CISA Adds CVE-2022-28810, CVE-2022-33891 and CVE-2022-35914 to the Known Exploited Vulnerabilities Catalog

Description

FortiGuard Labs is aware that the Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2022-28810 (Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability), CVE-2022-33891 (Apache Spark Command Injection Vulnerability) and CVE-2022-35914 (Teclib GLPI Remote Code Execution Vulnerability) to their Known Exploited Vulnerabilities catalog on March 7, 2023. The catalog lists vulnerabilities that are being actively exploited in the wild.


Why is this Significant?

This is significant because CVE-2022-28810 (Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability), CVE-2022-33891 (Apache Spark Command Injection Vulnerability) and CVE-2022-35914 (Teclib GLPI Remote Code Execution Vulnerability) are listed in CISA's Known Exploited Vulnerabilities Catalog, which means they are being actively exploited in the wild. As such, patches for these vulnerabilities should be applied as soon as possible.


What is CVE-2022-28810?

CVE-2022-28810 is a Remote Code Execution (RCE) vulnerability in Zoho ManageEngine ADSelfService Plus. A remote attacker may be able to exploit it with a malicious HTTP request to execute arbitrary code within the context of the application.


The vulnerability is rated "high" by Zoho and affects builds 6121 and below.


What is CVE-2022-33891?

CVE-2022-33891 is a Command Injection Vulnerability in Apache Software Foundation Spark. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation of this vulnerability can result in the execution of arbitrary commands in the security context of the user running the vulnerable server.


The vulnerability is rated "important" by Apache and affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.


What is CVE-2022-35914?

CVE-2022-35914 is a code injection vulnerability in GLPI-Project GLPI. The vulnerability is due to improper validation of user configuration data sent to the endpoint htmLawedTest.php. A remote unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could result in arbitrary code execution in the security context of the web server process.


Have the Vendors Released a Patch for CVE-2022-28810, CVE-2022-33891 and CVE-2022-35914?

Yes. Patches for CVE-2022-28810, CVE-2022-33891 and CVE-2022-35914 are available.
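To find installations that still need those patches, the following added example (not FortiGuard or vendor code) checks an asset inventory against the affected versions stated on this page: ADSelfService Plus builds 6121 and below, the three Apache Spark ranges, and GLPI through 10.0.2. The product keys, the inventory row format and the sample hosts are assumptions made for illustration.

```python
import re

# Affected ranges as stated on this page, inclusive; a low bound of None means
# "this version and everything earlier". Product keys are assumed inventory labels.
AFFECTED = {
    "adselfservice-plus": ("CVE-2022-28810", [(None, (6121,))]),  # build number
    "apache-spark": ("CVE-2022-33891", [(None, (3, 0, 3)), ((3, 1, 1), (3, 1, 2)),
                                        ((3, 2, 0), (3, 2, 1))]),
    "glpi": ("CVE-2022-35914", [(None, (10, 0, 2))]),
}

def parse_version(text):
    """Turn '3.1.2', '3.2.1-SNAPSHOT' or '6121' into a tuple of ints."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))

def _pad(version, width):  # right-pad with zeros so '3.0' compares as 3.0.0
    return version + (0,) * (width - len(version))

def affected_cve(product, version):
    """Return the CVE id if the version is in a listed range, else None."""
    cve, ranges = AFFECTED.get(product, (None, []))
    parsed = parse_version(version)
    for low, high in ranges:
        width = max(len(parsed), len(high))
        v, hi = _pad(parsed, width), _pad(high, width)
        if v <= hi and (low is None or _pad(low, width) <= v):
            return cve
    return None

def triage(inventory):
    """inventory: (host, product, version) rows; returns rows still needing a patch."""
    return [(host, product, version, cve)
            for host, product, version in inventory
            if (cve := affected_cve(product, version))]

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE = [
    ("idm-01", "adselfservice-plus", "6121"),
    ("spark-a", "apache-spark", "3.1.2"),
    ("spark-b", "apache-spark", "3.3.0"),
    ("helpdesk", "glpi", "10.0.2"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

A version outside these ranges only means it is not listed as affected here; confirm the fixed release against the vendor advisory before closing a finding.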


What is the Status of Protection?

FortiGuard Labs has the following IPS protection in place for CVE-2022-28810, CVE-2022-33891 and CVE-2022-35914:

  • Zoho.ManageEngine.ADSelfService.Plus.Custom.Script.Execution (CVE-2022-28810)
  • Apache.Spark.getUnixGroups.Command.Injection (CVE-2022-33891)
  • GLPI-Project.GLPI.htmLawedTest.php.Code.Injection (CVE-2022-35914)

Outbreak Alert

A vulnerability is observed in the 3rd-party HTMLAWED module for GLPI through 10.0.2 which allows PHP code injection.
