Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-2316PUBLISHED: 2022-07-06HTML injection vulnerability in secure messages of Devolutions Server before 2022.2 allows attackers to alter the rendering of the page or redirect a user to another site.
CVE-2022-2318PUBLISHED: 2022-07-06There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges.
CVE-2022-33047PUBLISHED: 2022-07-06OTFCC v0.10.4 was discovered to contain a heap buffer overflow after free via otfccbuild.c.
CVE-2022-31111PUBLISHED: 2022-07-06
Frontier is Substrate's Ethereum compatibility layer. In affected versions the truncation done when converting between EVM balance type and Substrate balance type was incorrectly implemented. This leads to possible discrepancy between appeared EVM transfer value and actual Substrate value transferre...
CVE-2022-31124PUBLISHED: 2022-07-06
openssh_key_parser is an open source Python package providing utilities to parse and pack OpenSSH private and public key files. In versions prior to 0.0.6 if a field of a key is shorter than it is declared to be, the parser raises an error with a message containing the raw field value. An attacker a...
User Rank: Ninja
7/15/2021 | 1:21:20 PM
Was this a supply chain issue or was this a flaw in a program that is part of the application that Solarwinds happen to select (not sure why they did not use WinSCP or OpenSSH but that is for another conversation)? In addition, the software has a peer-to-peer file sharing capability and folder synchronization (that is your problem right there), not sure why this was allowed to be part of the application stack, OpenSSH gives you that capability over an encrypted tunnel or WinSCP does the same thing.
In addition, since this uses SSH and Key-Mgmt capabilities, this should have not been compromised because the key should have been unique during its creation process or unless someone created a backdoor in the key creation process, not sure there but not sure why they did not remove the "P2P" file-sharing process.
Oh well, too late to cry over spilled milk, the damage has already been done.
Todd