Skip to the main content.
Contact
Contact

3 min read

Control Gap Vulnerability Roundup: November 12th to November 18th

Control Gap Vulnerability Roundup: November 12th to November 18th

This week saw the publication of 500 new CVE IDs. Of those, 144 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 18% were of critical severity, 35% were high, 45% were medium, and 2% were low. Listed below are the vulnerabilities that caught our attention:

  • F5 Big-IP and Big-IQ products were found to be affected by a cross-site request forgery vulnerability which could lead to remote code execution. Exploitation of the vulnerability is highly conditional.
  • Liferay, the “digital experience” provider, has had 17 vulnerabilities of varying severity disclosed this week affecting a wide array of products and product versions.
  • IBM InfoSphere DataStage was found to be vulnerable to unauthenticated command injection. Customers are encouraged to patch immediately.
  • Atlassian BitBucket users who can control their username can achieve command execution with crafted username payloads.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.


F5 Big-IP and Big-IQ Remote Code Execution

CG_Critical_sm-1

Real-World Exploitability

High

Exploited in the Wild

No

Available Public Exploits 

Yes

 

Researchers at Rapid7 have discovered a pair of vulnerabilities which could be leveraged to achieve remote code execution on F5’s Big-IP and Big-IQ products. The first vulnerability, CVE-2022-41622 is very similar to the Plesk vulnerability disclosed last week. The SOAP API on the appliances lacks typical CSRF protections allowing attackers who can convince an administrator to visit a malicious website to take attacker defined actions on the API. The second vulnerability, CVE-2022-41800, described in F5’s support article states that an attacker with valid administrator credentials could bypass “appliance mode restrictions”, Rapid7 has indicated that this could lead to remote code execution. Despite F5’s devices being utilized widely across the industry, Rapid7 wrote in their blog post that “widespread exploitation of the issues in this disclosure is unlikely”.


Liferay Multiple Vulnerabilities

CG_Critical_sm-1

Real-World Exploitability

High

Exploited in the Wild

No

Available Public Exploits 

No

 

Liferay is a digital solutions developer who specializes in building tailored “digital experiences” for its clients. Liferay’s website claims the company works across the globe with corporations such as Honda and Airbus. This week 17 unique vulnerabilities were disclosed for multiple Liferay products and product versions. The worst of these vulnerabilities are CVE-2022-42122, and CVE-2022-42120, which describe SQL injection vulnerabilities that could allow an attacker to execute arbitrary SQL commands on affected versions of Liferay Portal and Liferay DXP. Other vulnerabilities which were disclosed for the products include cross-site scripting, information disclosure, access control bypass and filesystem modification. A complete list of vulnerabilities can be found here.


IBM InfoSphere DataStage Command Injection

CG_Critical_sm-1

 

Real-World Exploitability

High

Exploited in the Wild

No

Available Public Exploits

No

 

IBM InfoSphere is an information management server which helps organizations more easily understand, cleanse, monitor, and transform data. IBM has addressed the vulnerability, tracked as CVE-2022-40752, in an X-Force disclosure and released a patch. While information on the vulnerability is currently limited, the vulnerability affects InfoSphere DataStage version 11.7 and would allow an unauthenticated attacker to achieve command execution through command injection. IBM has assigned the vulnerability a CVSS score of 9.8 on its X-Force platform. IBM is encouraging customers to apply the relevant patch immediately.


Atlassian BitBucket Command Injection

CG_Critical_sm-1

 

Real-World Exploitability

High

Exploited in the Wild

No

Available Public Exploits

No

 

Atlassian’s BitBucket server is a Git platform for developers with strong Jira integration. The vulnerability, CVE-2022-43781, is a command injection vulnerability stemming from improperly handled environment variables. A user or attacker who can control their username can achieve command execution on the affected server by changing their username to a crafted value. It should be noted that an attacker can exploit this vulnerability from an unauthenticated context if the BitBucket server has public sign-ups enabled. Atlassian has addressed the vulnerability and is encouraging users to update their product to the latest available version.

Control Gap Vulnerability Roundup: November 5th to November 11th

Control Gap Vulnerability Roundup: November 5th to November 11th

This week saw the publication of 507 new CVE IDs. Of those, 133 have not yet been assigned official CVSS scores, however, of the ones that were,...

Read More
Control Gap Vulnerability Roundup: November 19th to November 25th

Control Gap Vulnerability Roundup: November 19th to November 25th

This week saw the publication of 343new CVE IDs. Of those, 144 have not yet been assigned official CVSS scores, however, of the ones that were,...

Read More
Control Gap Vulnerability Roundup: October 29th to November 4th

Control Gap Vulnerability Roundup: October 29th to November 4th

This week saw the publication of 517 new CVE IDs. Of those, 9 have not yet been assigned official CVSS scores, however, of the ones that were,...

Read More