VULNERA Pulse

Apache — Log4j2

CVE-2021-45046 / Added: May 1, 2023

CRITICAL CVSS 9.00

Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.

Headlines

• May 2, 2023 - CISA warns of Mirai botnet exploiting TP-Link routers
• May 2, 2023 - CISA adds TP-Link, Apache, and Oracle bugs to its Known Exploited Vulnerabilities catalog
• May 2, 2023 - Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected
• Feb. 22, 2023 - Most vulnerabilities associated with ransomware are old
• Oct. 25, 2022 - Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Quarterly Report: Incident Response Trends in Q3 2022
• April 19, 2022 - Reported Apache Log4j Hotpatch Issues
• Dec. 17, 2021 - Update for Apache Log4j2 Security Bulletin (CVE-2021-44228)
• Dec. 12, 2021 - Microsoft’s Response to CVE-2021-44228 Apache Log4j 2 | MSRC Blog |

Back to top ↑

TP-Link — Archer AX21

CVE-2023-1389 / Added: May 1, 2023

HIGH CVSS 8.80

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Headlines

• May 4, 2023 - Patch now! The Mirai IoT botnet is exploiting TP-Link routers
• May 3, 2023 - TP-Link routers targeted by Mirai botnet once again, US government warns
• May 2, 2023 - CISA warns of Mirai botnet exploiting TP-Link routers
• May 2, 2023 - CISA Warns of Attacks Exploiting Oracle WebLogic Vulnerability Patched in January
• May 2, 2023 - CISA adds TP-Link, Apache, and Oracle bugs to its Known Exploited Vulnerabilities catalog
• May 2, 2023 - Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected
• April 30, 2023 - newsletter Round 417 by Pierluigi Paganini – International edition
• April 27, 2023 - Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware
• April 26, 2023 - Mirai malware targeting top TP-Link routers to hijack into DDoS attacks
• April 25, 2023 - A new Mirai botnet variant targets TP-Link Archer A21
• April 25, 2023 - TP-Link Archer WiFi router flaw exploited by Mirai malware

Back to top ↑

Oracle — WebLogic Server

CVE-2023-21839 / Added: May 1, 2023

HIGH CVSS 7.50

Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server.

Headlines

• May 2, 2023 - CISA warns of Mirai botnet exploiting TP-Link routers
• May 2, 2023 - CISA Warns of Attacks Exploiting Oracle WebLogic Vulnerability Patched in January
• May 2, 2023 - CISA adds TP-Link, Apache, and Oracle bugs to its Known Exploited Vulnerabilities catalog

Back to top ↑

CVE-2023-1968

CRITICAL CVSS 10.00

Risk Context N/A

Published: April 28, 2023

Instruments with Illumina Universal Copy Service v2.x are vulnerable due to binding to an unrestricted IP address. An unauthenticated malicious actor could use UCS to listen on all IP addresses, including those capable of accepting remote communications.

Quotes

• Anything that touches DNA — yes, it's a privacy concern — but also think about digital forensics or think about custom cancer treatments, right
• An unauthenticated malicious actor could upload and execute code remotely at the operating system level, which could allow an attacker to change settings, configurations, software, or access sensitive data on the affected product
• Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network

Headlines

• May 3, 2023 - DNA Sequencing Equipment Vulnerability Adds New Twist to Medical Device Cyber Threats
• May 1, 2023 - DNA sequencing platform hit by serious security flaws
• April 29, 2023 - CISA warns of a critical flaw affecting Illumina medical devices

CVE-2021-44228

CRITICAL CVSS 10.00

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Dec. 10, 2021

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Vendors Impacted: Apache, Cisco, Debian, Intel, Bentley, Snowsoftware, Netapp, Siemens, Fedoraproject, Percussion

Products Impacted: Sd-Wan Vmanage, Siveillance Vantage, Mobility Services Engine, Firepower 4150, Unified Computing System, Fedora, Prime Service Catalog, Sppa-T3000 Ses3000 Firmware, Debian Linux, Operation Scheduler, Finesse, Firepower 1150, Fxos, Virtual Topology System, Identity Services Engine, Solid Edge Harness Design, Siveillance Identity, Firepower 2110, Mendix, Network Services Orchestrator, Sensor Solution Firmware Development, Industrial Edge Management, Teamcenter, Unified Contact Center Express, Vesys, Solid Edge Cam Pro, Cloud Insights, Customer Experience Cloud Agent, Crosswork Platform Infrastructure, Firepower 2120, Head-End System Universal Device Int, Ontap Tools, Synchro, Unity Connection, Log4j2, Unified Workforce Optimization, Ucs Central Software, Captial, Data Center Manager, Nx, Data Center Network Manager, Wan Automation Engine, Energyip, Firepower 9300, Unified Intelligence Center, Unified Communications Manager, Firepower 4145, Optical Network Controller, Packaged Contact Center Enterprise, Computer Vision Annotation Tool, Connected Analytics For Network Depl, Siguard Dsa, Energyip Prepay, Firepower 4112, Crosswork Network Controller, Unified Contact Center Management Po, Dna Spaces Connector, E-Car Operation Center, Comos, Oneapi Sample Browser, Spectrum Power 7, Unified Communications Manager Im An, Dna Center, Active Iq Unified Manager, Vm Access Proxy, Mindsphere, Webex Meetings Server, Desigo Cc Advanced Reports, Navigator, Firepower 1140, Unified Customer Voice Portal, Firepower 2140, System Studio, Cloudcenter, Logo\! Soft Comfort, Video Surveillance Manager, Virtualized Infrastructure Manager, Advanced Malware Protection Virtual , Firepower 2130, Intersight Virtual Appliance, Video Surveillance Operations Manage, Siveillance Control Pro, Cloud Connect, Audio Development Kit, Nexus Insights, Paging Server, Common Services Platform Collector, Cx Cloud Agent, Business Process Automation, Unified Sip Proxy, Evolved Programmable Network Manager, Contact Center Management Portal, Crosswork Zero Touch Provisioning, Emergency Responder, Siveillance Command, Log4j, Nexus Dashboard, Opcenter Intelligence, Virtualized Voice Browser, Cloud Secure Agent, Firepower Threat Defense, Workload Optimization Manager, Smart Phy, Firepower 4120, Firepower 1010, Sppa-T3000 Ses3000, Industrial Edge Management Hub, Synchro 4d, Network Insights For Data Center, Sipass Integrated, Integrated Management Controller Sup, Sentron Powermanager, Ucs Central, Xpedition Enterprise, Rhythmyx, Snapcenter, Firepower 4115, Energy Engage, Network Assurance Engine, Spectrum Power 4, Gma-Manager, Siveillance Viewpoint, Secure Device Onboard, Cloudcenter Suite, Ucs Director, Firepower 4140, Firepower 4110, Cyber Vision, System Debugger, Crosswork Data Gateway, Connected Mobile Experiences, Automated Subsea Tuning, Dna Spaces, Enterprise Chat And Email, Dna Spaces\, Cloudcenter Workload Manager, Desigo Cc Info Center, Firepower 4125, Cloudcenter Cost Optimizer, Crosswork Optimization Engine, Broadworks, Cloud Manager, Cyber Vision Sensor Management Exten, Oncommand Insight, Contact Center Domain Manager, Unified Contact Center Enterprise, Genomics Kernel Library, Firepower 1120, Fog Director, Cloudcenter Suite Admin, Xpedition Package Integrator, Iot Operations Dashboard, Unified Communications Manager Im \&, Crosswork Network Automation, Network Dashboard Fabric Controller, Snow Commander

Quotes

• That said, this is nothing new for the maintainers of the Mirai botnet, who are known for quickly exploiting IoT devices to maintain their foothold in the enterprise
• Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server

Headlines

• May 2, 2023 - CISA warns of Mirai botnet exploiting TP-Link routers
• May 2, 2023 - CISA adds TP-Link, Apache, and Oracle bugs to its Known Exploited Vulnerabilities catalog
• May 2, 2023 - Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected

CVE-2018-9995

CRITICAL CVSS 9.80

Public Exploits Available

Published: April 10, 2018

TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.

Quotes

• A remote attacker may be able to exploit this flaw to bypass authentication and obtain administrative privileges, eventually leading access to camera video feeds
• According to the NIST NVD database, TBK DVR4104 and DVR4216 devices are also rebranded and sold as other brands such as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR
• The 5-year-old vulnerability (CVE-2018-9995) is due to an error when handling a maliciously crafted HTTP cookie
• [We are] not aware of any patches provided by the vendor and recommend organizations to review installed models of CCTV camera systems and related equipment for vulnerable models
• Level of attack attempts to exploit an Authentication Bypass Vulnerability in TBK DVR devices (4104/4216) with upto more than 50,000+ unique IPS detections in the month of April 2023
• With tens of thousands of TBK DVRs available under different brands, publicly-available PoC code, and an easy-to-exploit makes this vulnerability an easy target for attackers. The recent spike in IPS detections shows that network camera devices remain a popular target for attackers

Headlines

• May 3, 2023 - Hackers target years-old surveillance camera security flaw
• May 3, 2023 - Attackers are trying to exploit old DVR vulnerabilities (CVE-2018-9995, CVE-2016-20016)
• May 3, 2023 - Hackers Exploiting 5-year-old Unpatched Vulnerability in TBK DVR Devices
• May 2, 2023 - Hackers Exploit High Severity Flaw in TBK DVR Camera System
• May 2, 2023 - Hackers exploit 5-year-old unpatched flaw in TBK DVR devices
• May 2, 2023 - Fortinet warns of a spike in attacks against TBK DVR devices
• May 2, 2023 - Exploitation of 5-Year-Old TBK DVR Vulnerability Spikes

CVE-2023-20126

CRITICAL CVSS 9.80

Actively Exploited Remote Code Execution

Published: May 4, 2023

A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges. Cisco has not released firmware updates to address this vulnerability.

Quotes

• This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware
• This vulnerability is due to a missing authentication process within the firmware upgrade function
• An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware
• A missing authentication process within the firmware upgrade function

Headlines

• May 5, 2023 - Critical RCE vulnerability in Cisco phone adapters, no update available (CVE-2023-20126)
• May 5, 2023 - Cisco Warns of Vulnerability in Popular Phone Adapter, Urges Migration to Newer Model
• May 4, 2023 - Cisco EoL SPA112 2-Port Phone Adapters are affected by critical RCE
• May 4, 2023 - Cisco phone adapters vulnerable to RCE attacks, no fix available
• May 4, 2023 - Cisco Warns of Critical Vulnerability in EoL Phone Adapters

CVE-2016-20016

CRITICAL CVSS 9.80

Remote Code Execution

Published: Oct. 19, 2022

MVPower CCTV DVR models, including TV-7104HE 1.8.4 115215B9 and TV7108HE, contain a web shell that is accessible via a /shell URI. A remote unauthenticated attacker can execute arbitrary operating system commands as root. This vulnerability has also been referred to as the "JAWS webserver RCE" because of the easily identifying HTTP response server field. Other firmware versions, at least from 2014 through 2019, can be affected. This was exploited in the wild in 2017 through 2022.

Vendor Impacted: Mvpower

Products Impacted: Tv-7104he, Tv7108he, Tv7108he Firmware, Tv-7104he Firmware

Quotes

• According to the NIST NVD database, TBK DVR4104 and DVR4216 devices are also rebranded and sold as other brands such as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR
• A remote attacker may be able to exploit this flaw to bypass authentication and obtain administrative privileges, eventually leading access to camera video feeds
• Level of attack attempts to exploit an Authentication Bypass Vulnerability in TBK DVR devices (4104/4216) with upto more than 50,000+ unique IPS detections in the month of April 2023
• With tens of thousands of TBK DVRs available under different brands, publicly-available PoC code, and an easy-to-exploit makes this vulnerability an easy target for attackers. The recent spike in IPS detections shows that network camera devices remain a popular target for attackers

Headlines

• May 3, 2023 - Attackers are trying to exploit old DVR vulnerabilities (CVE-2018-9995, CVE-2016-20016)
• May 3, 2023 - Hackers Exploiting 5-year-old Unpatched Vulnerability in TBK DVR Devices
• May 2, 2023 - Hackers exploit 5-year-old unpatched flaw in TBK DVR devices
• May 2, 2023 - Fortinet warns of a spike in attacks against TBK DVR devices
• May 2, 2023 - Exploitation of 5-Year-Old TBK DVR Vulnerability Spikes

CVE-2021-45046

CRITICAL CVSS 9.00

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Dec. 14, 2021

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Vendors Impacted: Apache, Debian, Intel, Siemens, Fedoraproject

Products Impacted: Secure Device Onboard, 6bk1602-0aa42-0tp0 Firmware, 6bk1602-0aa12-0tp0 Firmware, 6bk1602-0aa52-0tp0, 6bk1602-0aa32-0tp0, Tracealertserverplus, Siveillance Vantage, Fedora, 6bk1602-0aa12-0tp0, 6bk1602-0aa22-0tp0 Firmware, 6bk1602-0aa42-0tp0, Siveillance Control Pro, Audio Development Kit, System Debugger, Debian Linux, Operation Scheduler, 6bk1602-0aa32-0tp0 Firmware, Siveillance Command, Log4j, Opcenter Intelligence, Solid Edge Harness Design, 6bk1602-0aa52-0tp0 Firmware, Siveillance Identity, Mendix, Sensor Solution Firmware Development, Computer Vision Annotation Tool, 6bk1602-0aa22-0tp0, Industrial Edge Management, Teamcenter, Siguard Dsa, Desigo Cc Info Center, Vesys, Energyip Prepay, Industrial Edge Management Hub, Siveillance Viewpoint, Solid Edge Cam Pro, E-Car Operation Center, Head-End System Universal Device Int, Spectrum Power 4, Comos, Sipass Integrated, Datacenter Manager, Spectrum Power 7, Log4j2, Genomics Kernel Library, Sentron Powermanager, Mindsphere, Captial, Xpedition Enterprise, Xpedition Package Integrator, Desigo Cc Advanced Reports, Nx, Navigator, System Studio, Energy Engage, Oneapi, Logo\! Soft Comfort, Energyip, Gma-Manager

Quotes

• That said, this is nothing new for the maintainers of the Mirai botnet, who are known for quickly exploiting IoT devices to maintain their foothold in the enterprise
• Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server

Headlines

• May 2, 2023 - CISA warns of Mirai botnet exploiting TP-Link routers
• May 2, 2023 - CISA adds TP-Link, Apache, and Oracle bugs to its Known Exploited Vulnerabilities catalog
• May 2, 2023 - Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected

CVE-2023-1389

HIGH CVSS 8.80

CISA Known Exploited Actively Exploited Remote Code Execution

Published: March 15, 2023

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.

Vendor Impacted: Tp-Link

Products Impacted: Archer Ax21 Firmware, Archer Ax21

Quotes

• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise
• That said, this is nothing new for the maintainers of the Mirai botnet, who are known for quickly exploiting IoT devices to maintain their foothold in the enterprise
• Oracle WebLogic Server contains an unspecified vulnerability that allows an unauthenticated attacker with network access via T3, IIOP, to compromise Oracle WebLogic Server

Headlines

• May 4, 2023 - Patch now! The Mirai IoT botnet is exploiting TP-Link routers
• May 3, 2023 - TP-Link routers targeted by Mirai botnet once again, US government warns
• May 2, 2023 - CISA warns of Mirai botnet exploiting TP-Link routers
• May 2, 2023 - CISA Warns of Attacks Exploiting Oracle WebLogic Vulnerability Patched in January
• May 2, 2023 - CISA adds TP-Link, Apache, and Oracle bugs to its Known Exploited Vulnerabilities catalog
• May 2, 2023 - Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected
• April 30, 2023 - newsletter Round 417 by Pierluigi Paganini – International edition

CVE-2023-21839

HIGH CVSS 7.50

CISA Known Exploited Public Exploits Available

Published: Jan. 18, 2023

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vendor Impacted: Oracle

Product Impacted: Weblogic Server

Quotes

• That said, this is nothing new for the maintainers of the Mirai botnet, who are known for quickly exploiting IoT devices to maintain their foothold in the enterprise

Headlines

• May 2, 2023 - CISA warns of Mirai botnet exploiting TP-Link routers
• May 2, 2023 - CISA Warns of Attacks Exploiting Oracle WebLogic Vulnerability Patched in January
• May 2, 2023 - CISA adds TP-Link, Apache, and Oracle bugs to its Known Exploited Vulnerabilities catalog

CVE-2023-1966

HIGH CVSS 7.40

Risk Context N/A

Published: April 28, 2023

Instruments with Illumina Universal Copy Service v1.x and v2.x contain an unnecessary privileges vulnerability. An unauthenticated malicious actor could upload and execute code remotely at the operating system level, which could allow an attacker to change settings, configurations, software, or access sensitive data on the affected product.

Quotes

• Anything that touches DNA — yes, it's a privacy concern — but also think about digital forensics or think about custom cancer treatments, right
• An unauthenticated malicious actor could upload and execute code remotely at the operating system level, which could allow an attacker to change settings, configurations, software, or access sensitive data on the affected product
• Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; a threat actor could interact through the affected product via a connected network

Headlines

• May 3, 2023 - DNA Sequencing Equipment Vulnerability Adds New Twist to Medical Device Cyber Threats
• May 1, 2023 - DNA sequencing platform hit by serious security flaws
• April 29, 2023 - CISA warns of a critical flaw affecting Illumina medical devices

CVE-2023-21932

HIGH CVSS 7.20

Actively Exploited Remote Code Execution

Published: April 18, 2023

Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: OXI). The supported version that is affected is 5.6. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. While the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L).

Quotes

• Difficult to exploit vulnerability allows high privileged attacker
• This vulnerability does not require any authentication to exploit, despite what Oracle claims
• RCE is possible without any special access or knowledge. All steps performed in the exploitation of this vulnerability were without any authentication. This vulnerability should have a CVSS score of 10.0

Headlines

• May 5, 2023 - This Week In Security: Oracle Opera, Passkeys, And AirTag RFC
• May 3, 2023 - Hotels at Risk From Bug in Oracle Property Management Software
• May 2, 2023 - Easily exploitable flaw in Oracle Opera could spell trouble for hotel chains (CVE-2023-21932)