Control Gap Vulnerability Roundup: October 22nd to October 28th

This week saw the publication of 360 new CVE IDs. Of those, 74 have not yet been assigned official CVSS scores, however, of the ones that were, approximately 30% were of critical severity, 37% were high, 32% were medium, and 1% were low. Listed below are the vulnerabilities that caught our attention:

• HyperSQL, a hugely popular relational database utilized by many massive Java projects was found to be affected by a remote code execution vulnerability.
• VMWare has released a rare out-of-band patch for its VMWare NSX product which is considered end-of-life to fix an unauthenticated remote code execution vulnerability.
• The French e-commerce and content management system Melis was found to be affected by a remote code execution vulnerability stemming from improper deserialization.
• The adversary emulation tool Cobalt Strike was found to be vulnerable to remote code execution after researchers at IBM found a bypass for a previously patched XSS vulnerability.

The modern threat landscape represents an ever-changing vista of vulnerabilities, tools, tactics, and procedures which pose an existential threat to the security of organizations’ IT infrastructures. A key part of an evergreen security program is to maintain an up-to-date knowledge base of actionable threat intelligence that an organization can leverage to improve its security posture. Where dozens of novel threats and vulnerabilities become public each week, it can be challenging for IT professionals to keep pace. Control Gap intends to separate the signal from the noise by highlighting in this weekly segment newly disclosed vulnerabilities that have been assigned a CVE ID and which may be exceedingly novel, widespread, critical, or otherwise noteworthy.

The available threat intelligence at time of writing is documented below. Updates will be clearly marked.

HyperSQL Remote Code Execution

The highly popular Java based relational database HyperSQl was found to be vulnerable to conditional remote code execution. Researchers at Code Intelligence identified the vulnerability and released a short technical writeup of their findings. Some applications which leverage HyperSQL could be configured in a way that allows remote code execution if they accept user-defined input, importantly, the application does not need to be vulnerable to SQL injection to be affected by this vulnerability. User defined input which is processed by the “java.sql.Statement” or “java.sql.PreparedStatement” classes could be crafted in such a way to achieve remote code execution. HyperSQL is utilized by thousands of Maven projects including huge projects such as: LibreOffice, JBoss, and Log4j. The vulnerability is currently being tracked as CVE-2022-41853.

VMWare NSX Remote Code Execution

Versions of VMWare NSX (network visualization and security platform) up to version 1.4.18 were found to be vulnerable to remote code execution stemming from a deserialization bug within the XStream library which is used by VMWare NSX. Security researcher Sina Kheirkhah discovered the vulnerability and developed a way to exploit it through unauthenticated channels, specifically, the password reset functionality. The vulnerability was deemed to be so severe by VMWare that they have released an out-of-band patch despite the effected product being end-of-life. The related vulnerabilities are being tracked as CVE-2021-39144 and CVE-2022-31678, VMWare has released an advisory, and remediation instructions through VMSA-2022-0027.

Melis E-Commerce and Content Management System Remote Code Execution

The French e-commerce and content management system (CMS) Melis, was found to have multiple vulnerabilities including path traversal and two unique deserialization vulnerabilities. Researchers at the Swiss firm “Sonar” released a blog post detailing how they came to discover the vulnerability and its precise root cause. The three vulnerabilities are being tracked as: CVE-2022-39297, CVE-2022-39296, and CVE-2022-3928. The vulnerabilities affect versions 2.2.0 to 5.0.0 and were disclosed to Melis in June 2021, version 5.0.1 of the application includes a patch and was released late September, 2022.

Cobalt Strike Remote Code Execution

An old cross-site scripting vulnerability in the threat emulation and command and control framework Cobalt Strike has resurfaced after researchers at IBM found that its original patch could be bypassed to achieve remote code execution. The original vulnerability CVE-2022-39197, was assigned a CVSS severity score of 6.1 by NVD and was patched out by HelpSystems (the developers of Cobalt Strike) in an out-of-band update with version 4.7.1. Researchers at IBM identified a way to bypass this patch and obtain remote code execution by crafting specialized payloads targeting the Java Swing toolkit which is utilized by Cobalt Strike. The IBM researchers aided HelpSystems in creating a comprehensive patch and requested a unique CVE ID CVE-2022-42948, however HelpSystems is contesting this CVE. Another out-of-band patch was released for Cobalt Strike, 4.7.2, and implements comprehensive mitigations for the vulnerability.