Programmer’s Digest #61
12/06/2023-12/13/2023 New Critical RCE Vulnerability, SLAM Attack, Atlassian Releases Critical Software Fixes And More.
1. New Critical RCE Vulnerability Discovered in Apache Struts 2 – Patch Now
Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in flawed file upload logic that could enable unauthorized path traversal and, under certain circumstances, be exploited to upload a malicious file and achieve execution of arbitrary code. Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software:
- Struts 2.3.37 (EOL)
- Struts 2.5.0 – Struts 2.5.32, and
- Struts 6.0.0 – Struts 6.3.0
Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue.
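To make the class of bug concrete, the following Java snippet is an added example and not code from Apache Struts or from the advisory. It computes the on-disk location for an upload two ways: the naive way, by joining a client-supplied file name onto the upload root, and the hardened way, which keeps only the last path segment and then verifies that the normalized result still lies under the root. The upload root and the sample file names are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class UploadPathCheck {
    // Hypothetical upload directory; not a Struts setting.
    private static final Path UPLOAD_ROOT =
            Paths.get("/var/app/uploads").toAbsolutePath().normalize();

    /** Vulnerable pattern: the client-controlled file name is used as a path component as-is. */
    static Path unsafeTarget(String clientFileName) {
        return Paths.get(UPLOAD_ROOT.toString(), clientFileName).normalize();
    }

    /** Hardened: drop directory components, then re-check that the result stays under the root. */
    static Path safeTarget(String clientFileName) {
        // Treat both separators as separators, whatever OS the server runs on.
        String base = clientFileName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..")) {
            throw new IllegalArgumentException("rejected file name: " + clientFileName);
        }
        Path target = UPLOAD_ROOT.resolve(base).normalize();
        // Defence in depth: catches anything the strip above missed
        // (for example drive-relative names such as "C:x" on Windows).
        if (!target.startsWith(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes upload root: " + clientFileName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate name, two traversal attempts.
        String[] names = {
            "report.pdf",
            "../../etc/cron.d/job",
            "..\\..\\..\\webapps\\ROOT\\x.jsp"
        };
        for (String n : names) {
            System.out.println("client name: " + n);
            System.out.println("  naive join : " + unsafeTarget(n));
            try {
                System.out.println("  hardened   : " + safeTarget(n));
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened   : " + e.getMessage());
            }
        }
    }
}
```

Run it with `java UploadPathCheck.java` (JDK 11 or later). The naive join lets `../../etc/cron.d/job` resolve outside the upload root, which is the shape of bug the advisory describes; the hardened variant reduces every input to a bare file name and still verifies the final path. A check like this belongs in application code as defence in depth only: for CVE-2023-50164 itself the advisory offers no workaround, so upgrading Struts is the fix.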
2. SLAM Attack: New Spectre-based Vulnerability Impacts Intel, AMD, and Arm CPUs
A new side-channel attack called SLAM, short for Spectre based on LAM, has been disclosed. It could be exploited to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm. LAM is Intel's Linear Address Masking, an upcoming feature that lets software keep metadata in the upper, unused bits of a 64-bit pointer without the CPU rejecting the address as non-canonical; AMD's Upper Address Ignore (UAI) and Arm's Top Byte Ignore (TBI) provide the same capability. SLAM exploits unmasked gadgets, code sequences that use a secret-derived value as a pointer without first masking off those upper bits, to let a userland process leak arbitrary ASCII kernel data. While LAM is presented as a security feature, the study found that it ironically degrades security and “dramatically” increases the Spectre attack surface. The result is a transient execution attack: speculative execution is abused to extract sensitive data through a cache covert channel. Described as the first transient execution attack targeting future CPUs, SLAM takes advantage of a new covert channel based on non-canonical address translation that makes practical exploitation of generic Spectre gadgets feasible.
It impacts the following CPUs:
- Existing AMD CPUs vulnerable to CVE-2020-12965;
- Future Intel CPUs supporting LAM (both 4- and 5-level paging);
- Future AMD CPUs supporting UAI and 5-level paging;
- Future Arm CPUs supporting TBI and 5-level paging.
3. WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability
WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable sites. According to WordPress security company Wordfence, the issue is rooted in the WP_HTML_Token class that was introduced in version 6.4 to improve HTML parsing in the block editor. A threat actor able to exploit a PHP object injection vulnerability in any other installed plugin or theme could chain the two issues to execute arbitrary code and seize control of the targeted site. If a POP (property-oriented programming) chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. In a similar advisory released by Patchstack, the company said an exploitation chain has been available on GitHub since November 17 and has been added to the PHP Generic Gadget Chains (PHPGGC) project. It’s recommended that users manually check their sites to ensure they are updated to the latest version.
4. Sierra:21 – Flaws in Sierra Wireless Routers Expose Critical Sectors to Cyber Attacks
A total of 21 security flaws, collectively named Sierra:21, have been identified in Sierra Wireless AirLink cellular routers and in open-source components they ship, TinyXML and OpenNDS. These vulnerabilities impact more than 86,000 devices in critical sectors worldwide, posing a significant cyber threat. Forescout Vedere Labs reports that devices in the U.S., Canada, Australia, France, and Thailand are predominantly affected. The vulnerabilities could enable attackers to steal credentials, inject malicious code to take control of routers, persist on devices for unauthorized access, and use them as entry points to critical networks. The vulnerabilities have been addressed in ALEOS 4.17.0 (or ALEOS 4.9.9) and OpenNDS 10.1.3, but the outdated TinyXML requires downstream action by affected vendors. Exploitation of these flaws could lead to network disruption, espionage, lateral movement, and deployment of further malware, emphasizing the critical need for prompt mitigation.
5. Atlassian Releases Critical Software Fixes to Prevent Remote Code Execution
Atlassian has issued software patches to address four critical vulnerabilities, each posing a risk of remote code execution:
- CVE-2022-1471 (CVSS score: 9.8): Deserialization flaw in SnakeYAML library affecting multiple products.
- CVE-2023-22522 (CVSS score: 9.0): Remote code execution vulnerability in Confluence Data Center and Server (versions 4.0.0 and later).
- CVE-2023-22523 (CVSS score: 9.8): Remote code execution flaw in Assets Discovery for Jira Service Management Cloud, Server, and Data Center (versions up to 3.2.0-cloud / 6.2.0).
- CVE-2023-22524 (CVSS score: 9.6): Remote code execution vulnerability in Atlassian Companion app for macOS (versions up to 2.0.0).
Notably, CVE-2023-22522 allows authenticated attackers, even those with anonymous access, to inject unsafe input into Confluence pages for code execution. Additionally, CVE-2023-22524 could enable attackers to execute code by using WebSockets to bypass Atlassian Companion’s blocklist and macOS Gatekeeper protections. Users are strongly advised to apply the provided fixes promptly.
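CVE-2022-1471 in the list above is the familiar SnakeYAML pattern: with the library's default constructor, a YAML document can name any class on the classpath through a global tag (`!!fully.qualified.Name`) and have the loader instantiate it. The following Java snippet is an added example, not Atlassian's or SnakeYAML's own code. It loads a constructed document carrying such a tag first with the default loader, which builds the named class, and then with `SafeConstructor`, which refuses the tag. The class named in the sample, `java.net.URL`, is a benign stand-in; the point is that the document, not the application, chooses what gets constructed. It is written against SnakeYAML 1.x releases that have the `SafeConstructor(LoaderOptions)` constructor (older 1.x releases use `new SafeConstructor()`); SnakeYAML 2.0, which fixes CVE-2022-1471, rejects global tags by default.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlLoadDemo {
    // Constructed sample input: a global tag asking the loader to build a JDK class
    // from a one-element sequence (matched to the class's one-argument constructor).
    static final String TAGGED_DOC = "!!java.net.URL [\"http://example.invalid/\"]";

    /** Vulnerable pattern on SnakeYAML 1.x: the default Constructor resolves any global tag to a class. */
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    /** Hardened: SafeConstructor only builds standard YAML types (maps, lists, scalars). */
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
    }

    public static void main(String[] args) {
        Object built = loadUnsafe(TAGGED_DOC);
        System.out.println("default loader built an instance of: " + built.getClass().getName());
        try {
            loadSafe(TAGGED_DOC);
            System.out.println("safe loader unexpectedly accepted the document");
        } catch (ConstructorException e) {
            System.out.println("safe loader rejected the tag: " + e.getMessage());
        }
    }
}
```

Compile and run with snakeyaml on the classpath. The default loader hands back a live `java.net.URL` object that the application never asked for; `SafeConstructor` throws because it has no constructor registered for that tag. In real code the fix is to use `SafeConstructor` (or a `Constructor` restricted to the application's own types) wherever untrusted YAML is parsed, and to upgrade SnakeYAML to 2.x, which is what Atlassian's patches do on the library side.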