On August 25 (US time), the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security announced in "CISA Adds Ten Known Exploited Vulnerabilities to Catalog | CISA" that it has added ten vulnerabilities to its Known Exploited Vulnerabilities Catalog. These vulnerabilities have been confirmed as actively exploited by cybercriminals, so caution is required.
The main affected products and services are as follows.
- CVE-2022-26352 dotCMS - dotCMS
- CVE-2022-24706 Apache - CouchDB
- CVE-2022-24112 Apache - APISIX
- CVE-2022-22963 VMware Tanzu - Spring Cloud
- CVE-2022-2294 WebRTC - WebRTC
- CVE-2021-39226 Grafana Labs - Grafana
- CVE-2021-38406 Delta Electronics - DOPSoft 2
- CVE-2021-31010 Apple - iOS, macOS, watchOS
- CVE-2020-36193 PEAR - Archive Tar
- CVE-2020-28949 PEAR - Archive Tar
The main details of the vulnerabilities are as follows.
CVE ID | Vulnerability description |
---|---|
CVE-2022-26352 | dotCMS ContentResource API contains an unrestricted upload of file with a dangerous type vulnerability that allows for directory traversal, in which the file is saved outside of the intended storage location. Exploitation allows for remote code execution. |
CVE-2022-24706 | Apache CouchDB contains an insecure default initialization of resource vulnerability which can allow an attacker to escalate to administrative privileges. |
CVE-2022-24112 | Apache APISIX contains an authentication bypass vulnerability that allows for remote code execution. |
CVE-2022-22963 | When using routing functionality in VMware Tanzu's Spring Cloud Function, it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. |
CVE-2022-2294 | WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability which allows an attacker to perform shellcode execution. This vulnerability impacts web browsers using WebRTC including but not limited to Google Chrome. |
CVE-2021-39226 | Grafana contains an authentication bypass vulnerability that allows authenticated and unauthenticated users to view and delete all snapshot data, potentially resulting in complete snapshot data loss. |
CVE-2021-38406 | Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation) resulting in an out-of-bounds write that allows for code execution. |
CVE-2021-31010 | In affected versions of Apple iOS, macOS, and watchOS, a sandboxed process may be able to circumvent sandbox restrictions. |
CVE-2020-36193 | PEAR Archive_Tar Tar.php allows write operations with directory traversal due to inadequate checking of symbolic links. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux. |
CVE-2020-28949 | PEAR Archive_Tar allows an unserialization attack because phar: is blocked but PHAR: is not blocked. PEAR stands for PHP Extension and Application Repository and it is an open-source framework and distribution system for reusable PHP components with known usage in third-party products such as Drupal Core and Red Hat Linux. |
The vulnerabilities added to the catalog this time range from recently published ones to ones published in 2020. The catalog is designed to add vulnerabilities that are being actively exploited by attackers, and it often includes older vulnerabilities. Because the entries added are high risk, organizations using the products added to the catalog should re-check the relevant information and apply updates as needed.
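One practical way to act on this advice is to cross-check an asset inventory against the catalog entries. The following Python script is an added example and is not code from CISA or from the article. It assumes the JSON layout of the public KEV feed (a `vulnerabilities` array whose objects carry `cveID`, `vendorProject`, `product` and `dateAdded`); the sample feed below is constructed from the ten CVEs named above, and the inventory is constructed as well. Note that the catalog does not carry version ranges, so a match means "review this host against the vendor advisory", not "confirmed vulnerable".

```python
"""Cross-check a software inventory against CISA KEV catalog entries.

Added example, not CISA's code. The JSON field names follow the public KEV
feed (assumption); the entries are constructed from the ten CVEs in the
article, and the inventory hosts are constructed for this example.
"""
import json
import re

# Constructed sample feed: same shape as the KEV JSON feed, restricted to the
# ten entries added on 2022-08-25 as listed in the article.
KEV_SAMPLE_JSON = json.dumps({
    "title": "Sample KEV extract (constructed for this example)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-26352", "vendorProject": "dotCMS", "product": "dotCMS", "dateAdded": "2022-08-25"},
        {"cveID": "CVE-2022-24706", "vendorProject": "Apache", "product": "CouchDB", "dateAdded": "2022-08-25"},
        {"cveID": "CVE-2022-24112", "vendorProject": "Apache", "product": "APISIX", "dateAdded": "2022-08-25"},
        {"cveID": "CVE-2022-22963", "vendorProject": "VMware Tanzu", "product": "Spring Cloud", "dateAdded": "2022-08-25"},
        {"cveID": "CVE-2022-2294", "vendorProject": "WebRTC", "product": "WebRTC", "dateAdded": "2022-08-25"},
        {"cveID": "CVE-2021-39226", "vendorProject": "Grafana Labs", "product": "Grafana", "dateAdded": "2022-08-25"},
        {"cveID": "CVE-2021-38406", "vendorProject": "Delta Electronics", "product": "DOPSoft 2", "dateAdded": "2022-08-25"},
        {"cveID": "CVE-2021-31010", "vendorProject": "Apple", "product": "iOS, macOS, watchOS", "dateAdded": "2022-08-25"},
        {"cveID": "CVE-2020-36193", "vendorProject": "PEAR", "product": "Archive Tar", "dateAdded": "2022-08-25"},
        {"cveID": "CVE-2020-28949", "vendorProject": "PEAR", "product": "Archive Tar", "dateAdded": "2022-08-25"},
    ],
})

# Constructed inventory: host names and spellings are hypothetical.
INVENTORY = [
    {"host": "couch-01", "vendor": "Apache", "product": "CouchDB"},
    {"host": "mon-02", "vendor": "Grafana Labs", "product": "grafana"},
    {"host": "mac-17", "vendor": "Apple", "product": "macOS"},
    {"host": "web-03", "vendor": "PEAR", "product": "Archive_Tar"},
    {"host": "db-05", "vendor": "PostgreSQL", "product": "PostgreSQL"},
]


def normalize(name):
    """Lower-case and collapse separators so 'Archive_Tar' equals 'Archive Tar'."""
    return re.sub(r"[\s_\-]+", " ", name.strip().lower())


def load_kev(text):
    """Index KEV entries by (vendor, product); comma-separated products
    such as 'iOS, macOS, watchOS' become one key per product."""
    index = {}
    for entry in json.loads(text)["vulnerabilities"]:
        vendor = normalize(entry["vendorProject"])
        for product in entry["product"].split(","):
            key = (vendor, normalize(product))
            index.setdefault(key, []).append(entry["cveID"])
    return index


def match_inventory(inventory, kev_index):
    """Return one finding per (host, CVE) pair whose vendor/product is in the catalog.
    A finding is a prompt to check the vendor advisory; KEV carries no version data."""
    findings = []
    for item in inventory:
        key = (normalize(item["vendor"]), normalize(item["product"]))
        for cve in kev_index.get(key, []):
            findings.append({
                "host": item["host"],
                "vendor": item["vendor"],
                "product": item["product"],
                "cveID": cve,
            })
    return findings


if __name__ == "__main__":
    for finding in match_inventory(INVENTORY, load_kev(KEV_SAMPLE_JSON)):
        print(f"{finding['host']}: {finding['vendor']} {finding['product']} -> review {finding['cveID']}")
```

Against the constructed inventory this reports five findings: one each for the CouchDB, Grafana and macOS hosts, two for the host running Archive_Tar, and nothing for the PostgreSQL host. Pointing `load_kev` at the live feed instead of the sample string is the only change needed for real use.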