ÐÅÏ¢Çå¾²Öܱ¨-2020ÄêµÚ26ÖÜ

Ðû²¼Ê±¼ä 2020-06-29

> ±¾ÖÜÇ徲̬ÊÆ×ÛÊö


2020Äê06ÔÂ22ÈÕÖÁ06ÔÂ28ÈÕ¹²ÊÕ¼Çå¾²Îó²î56¸ö£¬£¬£¬ÖµµÃ¹Ø×¢µÄÊÇApache Dubbo hessianÔ¶³Ì´úÂëÖ´ÐÐÎó²î; ÓÃÓÑNC·´ÐòÁл¯Ô¶³Ì´úÂëÖ´ÐÐÎó²î£»£»£»£»Apache ShiroÉí·ÝÑéÖ¤ÈƹýÎó²î£»£»£»£»Apache Tomcat HTTP/2ÇëÇó¾Ü¾øЧÀÍÎó²î£»£»£»£»Atlassian JIRA Server and Data CenterЧÀÍÆ÷¶ËÄ£°å´úÂë×¢ÈëÎó²î¡£ ¡£¡£¡£


±¾ÖÜÖµµÃ¹Ø×¢µÄÍøÂçÇå¾²ÊÂÎñÊÇUnit 42Ðû²¼¶ñÒâÈí¼þAcidBoxµÄÆÊÎö±¨¸æ£»£»£»£»ÃÀ¹ú200¶à¸öµØ·½¾¯¾Ö24ÄêÊý¾Ýй¶£¬£¬£¬±»³ÆΪBlueLeaks£»£»£»£»Ä¦Âå¸çÕþ¸®»òÔÚʹÓÃNSO GroupµÄÌع¤Èí¼þ¼àÊӸùú¼ÇÕߣ»£»£»£»ºÚ¿ÍʹÓÃGoogle Analyticsƽ̨ÈƹýCSPÇÔÊØÐÅÓÿ¨ÐÅÏ¢£»£»£»£»DarkCrewFriends»Ø¹é£¬£¬£¬Ê¹ÓÃÄÚÈÝÖÎÀíϵͳ¹¹½¨½©Ê¬ÍøÂç¡£ ¡£¡£¡£


ƾ֤ÒÔÉÏ×ÛÊö£¬£¬£¬±¾ÖÜÇå¾²ÍþвΪÖС£ ¡£¡£¡£



>Ö÷ÒªÇå¾²Îó²îÁбí


1.Apache Dubbo hessianÔ¶³Ì´úÂëÖ´ÐÐÎó²î


Apache Dubbo hessian±£´æ·´ÐòÁл¯Îó²î£¬£¬£¬ÔÊÐíÔ¶³Ì¹¥»÷Õß¿ÉÒÔʹÓÃÎó²îÌá½»ÌØÊâµÄÇëÇ󣬣¬£¬¿ÉÒÔÓ¦ÓóÌÐòÉÏÏÂÎÄÖ´ÐÐí§Òâ´úÂë¡£ ¡£¡£¡£

https://github.com/apache/dubbo/releases/tag/dubbo-2.7.7


2. ÓÃÓÑNC·´ÐòÁл¯Ô¶³Ì´úÂëÖ´ÐÐÎó²î


ÓÃÓÑNC±£´æ·´ÐòÁл¯Îó²î£¬£¬£¬ÔÊÐíÔ¶³Ì¹¥»÷Õß¿ÉÒÔʹÓÃÎó²îÌá½»ÌØÊâµÄÇëÇ󣬣¬£¬¿ÉÒÔÓ¦ÓóÌÐòÉÏÏÂÎÄÖ´ÐÐí§Òâ´úÂë¡£ ¡£¡£¡£

https://www.yonyoucloud.com/


3. Apache ShiroÉí·ÝÑéÖ¤ÈƹýÎó²î


ʹÓÃSpring dynamic controllerµÄApache Shiro±£´æÇå¾²Îó²î£¬£¬£¬ÔÊÐíÔ¶³Ì¹¥»÷ÕßʹÓÃÎó²îÌá½»ÌØÊâµÄÇëÇ󣬣¬£¬¿ÉÈƹýÉí·ÝÑé֤δÊÚȨ»á¼û¡£ ¡£¡£¡£

https://access.redhat.com/security/cve/cve-2020-11989


4. Apache Tomcat HTTP/2ÇëÇó¾Ü¾øЧÀÍÎó²î


ApacheTomcat´¦Öóͷ£HTTP/2ÇëÇó±£´æÇå¾²Îó²î£¬£¬£¬ÔÊÐíÔ¶³Ì¹¥»÷ÕßʹÓÃÎó²îÌá½»ÌØÊâµÄÇëÇ󣬣¬£¬¿ÉʹЧÀͳÌÐòÍ߽⣬£¬£¬Ôì³É¾Ü¾øЧÀ͹¥»÷¡£ ¡£¡£¡£

https://lists.apache.org/thread.html/r5541ef6b6b68b49f76fc4c45695940116da2bcbe0312ef204a00a2e0%40%3Cannounce.tomcat.apache.org%3E


5. Atlassian JIRA Server and Data CenterЧÀÍÆ÷¶ËÄ£°å´úÂë×¢ÈëÎó²î


Atlassian JIRA Server and Data Center´¦Öóͷ£Ð§ÀÍÆ÷¶ËÄ£°å±£´æÇå¾²Îó²î£¬£¬£¬ÔÊÐíÔ¶³Ì¹¥»÷Õß¿ÉÒÔʹÓÃÎó²îÌá½»ÌØÊâµÄÇëÇ󣬣¬£¬¿É×¢Èëí§Òâ´úÂë²¢Ö´ÐС£ ¡£¡£¡£

https://jira.atlassian.com/browse/JRASERVER-70944



> Ö÷ÒªÇå¾²ÊÂÎñ×ÛÊö


1¡¢Unit 42Ðû²¼¶ñÒâÈí¼þAcidBoxµÄÆÊÎö±¨¸æ


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾


Ô­ÎÄÁ´½Ó£º

https://unit42.paloaltonetworks.com/acidbox-rare-malware/


2¡¢ÃÀ¹ú200¶à¸öµØ·½¾¯¾Ö24ÄêÊý¾Ýй¶£¬£¬£¬±»³ÆΪBlueLeaks


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾


Ô­ÎÄÁ´½Ó£º

https://www.bleepingcomputer.com/news/security/blueleaks-data-dump-exposes-over-24-years-of-police-records/


3¡¢Ä¦Âå¸çÕþ¸®»òÔÚʹÓÃNSO GroupµÄÌع¤Èí¼þ¼àÊӸùú¼ÇÕß


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾


Ô­ÎÄÁ´½Ó£º

https://www.cyberscoop.com/nso-group-spyware-amnesty-international-omar-radi-morocco/


4¡¢ºÚ¿ÍʹÓÃGoogle Analyticsƽ̨ÈƹýCSPÇÔÊØÐÅÓÿ¨ÐÅÏ¢


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾


Ô­ÎÄÁ´½Ó£º

https://www.bleepingcomputer.com/news/security/hackers-use-google-analytics-to-steal-credit-cards-bypass-csp/


5¡¢DarkCrewFriends»Ø¹é£¬£¬£¬Ê¹ÓÃÄÚÈÝÖÎÀíϵͳ¹¹½¨½©Ê¬ÍøÂç


¿­·¢¡¤k8(ÖйúÓÎ)¹Ù·½ÍøÕ¾


Ô­ÎÄÁ´½Ó£º

https://threatpost.com/darkcrewfriends-returns-botnet/156963/