本文整理了网上关于 PAN-OS 在野攻击漏洞 CVE-2024-3400 的各种技术细节信息，包括 Cookie 中的路径穿越漏洞和 Telemetry 中的命令注入漏洞的组合利用，以及攻击者 Post-Exploitation 相关的细节信息。此外，Bishop Fox 发现了新的命令注入漏洞，因此带有漏洞的系统仅仅是禁用 Telemetry 服务是没有用的。

近日，绿盟科技CERT监测到Oracle发布安全公告，修复了Oracle WebLogic Server中存在的两个信息泄露漏洞（CVE-2024-21006/CVE-2024-21007）。

近日，绿盟科技CERT监测到Palo Alto Networks发布安全公告，修复了PAN-OS中存在的命令注入漏洞（CVE-2024-3400）。

近期来自 Flatt Security Inc. 的 RyotaK 披露了 Windows 下多个编程语言的命令注入漏洞（漏洞被命名为 BatBadBut），其中 Rust 语言对应的漏洞编号为 CVE-2024-24576，因为 Rust 语言自带流量属性，国内安全/科技自媒体可能会使用一些怪异的标题来进行宣传。实际上，这个漏洞跟内存安全没有关系，是 Windows 下 cmd.exe 对命令行参数的特殊解析逻辑所导致的逻辑漏洞；此外，这个漏洞也不仅仅影响 Rust，像 PHP、Python 等语言均受影响。

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Framework 6.1.6, 6.0.19 and 5.3.34 are available now: Spring Framework 6.1.6 ships with 41 fixes and documentation improvements. This version will be shipped with Spring Boot 3.2.5, to be released next week. Spring Framework 6.0.19 ships with 14 fixes and documentation improvements. This version will be shipped with Spring Boot 3.1.11, to be released next week. Spring Framework 5.3.34 ships with 10 fixes and documentation improvements. The releases address CVE-2024-22262 for "URL Parsing with Host Validation (3rd report)". Important CVEs on popular projects, like the original CVE-2024-22243, often get attention from the security community. We received many reports and helpful feedback about new attack variants over the last weeks. The security of Spring applications is our priority and we will keep addressing vulnerabilities in a transparent and timely fashion. We are actively working on a new approach that will completely revisit the implementation. Upgrading your project Commercial customers using Spring Boot 2.7 or 3.0 can make use of Spring Boot Hotfix releases 2.7.20.3 and 3.0.15.3. Releases are available now on the Spring commercial artifact repository and can be accessed with a Spring Enterprise Subscription. Commercial customers and OSS users of Spring Boot 3.1 and 3.2 should manually upgrade to Spring Framework 6.0.19 and 6.1.6 now, and to Spring Boot 3.1.11 and 3.2.5 next week when those become available. Project Page | GitHub | Issues | Documentation

The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical if you are invoking batch files on Windows with untrusted arguments. No other platform or use is affected. This vulnerability is identified by CVE-2024-24576. Overview The Command::arg and Command::args APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument. On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted. One exception though is cmd.exe (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution. Mitigations Due to the complexity of cmd.exe, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API guarantees, we improved the robustness of the escaping code, and changed the Command API to return an InvalidInput error when it cannot safely escape an argument. This error will be emitted when spawning the process. The fix will be included in Rust 1.77.2, to be released later today. If you implement the escaping yourself or only handle trusted inputs, on Windows you can also use the CommandExt::raw_arg method to bypass the standard library's escaping logic. Affected Versions All Rust versions before 1.77.2 on Windows are affected, if your code or one of your dependencies executes batch files with untrusted arguments. Other platforms or other uses on Windows are not affected. Acknowledgments We want to thank RyotaK for responsibly disclosing this to us according to the Rust security policy, and Simon Sawicki (Grub4K) for identifying some of the escaping rules we adopted in our fix. We also want to thank the members of the Rust project who helped us disclose the vulnerability: Chris Denton for developing the fix; Mara Bos for reviewing the fix; Pietro Albini for writing this advisory; Pietro Albini, Manish Goregaokar and Josh Stone for coordinating this disclosure; Amanieu d'Antras for advising during the disclosure.

This blog post is an in-depth walkthrough on how we perform security research leveraging GitHub features, including code scanning, CodeQL, and Codespaces. The post Security research without ever leaving GitHub: From code scanning to CVE via Codespaces and private vulnerability reporting appeared first on The GitHub Blog.

漏洞预警丨XZ Utilѕ工具库恶意后门植入漏洞(CVE-2024-3094)【内含自检方式】

近日，绿盟科技CERT监测到JumpServer发布安全公告，修复了两个远程代码执行漏洞。

近日，绿盟科技CERT监测到安全社区披露XZ-Utils工具库存在后门漏洞（CVE-2024-3094），CVSS评分10。