We hope that with every sharing, the threshold for technology will be lowered and implementation will be easier. — around
Background
The author's company has 8 cloud servers and 2 local physical servers, all of them connected to the Internet. The security protection for the cloud servers has expired and the company does not want to renew it, so a series of software protections has been added to the code instead. However, vulnerabilities keep appearing, and no one can guarantee that the servers will always be safe, so this article will continue to be updated with newly found vulnerabilities and the commands to fix them.
Environment parameters
- Operating system: Centos 7.6, Centos 7.9
- Running environment: Java, Node, Python, Postgresql…
If you have the same situation, you can refer to the following content to fix it.
Vulnerability list (reverse chronological order)
2023-11-3
Linux kernel buffer error vulnerability (CVE-2023-35788)
- Software: kernel-headers, version: 3.10.0-1160.83.1.el7
Repair command:
sudo yum update kernel-headers
libssh2 buffer error vulnerability (CVE-2020-22218)
- Software: libssh2, version: 1.8.0-4.el7
Repair command:
sudo yum update libssh2
2023-10-27
ISC BIND security vulnerability (CVE-2023-2828)
- Software: bind-libs-lite, version: 32:9.11.4-26.P2.el7_9.13
- Software: bind-utils, version: 32:9.11.4-26.P2.el7_9.13
- Software: bind-export-libs, version: 32:9.11.4-26.P2.el7_9.13
- Software: bind-license, version: 32:9.11.4-26.P2.el7_9.13
- Software: bind-libs, version: 32:9.11.4-26.P2.el7_9.13
Repair command:
sudo yum update bind-libs-lite
sudo yum update bind-utils
sudo yum update bind-export-libs
sudo yum update bind-license
sudo yum update bind-libs
Linux kernel resource management error vulnerability (CVE-2023-3609, CVE-2023-35001)
- Software: kernel-tools, version: 3.10.0-1160.99.1.el7
- Software: kernel-devel, version: 3.10.0-1160.99.1.el7 | 3.10.0-1160.71.1.el7 | 3.10.0-1160.83.1.el7
- Software: kernel-tools-libs, version: 3.10.0-1160.99.1.el7
- Software: bpftool, version: 3.10.0-1160.99.1.el7
- Software: python-perf, version: 3.10.0-1160.99.1.el7
- Software: kernel, version: 3.10.0-1160.99.1.el7 | 3.10.0-1160.83.1.el7 | 3.10.0-1160.71.1.el7
Repair command:
sudo yum update kernel-tools
sudo yum update kernel-devel
sudo yum update kernel-tools-libs
sudo yum update bpftool
sudo yum update python-perf
sudo yum update kernel
Python urllib.parse security feature bypass vulnerability (CVE-2023-24329)
- Software: python-libs, version: 2.7.5-92.el7_9
- Software: python, version: 2.7.5-92.el7_9
- Software: python3-libs, version: 3.6.8-18.el7
- Software: python-devel, version: 2.7.5-92.el7_9
- Software: python3, version: 3.6.8-18.el7
Repair command:
sudo yum update python-libs
sudo yum update python
sudo yum update python3-libs
sudo yum update python-devel
sudo yum update python3
grub2 security vulnerabilities (CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27779, CVE-2021-20233)
- Software: grub2-pc, version: 1:2.02-0.87.0.2.el7.centos.11
- Software: grub2, version: 1:2.02-0.87.0.2.el7.centos.11
- Software: grub2-common, version: 1:2.02-0.87.0.2.el7.centos.11
- Software: grub2-pc-modules, version: 1:2.02-0.87.0.2.el7.centos.11
- Software: grub2-tools, version: 1:2.02-0.87.0.2.el7.centos.11
- Software: grub2-tools-extra, version: 1:2.02-0.87.0.2.el7.centos.11
- Software: grub2-tools-minimal, version: 1:2.02-0.87.0.2.el7.centos.11
Repair command:
sudo yum update grub2-pc
sudo yum update grub2
sudo yum update grub2-common
sudo yum update grub2-pc-modules
sudo yum update grub2-tools
sudo yum update grub2-tools-extra
sudo yum update grub2-tools-minimal
OpenSSH code issue vulnerability (CVE-2023-38408)
- Software: openssh-clients, version: 7.4p1-22.el7_9
- Software: openssh-server, version: 7.4p1-22.el7_9
- Software: openssh, version: 7.4p1-22.el7_9
Repair command:
sudo yum update openssh-clients
sudo yum update openssh-server
sudo yum update openssh
History
Linux kernel denial of service vulnerability (CVE-2022-4378, CVE-2022-42703)
- Software: python-perf, version: 3.10.0-1160.83.1.el7
Repair command:
sudo yum update python-perf
FasterXML jackson-databind code issue vulnerability (CVE-2022-42003)
Affected JAR: jackson-databind-2.11.4.jar
It is recommended that affected customers upgrade to secure version 2.14.0-rc2 or above. The link to obtain the version is: https://github.com/FasterXML/jackson-databind
The FasterXML jackson-databind version that Ehcache 2. https://www.ehcache.org/downloads/
FastJson code execution vulnerability (CVE-2022-25845)
Affected JAR: fastjson-1.2.47.jar
Currently, the manufacturer has released an upgrade patch to fix the vulnerability. The link to obtain the patch is: https://github.com/alibaba/fastjson/wiki/security_update_20220523
Spring Security RegexRequestMatcher Authentication Bypass Vulnerability (CVE-2022-22978)
Affected JAR: spring-security-web-5.4.6.jar
Currently, the manufacturer has released an upgrade patch to fix the vulnerability. The link to obtain the patch is: https://github.com/spring-projects/spring-security/releases
- Users of version 5.4.x are recommended to upgrade to 5.4.11 or above.
- Users of version 5.5.x are recommended to upgrade to 5.5.7 or above.
- Users of version 5.6.x are recommended to upgrade to 5.6.4 or above.
Jackson-databind Denial of Service Vulnerability (CVE-2021-46877)
Affected JAR: jackson-databind-2.11.4.jar
- Users of versions 2.12 and earlier are recommended to upgrade the component com.fasterxml.jackson.core:jackson-databind to version 2.12.6 or above.
- Users of 2.13.x are recommended to upgrade the component com.fasterxml.jackson.core:jackson-databind to version 2.13.1 or above.
Releases: https://github.com/FasterXML/jackson-databind/tags
Spring Framework Authentication Bypass Vulnerability (CVE-2023-20860)
Affected JARs: spring-webmvc-5.3.24.jar, spring-webmvc-5.3.6.jar, spring-webmvc-5.3.24.jar
The manufacturer has released a security patch version to fix the vulnerability. Reference link: https://spring.io/security/cve-2023-20860
- Spring Framework 5.3.x series users are recommended to upgrade Spring Framework to 5.3.26 or a later secure version to fix this vulnerability.
- Spring Framework 6.0.x series users are recommended to upgrade Spring Framework to 6.0.7 or a later secure version to fix this vulnerability.
FasterXML jackson-databind code vulnerability (CVE-2022-42004)
Affected JAR: jackson-databind-2.11.4.jar
Affected customers are advised to upgrade to the latest version. The link to obtain the latest version is: https://github.com/FasterXML/jackson-databind
The FasterXML jackson-databind version that Ehcache 2. https://www.ehcache.org/downloads/
Apache Commons Fileupload Denial of Service Vulnerability (CVE-2023-24998)
Affected JAR: commons-fileupload-1.4.jar:1.4
Affected users are recommended to upgrade Apache Commons FileUpload to version 1.5 or higher. Reference link: https://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi
Mozilla Firefox security vulnerability (CVE-2023-0767)
- Software: nss, version: 3.67.0-4.el7_9
- Software: nss-tools, version: 3.67.0-4.el7_9
- Software: nss-sysinit, version: 3.67.0-4.el7_9
Repair command:
sudo yum update nss
sudo yum update nss-tools
sudo yum update nss-sysinit
MIT Kerberos input validation error vulnerability (CVE-2022-42898)
- Software: libkadm5, version: 1.15.1-51.el7_9
- Software: krb5-libs, version: 1.15.1-51.el7_9
- Software: krb5-devel, version: 1.15.1-51.el7_9
Repair command:
sudo yum update libkadm5
sudo yum update krb5-libs
sudo yum update krb5-devel
ISC BIND security vulnerability (CVE-2022-38177)
- Software: bind-libs-lite, version: 32:9.11.4-26.P2.el7_9.9
- Software: bind-license, version: 32:9.11.4-26.P2.el7_9.9
- Software: bind-utils, version: 32:9.11.4-26.P2.el7_9.9
- Software: bind-export-libs, version: 32:9.11.4-26.P2.el7_9.9
- Software: bind-libs, version: 32:9.11.4-26.P2.el7_9.9
Repair command:
sudo yum update bind-libs-lite
sudo yum update bind-license
sudo yum update bind-utils
sudo yum update bind-export-libs
sudo yum update bind-libs
device-mapper-multipath security vulnerability (CVE-2022-41974)
- Software: kpartx, version: 0.4.9-135.el7_9
Repair command:
sudo yum update kpartx
OpenSSL Denial of Service Vulnerability (CVE-2023-0286)
- Software: openssl, version: 1:1.0.2k-25.el7_9
- Software: openssl-libs, version: 1:1.0.2k-25.el7_9
- Software: openssl-devel, version: 1:1.0.2k-25.el7_9
Repair command:
sudo yum update openssl
sudo yum update openssl-libs
sudo yum update openssl-devel
Linux kernel resource management error vulnerability (CVE-2022-32250, CVE-2022-2964, CVE-2022-4378)
- Software: bpftool, version: 3.10.0-1160.66.1.el7
- Software: kernel-devel, version: 3.10.0-1160.62.1.el7 | 3.10.0-1160.66.1.el7
- Software: kernel-tools, version: 3.10.0-1160.66.1.el7
- Software: python-perf, version: 3.10.0-1160.66.1.el7
- Software: kernel-tools-libs, version: 3.10.0-1160.66.1.el7
Repair command:
sudo yum update bpftool
sudo yum update kernel-devel
sudo yum update kernel-tools
sudo yum update python-perf
sudo yum update kernel-tools-libs
Sudo security feature bypass vulnerability (CVE-2023-22809)
- Software: sudo, version: 1.8.23-10.el7_9.2
Repair command:
sudo yum update sudo
SSSD injection vulnerability (CVE-2022-4254)
- Software: sssd-client, version: 1.16.5-10.el7_9.12
- Software: libsss_nss_idmap, version: 1.16.5-10.el7_9.12
- Software: libsss_idmap, version: 1.16.5-10.el7_9.12
Repair command:
sudo yum update sssd-client
sudo yum update libsss_nss_idmap
sudo yum update libsss_idmap
grub2 Numeric Error Vulnerability (CVE-2022-28733)
- Software: grub2-pc, version: 1:2.02-0.87.0.1.el7.centos.9
- Software: grub2-tools-minimal, version: 1:2.02-0.87.0.1.el7.centos.9
- Software: grub2-tools-extra, version: 1:2.02-0.87.0.1.el7.centos.9
- Software: grub2-tools, version: 1:2.02-0.87.0.1.el7.centos.9
- Software: grub2-common, version: 1:2.02-0.87.0.1.el7.centos.9
- Software: grub2-pc-modules, version: 1:2.02-0.87.0.1.el7.centos.9
- Software: grub2, version: 1:2.02-0.87.0.1.el7.centos.9
Repair command:
sudo yum update grub2-pc
sudo yum update grub2-tools-minimal
sudo yum update grub2-tools-extra
sudo yum update grub2-tools
sudo yum update grub2-common
sudo yum update grub2-pc-modules
sudo yum update grub2
zlib Security Vulnerability (CVE-2022-37434)
- Software: zlib, version: 1.2.7-20.el7_9
- Software: zlib-devel, version: 1.2.7-20.el7_9
Repair command:
sudo yum update zlib
sudo yum update zlib-devel
Systemd use-after-free vulnerability (CVE-2022-2526)
- Software: systemd-libs, version: 219-78.el7_9.5
- Software: systemd, version: 219-78.el7_9.5
- Software: systemd-python, version: 219-78.el7_9.5
- Software: systemd-sysv, version: 219-78.el7_9.5
- Software: systemd-devel, version: 219-78.el7_9.5
Repair command:
sudo yum update systemd-libs
sudo yum update systemd
sudo yum update systemd-python
sudo yum update systemd-sysv
sudo yum update systemd-devel
libexpat code execution vulnerability (CVE-2022-40674)
- Software: expat, version: 2.1.0-14.el7_9
Repair command:
sudo yum update expat
ISC BIND security vulnerability (CVE-2022-38178)
- Software: bind-export-libs, version: 32:9.11.4-26.P2.el7_9.9
- Software: bind-libs, version: 32:9.11.4-26.P2.el7_9.9
- Software: bind-libs-lite, version: 32:9.11.4-26.P2.el7_9.9
- Software: bind-license, version: 32:9.11.4-26.P2.el7_9.9
- Software: bind-utils, version: 32:9.11.4-26.P2.el7_9.9
Repair command:
sudo yum update bind-export-libs
sudo yum update bind-libs
sudo yum update bind-libs-lite
sudo yum update bind-license
sudo yum update bind-utils
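After running the repair commands above, a useful follow-up is to confirm that each server has actually moved past the listed vulnerable version. The Python 3 check below is an added example, not the author's script: it queries rpm for the installed epoch:version-release and compares it with the versions listed on this page using rpm's segment-wise ordering rather than a string compare, so that a release such as el7_9.13 is correctly treated as newer than el7_9.9. The VULNERABLE table (a subset of the page's packages) and the simplified rpmvercmp are my own construction, and tilde/caret ordering is assumed not to be needed for these el7 packages.

```python
import re
import subprocess
# Package -> epoch:version-release copied from the vulnerability list above. The scanner
# reports the installed (vulnerable) EVR, so anything at or below it is still unpatched.
VULNERABLE = {
    "kernel-headers": "3.10.0-1160.83.1.el7",   # CVE-2023-35788
    "libssh2": "1.8.0-4.el7",                   # CVE-2020-22218
    "bind-libs": "32:9.11.4-26.P2.el7_9.13",    # CVE-2023-2828
    "sudo": "1.8.23-10.el7_9.2",                # CVE-2023-22809
}

def split_evr(evr):
    """'32:9.11.4-26.P2.el7_9.13' -> ('32', '9.11.4', '26.P2.el7_9.13'); epoch defaults to '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release

def _cmp_part(a, b):
    # Simplified rpmvercmp: digit runs compare numerically (el7_9.13 > el7_9.9, unlike a string
    # compare), digits outrank letters, leftover segments mean newer; tilde/caret not handled.
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def cmp_evr(a, b):
    """-1, 0 or 1 for a < b, a == b, a > b on full epoch:version-release strings."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if int(ea) != int(eb):
        return (int(ea) > int(eb)) - (int(ea) < int(eb))
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def still_vulnerable(name, installed):
    """True when the installed EVR is not newer than the EVR listed on this page."""
    return name in VULNERABLE and cmp_evr(installed, VULNERABLE[name]) <= 0

def installed_evrs(name):
    """Ask rpm on a CentOS host for every installed EVR of a package (kernel may have several)."""
    out = subprocess.run(["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", name],
                         capture_output=True, text=True)
    return [] if out.returncode else [l.replace("(none):", "") for l in out.stdout.splitlines()]
```

On a real host, loop over VULNERABLE and call still_vulnerable(name, evr) for each value returned by installed_evrs(name); a True result means the yum update for that package has not taken effect yet.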