September 24, 2022

COSFONE

Networking, PBX, IT, DIY Solution

Apache Multiple Components Vulnerability Disclosure (CVE-2022-32533)

3 min read

Apache Multiple Components Vulnerability Disclosure (CVE-2022-32533)



 

Apache Multiple Components Vulnerability Disclosure (CVE-2022-32533).

 

On July 6th, OSCS detected the disclosure of vulnerabilities in multiple projects of the Apache Foundation. Users of the corresponding components are requested to pay attention.

 

Vulnerability Overview

1、Apache Portals Jetspeed-2(CVE-2022-32533)

Apache Portals Jetspeed-2 does not handle user input securely, causing many problems including XSS, CSRF, XXE and SSRF.

  • Vulnerability Impact Rating: Medium Critical

  • Utilization cost: low

  • Affected Components:


org.apache.portals.jetspeed-2:jetspeed-2

  • Affected versions:

    \*2.3.1\*,2.3.1

    , the official is no longer maintained, no repair version

  • CVE Number: CVE-2022-32533

Taking XSS as an example, when the registered user name is set to , a pop-up window will be triggered every time the user name is loaded after registration and login. Configuring xss.filter.post = true can mitigate the risk.

 

However, it is officially stated that Apache Portals Jetspeed-2 is a project that is no longer maintained in Apache Portals and will not provide updates. OSCS recommends developers to replace it.

 

Reference link:


https://www.oscs1024.com/hd/MPS-2022-17607/?src=wx

https://nvd.nist.gov/vuln/detail/CVE-2022-32533


2、Apache Commons Configuration(CVE-2022-33980)

Apache Commons Configuration is a component used to manage configuration files. In some versions before 2.8, it supports a variety of variable value methods, including javax.script, dns and url, resulting in arbitrary code execution or network access.

  • Vulnerability Impact Rating: Medium Critical

  • Utilization cost: high

  • Affected Components:


org.apache.commons:commons-configuration2

  • Affected versions: \[2.4, 2.8.0), the official has fixed this problem by disabling dangerous methods in version 2.8.0

  • CVE Number: CVE-2022-33980

Strings in the form ${prefix:name}of can be parsed. When the strings of the interpolate operation are controllable, the vulnerability can be exploited. The supported prefixes are shown in the figure below.

Apache Multiple Components Vulnerability Disclosure (CVE-2022-32533)

It can be triggered in the following code

Apache Multiple Components Vulnerability Disclosure (CVE-2022-32533)

Reference link:


https://www.oscs1024.com/hd/MPS-2022-19214/?src=wx

https://nvd.nist.gov/vuln/detail/CVE-2022-33980


3、Apache Superset(CVE-2021-37839)

Apache Superset is a data visualization and data exploration platform.

In affected versions of Apache Superset, authenticated users have unauthorized access to dataset-related metadata information, including dataset names, columns, and metrics.

  • Vulnerability Impact Rating: Medium Critical

  • Utilization cost: medium

  • Affected Components:


apache-superset

  • Affected version: \[\*, 1.5.1), the official has fixed this problem in version 1.5.1

  • CVE Number: CVE-2021-37839


参考链接:

https://www.oscs1024.com/hd/MPS-2021-28604/?src=wx

https://nvd.nist.gov/vuln/detail/CVE-2021-37839

Disposal advice

OSCS recommends users who use the above components to repair to a safe version as soon as possible according to the above risk tips.

For more vulnerability information, see: https://www.oscs1024.com/hl



Copyright © All rights reserved. | Newsphere by AF themes.