Apache Log4j Deserialization and SQL Injection Vulnerability (CVE-2022-23302/CVE-2022-23305/CVE-2022-23307) Alert

January 26, 2022

Overview: On January 19, NSFOCUS CERT detected that Apache released a security bulletin disclosing three Log4j vulnerabilities, all of which affect Apache Log4j 1.x, for which official support and maintenance are no longer available. Relevant users are advised to take protective measures as soon as possible. Apache log4j JMSSink Deserialization Code Execution […]

Apache Solr ConfigSet API Upload Function Vulnerability (CVE-2020-13957) Threat Alert

November 3, 2020


Recently, Apache Solr fixed a vulnerability (CVE-2020-13957) in the Configsets API upload function. Attackers could perform unauthorized operations by using a combination of UPLOAD/CREATE actions, which might eventually lead to command execution.

Apache Solr is an enterprise search server that is based on Lucene.


Apache DolphinScheduler High-Risk Vulnerabilities (CVE-2020-11974, CVE-2020-13922) Threat Alert

September 23, 2020

1. Vulnerability Description

On September 11, 2020, NSFOCUS detected that the Apache Software Foundation had released security advisories fixing an Apache DolphinScheduler permission overwrite vulnerability (CVE-2020-13922) and an Apache DolphinScheduler remote code execution vulnerability (CVE-2020-11974). CVE-2020-11974 is related to a MySQL Connector/J remote code execution vulnerability. When MySQL is chosen as the database, an attacker could execute code remotely on the DolphinScheduler server by supplying {"detectCustomCollations":true, "autoDeserialize":true} through the JDBC connection parameters. CVE-2020-13922 allows an ordinary user to overwrite other users' passwords in the DolphinScheduler system through the API interface /dolphinscheduler/users/update. Affected users are advised to upgrade without delay.


Apache Dubbo Remote Code Execution Vulnerability (CVE-2020-1948) Patch Bypass Threat Alert

July 6, 2020


On June 23, NSFOCUS reported that Apache Dubbo contained a remote code execution vulnerability (CVE-2020-1948) resulting from deserialization.

Apache Dubbo is a high-performance Java RPC framework. The vulnerability exists in Hessian, the default deserialization tool used by Apache Dubbo. An attacker may exploit it by sending malicious RPC requests, which usually contain unrecognized service or method names and malicious parameter payloads. When the malicious parameters are deserialized, the vulnerability is triggered, allowing the attacker to execute code remotely.


Apache Tomcat Session Deserialization Code Execution Vulnerability (CVE-2020-9484) Threat Alert

June 5, 2020

Overview: Recently, Apache Tomcat released a security advisory announcing the fix for a remote code execution vulnerability (CVE-2020-9484) related to session persistence. An attacker can exploit this vulnerability only when the following conditions are met: The attacker can control the contents and name of a file on the server. The server is configured […]

Apache Dubbo Deserialization Vulnerability (CVE-2019-17564) Threat Alert

February 25, 2020


Recently, researchers from the Checkmarx team discovered and disclosed a deserialization vulnerability (CVE-2019-17564) in Apache Dubbo.

Apache Dubbo is a high-performance Java RPC framework. This vulnerability exists in Dubbo applications that have the HTTP protocol enabled for communication. An attacker could exploit this vulnerability by submitting a POST request with a Java object, thereby completely compromising a Provider instance of Apache Dubbo.

Apache Log4j Deserialization Remote Code Execution (CVE-2019-17571) Vulnerability Threat Alert

January 6, 2020

Vulnerability Description

On December 19 local time, the Apache Software Foundation (ASF) officially released a security advisory announcing that Apache Log4j has a deserialization issue that could cause remote code execution (CVE-2019-17571). Log4j is a Java-based open-source logging tool from the Apache Software Foundation. Log4j 1.2 includes a SocketServer class which can easily accept serialized log events and deserialize them without authentication. With the aid of deserialization tools, an attacker could use this class to remotely execute arbitrary code.

Apache Flink Arbitrary Jar Package Upload Threat Alert

December 10, 2019


Recently, researchers have discovered attack data involving the upload of Apache Flink Jar packages. Attackers can exploit this vulnerability to upload a Jar package containing malicious code without authorization, thereby taking control of the target server.

Advisory: Apache Flink Remote Code Execution Vulnerability

December 2, 2019


Recently, a security researcher announced a remote code execution vulnerability in the Apache Flink Dashboard. The vulnerability does not require an attacker to authenticate, and a malicious Jar package can be uploaded via the dashboard to execute code remotely. NSFOCUS researchers also successfully reproduced the issue, confirming that the attack works against the latest version of Flink.

Advisory: Apache Shiro RememberMe Padding Oracle Vulnerability

November 30, 2019

Vulnerability Description

In September 2019, Apache officially published an issue titled "RememberMe Padding Oracle Vulnerability", numbered SHIRO-721. The issue pointed out that because the RememberMe field of the Apache Shiro cookie is encrypted in AES-128-CBC mode, Shiro is vulnerable to Padding Oracle attacks. An attacker can use a legitimate RememberMe cookie as the Padding Oracle attack prefix to construct a RememberMe value that triggers a Java deserialization attack. The attacker does not need to know the RememberMe encryption key when executing the attack. Apache Shiro is a powerful and easy-to-use Java security framework for handling authentication, authorization, passwords, and session management. Recently, exploitation of this vulnerability has been found to be spreading on a small scale, and relevant users should take measures to protect against this vulnerability as soon as possible.

