul

Reprinted from Thunder Public Test