Kostya Kortchinsky

Name of the Vulnerable Software and Affected Versions: Apache Avro versions 1.11.3 and previous versions Apache Avro versions prior to 1.11.4 Bamboo Data Center and Server versions 9.2.1, 9.6.0, and 10.0.0-rc3 Bitbucket Data Center and Server versions 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 9.0.0, 9.1.0, and 9.2.0 Confluence Data Center and Server version 6.5 Description: The vulnerability in the Apache Avro Java SDK is related to schema parsing, which allows bad actors to execute arbitrary code. This issue affects versions prior to 1.11.4 and can be exploited by unauthenticated attackers, potentially exposing assets in the environment to exploitation. The vulnerability has a low impact on confidentiality, integrity, and availability, and requires no user interaction. It is recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue. Recommendations: For Apache Avro versions 1.11.3 and previous versions, upgrade to version 1.11.4 or 1.12.0. For Bamboo Data Center and Server versions 9.2.1, 9.6.0, and 10.0.0-rc3, upgrade to a release greater than or equal to 9.2.20, 9.6.8, or 10.0.3, respectively. For Bitbucket Data Center and Server versions 8.6.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 9.0.0, 9.1.0, and 9.2.0, upgrade to a release greater than or equal to 8.9.21 or 8.19.11, respectively. For Confluence Data Center and Server version 6.5, upgrade to a release greater than or equal to 7.19.30, 8.5.18, or 9.1.1, respectively. As a temporary workaround, consider disabling schema parsing in the Java SDK until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apache Hive versions 4.0.0-alpha-1 through 4.0.0 **Description** The issue affects the Hive JDBC driver component and can potentially lead to arbitrary code execution on the machine/endpoint that the JDBC driver (client) is running. The malicious user must have sufficient permissions to specify/edit JDBC URL(s) in an endpoint relying on the Hive JDBC driver and the JDBC client process must run under a privileged user to fully exploit the issue. An attacker can setup a malicious HTTP server and specify a JDBC URL pointing towards this server. When a JDBC connection is attempted, the malicious HTTP server can provide a special response with customized payload that can trigger the execution of certain commands in the JDBC client. **Recommendations** To resolve the issue, upgrade to version 4.0.0, which fixes the problem. As a temporary workaround, consider restricting access to the Hive JDBC driver component to minimize the risk of exploitation. Avoid using the JDBC URL parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Hive versions 1.2.0 and later Apache Spark versions 2.0.0 and later **Description** The issue is related to the exposure of digital signatures in cookie data, which can lead to security vulnerabilities and exploitation. The vulnerable CookieSigner logic was introduced in Apache Hive and Apache Spark, allowing malicious actors to modify cookie values. The affected components include org.apache.hive:hive-service, org.apache.spark:spark-hive-thriftserver 2.11, and org.apache.spark:spark-hive-thriftserver 2.12. Exposing the correct cookie signature can lead to further exploitation. **Recommendations** For Apache Hive version 1.2.0 and later, update to a version that fixes the vulnerable CookieSigner logic. For Apache Spark version 2.0.0 and later, update to a version that fixes the vulnerable CookieSigner logic. As a temporary workaround, consider disabling the `CookieSigner` function until a patch is available. Restrict access to the affected components, including org.apache.hive:hive-service, org.apache.spark:spark-hive-thriftserver 2.11, and org.apache.spark:spark-hive-thriftserver 2.12, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Ivy versions 2.4.0 through 2.5.0 **Description** The issue is related to the extraction of archives in Apache Ivy, where the target path is not verified for artifacts using "zip", "jar", or "war" packaging. This allows an archive with absolute paths or paths that traverse "upwards" using ".." sequences to write files to any location on the local file system that the user executing Ivy has write access to. **Recommendations** For Apache Ivy versions 2.4.0 to 2.5.0, upgrade to Ivy version 2.5.1 to resolve the issue. As a temporary workaround, consider restricting the use of the archive extraction feature until the upgrade is applied. Avoid using archives with absolute paths or paths that traverse "upwards" using ".." sequences in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Ivy versions 2.0.0 through 2.5.1 **Description** The issue is related to the incorrect restriction of the directory path name in the Apache Ivy package manager. This can allow a remote attacker to gain unauthorized access to the file system. When Apache Ivy downloads artifacts from a repository, it stores them in the local file system based on a user-supplied pattern that may include placeholders for artifact coordinates. If these coordinates contain "../" sequences, it is possible for artifacts to be stored outside of Ivy's local cache or repository, or to overwrite different artifacts inside the local cache. To exploit this issue, an attacker needs collaboration from the remote repository, as Ivy will issue HTTP requests containing ".." sequences that a normal repository will not interpret as part of the artifact coordinates. **Recommendations** For Apache Ivy versions 2.0.0 through 2.5.1, upgrade to Ivy 2.5.1 to resolve the issue. As a temporary workaround, consider restricting the use of user-supplied patterns that may include "../" sequences in artifact coordinates until the upgrade is applied. Additionally, restrict access to the local cache or repository to minimize the risk of exploitation. Avoid using patterns that contain "../" sequences in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Hadoop versions prior to 2.10.2 Apache Hadoop versions prior to 3.2.4 Apache Hadoop versions prior to 3.3.3 **Description** The issue is related to the `FileUtil.unTar(File, File)` API in Apache Hadoop, which does not escape the input file name before being passed to the shell, allowing an attacker to inject arbitrary commands. This API is used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only run by a local user, and in Hadoop 2.x for yarn localization, enabling remote code execution. It is also used in Apache Spark from the SQL command ADD ARCHIVE, but executing shell scripts does not confer new permissions to the caller. **Recommendations** To resolve the issue, users should upgrade to Apache Hadoop 2.10.2 or upper. To resolve the issue, users should upgrade to Apache Hadoop 3.2.4 or upper. To resolve the issue, users should upgrade to Apache Hadoop 3.3.3 or upper. As a temporary workaround, consider restricting the use of the `FileUtil.unTar(File, File)` API until a patch is available. Avoid using the SQL command ADD ARCHIVE in Apache Spark until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache Spark versions 3.0.3 and earlier Apache Spark versions 3.1.1 to 3.1.2 Apache Spark versions 3.2.0 to 3.2.1 **Description** The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as. **Recommendations** For Apache Spark versions 3.0.3 and earlier, upgrade to a supported version of Apache Spark, such as version 3.4.0. For Apache Spark versions 3.1.1 to 3.1.2, upgrade to a supported version of Apache Spark, such as version 3.4.0. For Apache Spark versions 3.2.0 to 3.2.1, upgrade to a supported version of Apache Spark, such as version 3.4.0. As a temporary workaround, consider disabling the `spark.acls.enable` option until a patch is available. Restrict access to the HttpSecurityFilter to minimize the risk of exploitation. Avoid using arbitrary user names in the authentication filter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** hostapd versions 0.7.0 through 2.4 wpa supplicant versions 0.7.0 through 2.4 **Description** The issue is related to the WPS UPnP function in hostapd and wpa supplicant, which can be exploited by remote attackers to cause a denial of service (crash) via a negative chunk length. This triggers an out-of-bounds read or heap-based buffer overflow. The vulnerability can be exploited by a remote attacker, allowing them to cause a denial of service. **Recommendations** For hostapd versions 0.7.0 through 2.4, consider disabling the WPS UPnP function as a temporary workaround until a patch is available. For wpa supplicant versions 0.7.0 through 2.4, restrict the use of the WPS external registrar (ER) feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** hostapd versions 0.5.5 through 2.4 wpa supplicant versions 0.7.0 through 2.4 **Description** The issue is caused by an integer underflow in the WMM Action frame parser. This can be exploited by remote attackers to cause a denial of service (crash) via a crafted frame, triggering an out-of-bounds read. **Recommendations** For hostapd versions 0.5.5 through 2.4, consider disabling the WMM Action frame parser until a patch is available. For wpa supplicant versions 0.7.0 through 2.4, restrict access to the AP mode MLME/SME functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** hostapd and wpa supplicant versions 1.0 through 2.4 **Description** The issue allows remote attackers to cause a denial of service, resulting in an out-of-bounds read and crash, via a crafted message payload. This can be achieved by sending a specially crafted (1) Commit or (2) Confirm message. The problem is caused by a buffer overflow in the EAP-pwd server and peer implementation. **Recommendations** For hostapd and wpa supplicant versions 1.0 through 2.4, consider disabling the EAP-pwd functionality until a patch is available to prevent remote attackers from exploiting this issue. Restrict access to the EAP-pwd server and peer implementation to minimize the risk of exploitation. Avoid using crafted message payloads in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** hostapd and wpa supplicant versions 1.0 through 2.4 **Description** The issue is caused by a buffer overflow in the EAP-pwd server and peer implementation. It allows remote attackers to cause a denial of service (crash) via a specially crafted message. **Recommendations** For hostapd and wpa supplicant versions 1.0 through 2.4, consider disabling the EAP-pwd server and peer implementation until a patch is available to prevent potential denial of service attacks.

**Name of the Vulnerable Software and Affected Versions** hostapd and wpa supplicant versions 1.0 through 2.4 **Description** The issue concerns the EAP-pwd server and peer implementation, which fails to validate if a fragment is already being processed. This allows remote attackers to cause a denial of service, specifically a memory leak, by sending a crafted message. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For hostapd and wpa supplicant versions 1.0 through 2.4, consider applying a patch or update that addresses the EAP-pwd server and peer implementation issue to prevent the denial of service caused by the memory leak. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** hostapd and wpa supplicant versions 1.0 through 2.4 **Description** The issue concerns the EAP-pwd peer implementation in hostapd and wpa supplicant, where the L (Length) and M (More) flags are not cleared before determining if a response should be fragmented. This allows remote attackers to cause a denial of service (crash) via a crafted message. **Recommendations** For hostapd and wpa supplicant versions 1.0 through 2.4, consider applying a patch that clears the L (Length) and M (More) flags before determining response fragmentation to prevent denial of service attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Suricata versions prior to 2.0.8 **Description** The issue is related to the DER parser in Suricata, which can be exploited by remote attackers to cause a denial of service, resulting in a crash. This can be achieved through vectors related to SSL/TLS certificates. **Recommendations** For versions prior to 2.0.8, update to version 2.0.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Quagga versions prior to 1.0.20160309 **Description** The issue arises from the `bgp nlri parse vpnv4` function in `bgp mplsvpn.c` within the VPNv4 NLRI parser in `bgpd` when a specific VPNv4 configuration is used. It relies on a Labeled-VPN SAFI routes-data length field during a data copy, allowing remote attackers to execute arbitrary code or cause a denial of service through a crafted packet, resulting in a stack-based buffer overflow. **Recommendations** For versions prior to 1.0.20160309, update to version 1.0.20160309 or later to resolve the issue. As a temporary workaround, consider restricting the use of the VPNv4 configuration that triggers this issue until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Microsoft Windows versions 2000 SP4, XP SP2, and 2003 SP1 Microsoft Office versions 2000 SP3, XP SP3, 2003 SP2, and Office 2004 for Mac Learning Essentials for Microsoft Office versions 1.0, 1.1, and 1.5 Description: A remote code execution issue exists in the RichEdit components provided with Microsoft Windows and Microsoft Office. This issue can be exploited when a user interacts with a malformed embedded OLE object within a Rich Text Format (RTF) file or a Rich Text e-mail message, which triggers memory corruption. Recommendations: For Microsoft Windows versions 2000 SP4, XP SP2, and 2003 SP1, update to a newer version that contains a fix for this issue. For Microsoft Office versions 2000 SP3, XP SP3, 2003 SP2, and Office 2004 for Mac, update to a newer version that contains a fix for this issue. For Learning Essentials for Microsoft Office versions 1.0, 1.1, and 1.5, update to a newer version that contains a fix for this issue. As a temporary workaround, consider avoiding the use of RichEdit components when interacting with RTF files or Rich Text e-mail messages until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows versions 2000 SP4, XP SP2, and 2003 SP1 **Description** The issue allows remote attackers to execute arbitrary code via an RTF file with a malformed OLE object, triggering memory corruption. **Recommendations** For Microsoft Windows 2000 SP4, consider applying a patch to fix the OLE Dialog component issue. For Microsoft Windows XP SP2, consider applying a patch to fix the OLE Dialog component issue. For Microsoft Windows 2003 SP1, consider applying a patch to fix the OLE Dialog component issue.

Name of the Vulnerable Software and Affected Versions: Microsoft Windows versions prior to the fixed version Description: A buffer overflow issue in the SNMP Service allows remote attackers to execute arbitrary code via a crafted SNMP packet. Recommendations: For Microsoft Windows 2000 SP4, XP SP2, Server 2003, and Server 2003 SP1, update to a version that includes the fix for the SNMP Memory Corruption issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microsoft Office versions 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2 Microsoft Office for Mac versions 2004, X Description: The issue allows user-assisted attackers to execute arbitrary code via a PowerPoint document with a malformed record, which triggers memory corruption. It is a remote code execution vulnerability that can be exploited by constructing a specially crafted PowerPoint file. Recommendations: For Microsoft Office 2000 SP3, update to a version that is not affected by this issue. For Microsoft Office XP SP3, update to a version that is not affected by this issue. For Microsoft Office 2003 SP1 and SP2, update to a version that is not affected by this issue. For Microsoft Office 2004 for Mac, update to a version that is not affected by this issue. For Microsoft Office X for Mac, update to a version that is not affected by this issue.

Name of the Vulnerable Software and Affected Versions: Microsoft Windows XP versions SP1 through SP2 Microsoft Windows Server 2003 versions up to SP1 Description: A buffer overflow issue in the Web Client service allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests. This could enable an attacker to take complete control of the affected system. Recommendations: For Microsoft Windows XP versions SP1 through SP2, update to a newer service pack to resolve the issue. For Microsoft Windows Server 2003 versions up to SP1, update to a newer service pack to resolve the issue. As a temporary workaround, consider restricting access to the Web Client service until a patch is available.