Multiple Apple watchOS, tvOS, macOS Monterey, iOS and iPadOS Vulnerabilities
January 27, 2022Rewterz Threat Alert – APT-28 FancyBear – Active IOCs
January 27, 2022Severity
High
Analysis Summary
CVE-2022-21279; CVE-2022-21280;
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Management API. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21288; CVE-2022-21290
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a access past the end of an array. An attacker can leverage this vulnerability to execute code in the context of the service account
CVE-2022-21287
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21286; CVE-2022-21285
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an array. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21289; CVE-2022-21284
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21307
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21308
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21309; CVE-2022-21310
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an array. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21311
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service user.
CVE-2022-21312
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account.
CVE-2022-21313
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account.
CVE-2022-21314
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21315
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an array. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21316
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an array. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21317
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account
CVE-2022-21318
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an array. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21319
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account
CVE-2022-21320
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21321
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account.
CVE-2022-21322
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21323
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account.
CVE-2022-21324
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account.
CVE-2022-21325
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account.
CVE-2022-21326
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an array. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21327
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21328
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an array. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21329
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an array. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21330
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an array. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21331
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account.
CVE-2022-21332
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an array. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21333
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account.
CVE-2022-21334
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21335
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account
CVE-2022-21336
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account
CVE-2022-21337
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21346
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle Business Intelligence. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the ReportTemplateService endpoint, which listens on TCP port 9502 by default. Due to the improper restriction of XML External Entity (XXE) references, a crafted document specifying a URI causes the XML parser to access the URI and embed the contents back into the XML document for further processing. An attacker can leverage this vulnerability to disclose information in the context of the service account.
CVE-2022-21355
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account.
CVE-2022-21357
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account.
CVE-2022-21356
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the service account.
CVE-2022-21380
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an array. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account.
CVE-2022-21394
This vulnerability allows local attackers to disclose sensitive information on affected installations of Oracle VirtualBox. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability.
The specific flaw exists within the implementation of the TFTP server. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the hypervisor
Impact
- Information Disclosure
- Remote Code Execution
- Buffer Overflow
Affected Vendors
Oracle
Affected Products
- MySQL Cluster
Remediation
Visit the Vendor Website to download the updates and patches published in January critical patches