CVE-2022-45462 Alarm instance management has command injection when there is a specific command configured. It is only for logged-in users.

after the release of 2.0.5, the version 2.0.5 is not supported any more. An upgraded version is always recommended.

After upgrading to version 2.0.6 (or higher), please make sure the alarm implementation is implemented correctly by checking the implementation status in the alarm implementation page. If the implementation is not right, you will get alarm command injection when you login to the system. An example of alarm implementation that may result in command injection is as follows: a href=”javascript:alert('XSS');“>Click here to view code/a> An example of alarm implementation that may result in command injection is as follows: If you are interested in learning more about this, please read the following articles:
In order to upgrade to the latest version, please perform the following steps: 1. Go to “Administer > Settings”, click on “Upgrade alarm version” to upgrade. 2. Now that you upgraded to the latest version, please login to the system and check the implementation status of the alarm implementation. If the implementation is not right, you will get alarm command injection when you login to the system. An example of alarm implementation that may result in command injection is as follows: a href=”javascript:alert('XSS');“>Click here to view code/a> An example of alarm implementation that may result in command injection is as follows: If you are interested

How to check the implementation status?

If you want to check the implementation status of the alarm, please perform the following steps: 1. Go to “Administer > Settings”, click on “Alarm implementation status”.

How to detect if my browser is vulnerable to XSS?

To detect if your browser is vulnerable, please follow the following steps: 1. Open Chrome and go to the URL: https://xss-lab.net/ 2. After you see the page, press F12 key on your keyboard;
a href=”javascript:alert('XSS');”>Click here to view code/a> a href=”javascript:alert('XSS');”>Click here to view code/a> 3. In the console window that pops up, you will see an error message with the XSS key;
a href=”javascript:alert('XSS');”>Click here to view code/a> a href=”javascript:alert('XSS');”>Click here to view code/a> 4. If you get any of these messages , then your browser is not vulnerable to XSS attacks.

How to check the status of alarm implementation?

1. Login to Spring Cloud using SSH and run the following command:
2. Check the “ALARM IMPLEMENTATION STATUS” in the output of this command.

Status of Upgrading Alarm Implementation

If you are interested in learning more about this, please read the following articles:

Timeline

Published on: 11/23/2022 09:15:00 UTC
Last modified on: 11/26/2022 03:38:00 UTC

References

• https://lists.apache.org/thread/2f126y32bf1v3mvxkdgt2jr5j3l1t01w
• http://www.openwall.com/lists/oss-security/2022/11/23/1
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45462