Security vulnerability notification
security
25 July 2022 7:43
Dear Creodias Users,

In the Security section customers will find information about the latest and most critical security vulnerabilities, published in the last month by the SANS Institute (www.sans.org). Security vulnerabilities in software and hardware are very often used by cybercriminals to attack IT infrastructure and steal or destroy companies' data, which is why companies are advised to fix those vulnerabilities as soon as possible.

ID: CVE-2022-2068 Title: Command injection vulnerability in OpenSSL Description: The vulnerability exists due to improper input validation in the c_rehash script distributed by some operating systems. A remote attacker with the ability to pass data to c_rehash script can execute arbitrary OS commands with the privileges of the script. 

ID: CVE-2022-30308 Title: OS command injection vulnerability in Festo Controller CECC-X-M1 Description: In Festo Controller CECC-X-M1 product family in multiple versions, the http-endpoint "cecc-x-web-viewer-request-on" POST request doesn't check for port syntax. This can result in unauthorized execution of system commands with root privileges due to improper access control command injection.

ID: CVE-2022-25900 Title: Command injection vulnerability in git-clone Description: All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git. The use of the --upload-pack feature of git is also supported for git clone and allows users to execute arbitrary commands on the OS.

ID: CVE-2022-2274 Title: Heap memory corruption with RSA private key operation Description: The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048-bit private keys incorrect on such machines and memory corruption will happen during the computation. Because of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048-bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

ID: CVE-2022-33936 Title: Remote code execution vulnerability in Dell EMC Storage Description: Cloud Mobility for Dell EMC Storage, 1.3.0.XXX contains an RCE vulnerability. A non-privileged user could potentially exploit this vulnerability, leading to achieving a root shell. This is a critical issue; so, Dell recommends customers upgrade at the earliest opportunity.

ID: CVE-2022-31137 Title: Remote code execution vulnerability in Roxy-WI Description: Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Roxy-WI versions older than 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Attackers need not be authenticated to exploit this vulnerability.
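The git-clone entry above (CVE-2022-25900) is an instance of argument injection: a caller-controlled "repository" string that begins with `-` is handed to git as an option, and `--upload-pack=<command>` makes git run that command. The following added example is not code from the git-clone package, from git, or from this announcement; it shows a vulnerable wrapper beside a hardened one that rejects option-shaped positional values and terminates option parsing with `--`. The function names, the `example.invalid` URL and the injected `--upload-pack=/usr/bin/id` value are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the git-clone package or from this announcement:
# a wrapper around `git clone` that closes the argument-injection hole behind
# CVE-2022-25900.  The bug class is that a caller-supplied "repository" string
# such as "--upload-pack=<command>" reaches git's argv as an option, and git
# then runs <command>.  Two controls fix it: reject positional values that look
# like options, and put "--" before them so git stops parsing options at all.
# Function and variable names are the author's own choices, not the package's.

# Vulnerable pattern (for comparison only): input is spliced straight into argv,
# so a repository value beginning with "-" becomes a git option.
vulnerable_clone_argv() {
    printf 'git clone %s %s\n' "$1" "$2"
}

# Hardened pattern: validate, then terminate option parsing with "--".
# Prints the argv it would run and returns 0, or returns 1 on rejected input.
safe_clone_argv() {
    repo=$1
    dest=$2
    case "$repo" in
        ''|-*)
            echo "refusing repository argument that looks like an option: '$repo'" >&2
            return 1 ;;
    esac
    case "$dest" in
        -*)
            echo "refusing directory argument that looks like an option: '$dest'" >&2
            return 1 ;;
    esac
    if [ -n "$dest" ]; then
        printf 'git clone -- %s %s\n' "$repo" "$dest"
    else
        printf 'git clone -- %s\n' "$repo"
    fi
}

# Runs the clone for real once the checks pass (requires git on PATH).
safe_clone() {
    safe_clone_argv "$1" "$2" >/dev/null || return 1
    if [ -n "$2" ]; then
        git clone -- "$1" "$2"
    else
        git clone -- "$1"
    fi
}

# Constructed sample inputs: a normal URL and an option-shaped "repository".
# Only the argv is printed here; nothing is cloned.
vulnerable_clone_argv '--upload-pack=/usr/bin/id' work   # injected option passes through
safe_clone_argv 'https://example.invalid/repo.git' work   # normal input accepted
safe_clone_argv '--upload-pack=/usr/bin/id' work || echo 'rejected, as intended'
```

The `--` separator is the control that holds even if the allow-list check is bypassed by an input shape the check did not anticipate; the explicit rejection of values beginning with `-` exists so that the caller gets an error instead of git silently treating the value as a path. The same two controls apply to any wrapper that builds a git (or other CLI) command line from user input.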