Chasing Vulnerabilities
There is a gap between Security Team, Sysadmin Team, Database Admin Team & Developer Team.
For whatever reason, dba's and dev's can be a bit obtuse in their practices and setup.
In addition, computer languages like Java, Python, VS Code, etc are just directories with files and can be moved to a custom location or in multiple locations and/or installed along side of another package as a dependency.
This leaves their systems in complete disarray with outdated versions and vulnerabilities with possible various locations.
Microsoft Defender for Cloud does a good job at listing vulnerabilities.
Below are the vulnerabilities I've come across recently with dba's and dev's and Microsoft Defender for Cloud.
LOG4J
Google created and released a scanner:
wget https://github.com/google/log4jscanner/releases/download/v0.5.0/log4jscanner-v0.5.0-windows-amd64.zip -outfile log4jscanner-v0.5.0-windows-amd64.zip
Expand-Archive .\log4jscanner-v0.5.0-windows-amd64.zip
.\log4jscanner.exe -v c:\
.\log4jscanner.exe -v -w c:\path\to\file
The first command finds the bad JAR file and the second line fixes the base JAR file.
Or:
gci 'c:' -rec -force -include *.jar -ea 0 |%{select-string "JndiLookup.class" $_} |select -exp Path
Or manual remediate:
https://www.dell.com/support/kbdoc/en-rs/000194903/data-protection-advisor-dpa-manual-remediation-for-log4j-cve-2021-44228-cve-2021-45046-vulnerabilities-windows-commands-only
UPDATING VS CODE
By default, VS Code is installed as a USER SETUP under c:\Users\{Username}\AppData\Local\Programs\Microsoft VS Code
It should update itself automatically but when VS Code is running as Administrator, updates are disabled.
To update and work of the account, you can manually download the SYSTEM INSTALLER EXE for a SYSTEM SETUP. This will install on the system and override the USER-SETUP. This will fix for the account so when they run the shortcut should go the SYSTEM-INSTALL but will leave the existing install at the USER-INSTALL location of c:\Users\{Username}\AppData\Local\Programs\Microsoft VS Code
https://code.visualstudio.com/download
https://vscode.download.prss.microsoft.com/dbazure/download/stable/7d842fb85a0275a4a8e4d7e040d2625abbf7f084/VSCodeSetup-x64-1.105.1.exe
Or to update and work of the account, VS Code the package is in the MS winget repo. By default, it performs a USER-INSTALL but changing the scope will install as a SYSTEM-INSTALL. This will fix for the account so when they run the shortcut should go the SYSTEM-INSTALL but will leave the existing install at the USER-INSTALL location of c:\Users\{Username}\AppData\Local\Programs\Microsoft VS Code
winget install microsoft.visualstudiocode --scope machine
To update the USER-INSTALL, you can download the ZIP and extract/unzip to c:\Users\{Username}\AppData\Local\Programs\Microsoft VS Code:
cd c:\windows\SystemTemp\
wget https://code.visualstudio.com/sha/download?build=stable"&"os=win32-x64-archive -outfile VSCode-win32-x64-1.105.1.zip
Expand-Archive -force .\VSCode-win32-x64-1.105.1.zip "C:\Users\{Username}\AppData\Local\Programs\Microsoft VS Code"
OPENSSL (libcrypto-3-x64.dll & libssl-3-x64.dll)
C:\foo\externals\git\mingw64\bin\libcrypto-3-x64.dll
C:\foo\externals\git\mingw64\bin\libssl-3-x64.dll
C:\foo2\externals\git\mingw64\bin\libcrypto-3-x64.dll
C:\foo2\externals\git\mingw64\bin\libssl-3-x64.dll
Files coming from:
https://github.com/niXman/mingw-builds-binaries/releases
Newest version is openssl v3.6.0
https://github.com/openssl/openssl
The product team of mingw should update their product and release an update. But even on MS product teams, that can be delayed for months.
If that does not happen, you should be able to manually replace the openssl files as long as the MajorVersionNumber is the same (v3.x.x->v3.x.x will probably work while v1.x.x->v3.x.x will probably not work).
The OpenSSL project does not provide binaries or an installable package (exe, msi, etc). That is left to other companies. The project has a list on their wiki here:
https://github.com/openssl/openssl/wiki/Binaries
I find that most will use the ShiningLight which can be installed like this (light for most and dev for extended advanced capabilities):
winget install ShiningLight.OpenSSL.Light
winget install ShiningLight.OpenSSL.Dev
This will install into C:\Program Files\OpenSSL-Win64
You can see some details with the following:
openssl version -a
The files (libcrypto-3-x64.dll & libssl-3-x64.dll) can be copied to where needed:
cp C:\Program Files\OpenSSL-Win64\libcrypto-3-x64.dll c:\foo\externals\git\mingw64\bin\
cp C:\Program Files\OpenSSL-Win64\libssl-3-x64.dll c:\foo\externals\git\mingw64\bin\
NODE.JS
For some reason, winget isn't upgrading node.js. We can force it:
winget upgrade node.js --force
PYTHON
Ugh...
NOTES:
https://github.com/openssl/openssl
https://discuss.python.org/t/how-are-the-openssl-binaries-built-for-pythons-windows-x64-installers/6909
https://learn.microsoft.com/en-us/answers/questions/2279636/microsoft-defender-detected-that-the-libssl-3-dll