Conversation

Critical ../ -> RCE in Apache Struts? Nice. The bulletin is from a couple weeks ago but the CVE was just published today: https://cwiki.apache.org/confluence/display/WW/S2-067

https://nvd.nist.gov/vuln/detail/CVE-2024-53677

There sure is a lot of public exposure of important-looking systems that run Struts still, here in the year of our Sasquatch 2024.

@Viss @cR0w
That would be "hilarious" if Equifax got popped by the same unpatched box just a different vuln.

@FritzAdalis @cR0w I'd fully expect it to be the same box, and just 'the new struts bug, which they will have failed to patch, AGAIN, because there are no consequences'

@cR0w Glad they finally got rid of all those ../ exploits.

Another hit for Apache. This time it's a perfect 10 ( 🍻 @screaminggoat ) in Solr: https://cvefeed.io/vuln/detail/CVE-2024-21574

Note: Apache Solr does not list the CVE on their site ( yet? ) and I have not confirmed that this ComfyUI-Manager vuln does indeed impact Solr. I'm relying on CVE Feed for this one. But it's a 10 so it's worth putting out there to look into.

@screaminggoat I just noticed the patch commit on GitHub was on 23 September so again, the CVE is way behind the fix.

Apache incubator projects have always been gold mines, but Solr stands out based on the traffic it generates on Full-Disclosure...

@cR0w @screaminggoat
Is that the right cve? It looks like a different product.

@FritzAdalis @screaminggoat CVE Feed lists it as Apache Solr Remote Code Execution but I'm not sure if it's mislabeled or if Solr is impacted by the ComfyUI-Manager bug in that CVE.

@buherator Solr is also used in some interesting locations that may or may not get much maintenance attention.

@cR0w I agree with @FritzAdalis, it looks like cvefeed.io dun goofed and wrote CVE-2024-21574 as Apache Solr when the vendor is ltdrdata and product ComfyUI-Manager.

I don't go off assumptions so I will rely on the public record of ComfyUI-Manager (which I've never heard of).

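
The check the posters above are doing by hand, as an added example that is not code from any participant in this thread or from cvefeed.io: read the vendor/product pairs the CNA actually listed in the CVE record (the `containers.cna.affected[]` array of the CVE JSON 5.x format, which is what the public cvelistV5 repository publishes) and compare them against the label an aggregator attached. The record embedded below is constructed for illustration from what the thread states (vendor ltdrdata, product ComfyUI-Manager); it is not the real CVE-2024-21574 record, and the version data is omitted rather than guessed.

```python
"""Compare an aggregator's vendor/product label with the CVE record itself.

Added example for this thread; not code from any poster or from cvefeed.io.
Reads the CVE JSON 5.x layout (containers.cna.affected[]) and reports whether
the feed's label is among the products the CNA listed.
"""
from __future__ import annotations

import json

# CONSTRUCTED sample in the CVE JSON 5.x layout, limited to the fields this
# check reads. Vendor/product are what the thread states; this is NOT the
# published CVE-2024-21574 record.
SAMPLE_RECORD = json.dumps({
    "cveMetadata": {"cveId": "CVE-2024-21574", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "affected": [
                {"vendor": "ltdrdata", "product": "ComfyUI-Manager"},
            ]
        }
    },
})


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive comparison key for vendor/product names."""
    return " ".join(s.split()).lower()


def affected_products(record_json: str) -> set[tuple[str, str]]:
    """Return the normalised (vendor, product) pairs the CNA listed as affected."""
    rec = json.loads(record_json)
    pairs: set[tuple[str, str]] = set()
    for entry in rec.get("containers", {}).get("cna", {}).get("affected", []):
        vendor = _norm(entry.get("vendor", ""))
        product = _norm(entry.get("product", ""))
        if vendor or product:
            pairs.add((vendor, product))
    return pairs


def label_matches(record_json: str, feed_vendor: str, feed_product: str) -> bool:
    """True only if the feed's vendor/product pair appears in the CVE record."""
    return (_norm(feed_vendor), _norm(feed_product)) in affected_products(record_json)


def check_feed_label(record_json: str, feed_vendor: str, feed_product: str) -> str:
    """One-line verdict suitable for a triage note."""
    cve_id = json.loads(record_json)["cveMetadata"]["cveId"]
    if label_matches(record_json, feed_vendor, feed_product):
        return f"{cve_id}: feed label {feed_vendor}/{feed_product} matches the CVE record"
    listed = ", ".join(f"{v}/{p}" for v, p in sorted(affected_products(record_json)))
    return (f"{cve_id}: MISMATCH, feed says {feed_vendor}/{feed_product}, "
            f"record lists {listed}")


if __name__ == "__main__":
    # The label the thread saw on the aggregator, and the one in the record.
    print(check_feed_label(SAMPLE_RECORD, "Apache", "Solr"))
    print(check_feed_label(SAMPLE_RECORD, "ltdrdata", "ComfyUI-Manager"))
```

For a live check, fetch the CNA record for the CVE ID from the CVEProject/cvelistV5 repository and pass its JSON text in place of the constructed sample; an aggregator's own "vendor" field is the thing under test, so it should never be the input to this comparison.
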
@cR0w Yeah I wonder if anyone tracks the frequency and impact of its bugs when doing supply chain analysis...

@buherator What is this "supply chain analysis" you speak of? 😏

@screaminggoat @FritzAdalis I'm with you. I'll poke around a bit but I'm guessing it's a mistake.

@screaminggoat @cR0w @FritzAdalis Apache Solr is mostly Java-based; this product seems to be a web app client/server built in Python. Just the vendor is mistagged, imo.

@ciaranmak @screaminggoat @FritzAdalis That's what it's looking like. Not sure I can celebrate a perfect 10 in something that appears to be on par with WordPress plugins. :-(

@ciaranmak @screaminggoat @FritzAdalis I didn't realize that CVE Feed was a side project run by a single researcher. I thought it was provided by some vendor. An occasional error is acceptable, but now I know not to use it as a source, just a resource. TIL.

@cR0w @ciaranmak @screaminggoat
It's all good. I just wanted to be sure before I emailed my boss and product teams. Besides, I rely on you, and I suspect you're just a side project by a single researcher.

@FritzAdalis @ciaranmak @screaminggoat Oh shit, don't rely on me. I'm a shitposter. The goat can be relied on but not me. This is just an outlet for $dayJob.

@cR0w @FritzAdalis @ciaranmak don't rely on me either, a screaming goat is not a credible source.

@cR0w @FritzAdalis @screaminggoat My personal side project of 5-6 years of RSS/CVE/Feed collection contributed to this startup product *plug*

https://recon.cytidel.com

@cR0w @screaminggoat Does anyone actually USE Apache Solr? I don't think CNET even uses it any more.

@Sempf @screaminggoat A lot of Sitecore sites do, along with struts. And other oddball, unmaintained systems. I'm in utilities so...

@cR0w @screaminggoat Oh yeah I remember speccing a project for AEP, our power utility, and was like "you are using WHAT?"

@Sempf @screaminggoat It's been interesting to see the utilities with the budget change to buying the latest greatest new hot garbage based on MITRE and Gartner while the underfunded ones are still using random old shit because the billing clerk's nephew used it in a college class and it works great and it's "free".

@cR0w @screaminggoat That's not specific to utilities. Many companies have a crapload of open source stuff installed, and no one on staff who even has the slightest idea of how to run it. Open source software is not free like beer. It's free like puppies.
