This month's security highlights feature critical vulnerabilities in Adobe ColdFusion, Confluence, Apache Struts, WebRTC, and SSH, alongside incidents involving APT29, MongoDB, the 8220 gang, and Barracuda ESG.
This month we've seen several vulnerabilities and security incidents affecting users. We know you're busy too, so we've sifted through the noise to bring you the real game-changers.
Critical vulnerability in Adobe ColdFusion exploited in the wild
CVE-2023-26360 is a critical vulnerability in Adobe ColdFusion that was published in March 2023. It could allow an attacker to execute arbitrary code on the remote server in the context of the current user. On December 5, 2023, CISA announced that threat actors were actively exploiting this vulnerability to gain initial access to government-owned servers. Customers should update Adobe ColdFusion to the latest version.
According to Wiz data, less than 1% of cloud environments have publicly exposed instances vulnerable to CVE-2023-26360.
Critical RCE vulnerability in Confluence Data Center and Server
CVE-2023-22522 is a critical RCE vulnerability in Confluence Data Center and Confluence Server. The security flaw is a template injection that allows an attacker to inject input into a Confluence page, which could lead to code execution on the remote server. Customers should update Confluence Data Center and Confluence Server to the latest version.
According to Wiz data, 1.5% of cloud environments have publicly exposed instances vulnerable to CVE-2023-22522.
Critical RCE vulnerability in Apache Struts exploited in the wild
Apache Struts is affected by a critical vulnerability tracked as CVE-2023-50164 that could lead to remote code execution (RCE). The security flaw exists in the file upload mechanism and enables unauthorized path traversal and malicious file upload. Researchers have observed several IP addresses engaged in exploitation attempts against this vulnerability, which indicates that threat actors are actively attempting to leverage this flaw. Customers are advised to update Apache Struts to the latest version.
According to Wiz data, 4% of cloud environments have publicly exposed resources vulnerable to CVE-2023-50164.
Terrapin vulnerability in the SSH protocol
CVE-2023-48795 (also known as Terrapin) is a vulnerability in the SSH cryptographic network protocol that could allow an attacker to compromise the integrity of transmitted data or downgrade the connection's security level by truncating the extension negotiation message. However, exploitation of this vulnerability seems unlikely, as an attacker must be positioned to perform a man-in-the-middle (MitM) attack. Moreover, exploitation would only be valuable to an attacker aiming to cause a denial of service or to one capable of breaking the downgraded encryption.
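The downgrade described above only works against peers that do not negotiate strict key exchange, so a defender's first check is what a server actually offers. The following Python is an added example, not part of the Wiz post: it parses a decrypted SSH_MSG_KEXINIT payload and flags offers that remain exposed. It assumes, from the Terrapin advisory rather than this page, that the affected modes are chacha20-poly1305@openssh.com and CBC ciphers combined with encrypt-then-MAC, and that the mitigation is the OpenSSH kex-strict-s-v00@openssh.com extension; the sample offers are constructed.

```python
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # OpenSSH strict-kex extension (server side)
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def _name_list(buf, off):
    # RFC 4251 name-list: uint32 length, then comma-separated ASCII names
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + 4 + n

def parse_kexinit(payload):
    # Decrypted SSH_MSG_KEXINIT payload: msg id, 16-byte cookie, ten name-lists
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}
    for name in FIELDS:
        out[name], off = _name_list(payload, off)
    return out

def terrapin_exposure(kexinit):
    # Empty result means strict kex is advertised or no affected mode is offered
    if STRICT_KEX_SERVER in kexinit["kex"]:
        return []
    findings = []
    for enc, mac in (("enc_c2s", "mac_c2s"), ("enc_s2c", "mac_s2c")):
        ciphers, macs = kexinit[enc], kexinit[mac]
        if "chacha20-poly1305@openssh.com" in ciphers:
            findings.append(f"{enc}: chacha20-poly1305@openssh.com without strict kex")
        if any(c.endswith("-cbc") for c in ciphers) and any(m.endswith("-etm@openssh.com") for m in macs):
            findings.append(f"{enc}: CBC cipher with EtM MAC without strict kex")
    return findings

def build_kexinit(lists):
    # Constructed sample builder (zero cookie, no guess packet) for offline testing
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for names in lists:
        s = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + b"\x00\x00\x00\x00"

# Constructed offers: one legacy server and one that advertises strict kex
ENC = ["chacha20-poly1305@openssh.com", "aes256-cbc"]
MAC = ["hmac-sha2-256-etm@openssh.com"]
COMMON = [["ssh-ed25519"], ENC, ENC, MAC, MAC, ["none"], ["none"], [], []]
LEGACY_OFFER = build_kexinit([["curve25519-sha256"]] + COMMON)
STRICT_OFFER = build_kexinit([["curve25519-sha256", STRICT_KEX_SERVER]] + COMMON)
```

Against a live host the same parser applies to the server's KEXINIT captured after the version exchange; it is sent in the clear, so no keys are needed to read it.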
Buffer overflow vulnerability in WebRTC exploited in the wild
CVE-2023-7024 is a critical vulnerability in WebRTC that affects products using this library, such as Google Chrome and other Chromium-based browsers. The vulnerability is a heap-based buffer overflow that could be exploited to crash the program or execute arbitrary code. It has been observed being exploited in the wild, and it is recommended to apply the patch urgently. In cloud environments, this is most likely to pose a risk to virtual desktops, since user interaction is required (i.e., visiting a malicious webpage).
Russian threat actor APT29 targeting TeamCity servers
APT29, a hacking group linked to Russia's Foreign Intelligence Service (SVR), has been targeting TeamCity servers since September 2023. They are exploiting CVE-2023-42793, a critical vulnerability that allows unauthenticated remote code execution on the targeted server. Customers are advised to update TeamCity to the patched version and search for indicators of compromise in their environment.
MongoDB security incident
MongoDB is investigating a security incident involving unauthorized access to certain MongoDB corporate systems, which may have exposed some customer account metadata. However, there is no known impact to data stored by customers in MongoDB instances or MongoDB Atlas clusters, and no customer action is required at this time.
8220 Gang exploiting vulnerability in Oracle WebLogic
8220 Gang, a financially motivated Chinese threat actor known for its cryptojacking activity, has been observed by researchers exploiting CVE-2020-14883, a remote code execution (RCE) vulnerability in Oracle WebLogic Server. The attackers appear to be exploiting the vulnerability to infect victims with cryptojacking malware. It is recommended to update WebLogic to the latest version and check for indicators of compromise in your environment.
RCE vulnerability in Barracuda ESG exploited by Chinese threat actor
CVE-2023-7102 is a zero-day vulnerability exploited by Chinese threat actor UNC4841 to execute arbitrary code on vulnerable Barracuda ESG appliances. The bug stems from a vulnerability in a third-party library called `Spreadsheet::ParseExcel`, used by the Amavis virus scanner that is included in ESG.
Barracuda released a security update on December 21, 2023, to automatically fix this vulnerability in all Internet-connected ESG instances. Therefore, no customer action is required.