Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2022-7288-01

Red Hat Security Advisory 2022-7288-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full strength general purpose cryptography library. Issues addressed include a buffer overflow vulnerability.

Packet Storm
#vulnerability#linux#red_hat#js#php#perl#buffer_overflow#ssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: openssl security update
Advisory ID: RHSA-2022:7288-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:7288
Issue date: 2022-11-01
CVE Names: CVE-2022-3602 CVE-2022-3786
====================================================================

  1. Summary:

An update for openssl is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64

  1. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols, as well as a full strength
general purpose cryptography library.

Security Fix(es):

  • OpenSSL: X.509 Email Address Buffer Overflow (CVE-2022-3602)

  • OpenSSL: X.509 Email Address Variable Length Buffer Overflow
    (CVE-2022-3786)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

  1. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted.

  1. Bugs fixed (https://bugzilla.redhat.com/):

2137723 - CVE-2022-3602 OpenSSL: X.509 Email Address Buffer Overflow
2139104 - CVE-2022-3786 OpenSSL: X.509 Email Address Variable Length Buffer Overflow

  1. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:
openssl-debuginfo-3.0.1-43.el9_0.aarch64.rpm
openssl-debugsource-3.0.1-43.el9_0.aarch64.rpm
openssl-devel-3.0.1-43.el9_0.aarch64.rpm
openssl-libs-debuginfo-3.0.1-43.el9_0.aarch64.rpm
openssl-perl-3.0.1-43.el9_0.aarch64.rpm

ppc64le:
openssl-debuginfo-3.0.1-43.el9_0.ppc64le.rpm
openssl-debugsource-3.0.1-43.el9_0.ppc64le.rpm
openssl-devel-3.0.1-43.el9_0.ppc64le.rpm
openssl-libs-debuginfo-3.0.1-43.el9_0.ppc64le.rpm
openssl-perl-3.0.1-43.el9_0.ppc64le.rpm

s390x:
openssl-debuginfo-3.0.1-43.el9_0.s390x.rpm
openssl-debugsource-3.0.1-43.el9_0.s390x.rpm
openssl-devel-3.0.1-43.el9_0.s390x.rpm
openssl-libs-debuginfo-3.0.1-43.el9_0.s390x.rpm
openssl-perl-3.0.1-43.el9_0.s390x.rpm

x86_64:
openssl-debuginfo-3.0.1-43.el9_0.i686.rpm
openssl-debuginfo-3.0.1-43.el9_0.x86_64.rpm
openssl-debugsource-3.0.1-43.el9_0.i686.rpm
openssl-debugsource-3.0.1-43.el9_0.x86_64.rpm
openssl-devel-3.0.1-43.el9_0.i686.rpm
openssl-devel-3.0.1-43.el9_0.x86_64.rpm
openssl-libs-debuginfo-3.0.1-43.el9_0.i686.rpm
openssl-libs-debuginfo-3.0.1-43.el9_0.x86_64.rpm
openssl-perl-3.0.1-43.el9_0.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:
openssl-3.0.1-43.el9_0.src.rpm

aarch64:
openssl-3.0.1-43.el9_0.aarch64.rpm
openssl-debuginfo-3.0.1-43.el9_0.aarch64.rpm
openssl-debugsource-3.0.1-43.el9_0.aarch64.rpm
openssl-libs-3.0.1-43.el9_0.aarch64.rpm
openssl-libs-debuginfo-3.0.1-43.el9_0.aarch64.rpm

ppc64le:
openssl-3.0.1-43.el9_0.ppc64le.rpm
openssl-debuginfo-3.0.1-43.el9_0.ppc64le.rpm
openssl-debugsource-3.0.1-43.el9_0.ppc64le.rpm
openssl-libs-3.0.1-43.el9_0.ppc64le.rpm
openssl-libs-debuginfo-3.0.1-43.el9_0.ppc64le.rpm

s390x:
openssl-3.0.1-43.el9_0.s390x.rpm
openssl-debuginfo-3.0.1-43.el9_0.s390x.rpm
openssl-debugsource-3.0.1-43.el9_0.s390x.rpm
openssl-libs-3.0.1-43.el9_0.s390x.rpm
openssl-libs-debuginfo-3.0.1-43.el9_0.s390x.rpm

x86_64:
openssl-3.0.1-43.el9_0.x86_64.rpm
openssl-debuginfo-3.0.1-43.el9_0.i686.rpm
openssl-debuginfo-3.0.1-43.el9_0.x86_64.rpm
openssl-debugsource-3.0.1-43.el9_0.i686.rpm
openssl-debugsource-3.0.1-43.el9_0.x86_64.rpm
openssl-libs-3.0.1-43.el9_0.i686.rpm
openssl-libs-3.0.1-43.el9_0.x86_64.rpm
openssl-libs-debuginfo-3.0.1-43.el9_0.i686.rpm
openssl-libs-debuginfo-3.0.1-43.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2022-3602
https://access.redhat.com/security/cve/CVE-2022-3786
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/RHSB-2022-004

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY2HAAtzjgjWX9erEAQhehw//duD77noGgos0Im/p1+bLe9WBnnZH217W
qYLyvRA1Bi2nvjH8vf7yht68BxcuTAuTNT1LMnQUSRsueG+iWlPf/YPZ035s77ml
TjNXKZdzEwDptMmqe7oFYrT5NsS1/9D9f7H59ypBnWso7a8t8g0kW+875oGcqevE
5PSAtbtgQLtgPSU9aYu3WoTvjqSdu9EO3yO9YN57WynafRbCZF/HD4rJgCMx5mYr
MqqDuWlrCp/Zh8T9GcqYQKTF+SqhB9CEEzpO/VE+VgmTayI28nnGvs9cWnd9FtQ/
9AWRqEmOQtDjOL33+G6IVtx/gkY9X+2gTd69hxDRr8PARsT9CazVkXaG1uYh7jaz
izYq9T33WIpqmGyER8S3abPx8crs4V8t8ieRDRV0bp/6xhAYGU6EN2UQpaj3oLwL
Mp99+1+ELogRQUlcNeSCIJpJSCrO/GKedEpWr/7RkFPUNT2dwrqd1jJyXQwI72YF
oFHJAmZd0yLrsCZB9hyT6RhuHDZjh9ELOSmdZEHHY5SgGoS6OWmEr1vetD633HPB
xFpgIzQ7Z+1ILX0hpzb+gvnc5aq3rSDWDk8Hx0CgXMQie+WC78HL66bnrDuM244R
ikqBEWE2WkP1iXxMQc4PcDTOoe1l0bmoe+/JRxTlEn9AGZzeYD6pakHPDPhPYWin
x1K3qU347A8=oamc
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

CVE-2023-30967: Palantir | Trust and Security Portal

Gotham Orbital-Simulator service prior to 0.692.0 was found to be vulnerable to a Path traversal issue allowing an unauthenticated user to read arbitrary files on the file system.

CVE-2023-30961: Palantir | Trust and Security Portal

Palantir Gotham was found to be vulnerable to a bug where under certain circumstances, the frontend could have applied an incorrect classification to a newly created property or link.

CVE-2023-30962: Palantir | Trust and Security Portal

The Gotham Cerberus service was found to have a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker with access to Gotham to launch attacks against other users. This vulnerability is resolved in Cerberus 100.230704.0-27-g031dd58 .

CVE-2023-30950: Palantir | Trust and Security Portal

The foundry campaigns service was found to be vulnerable to an unauthenticated information disclosure in a rest endpoint

CVE-2023-30958: Palantir | Trust and Security Portal

A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.225.0.

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

CVE-2023-30960: Palantir | Trust and Security Portal

A security defect was discovered in Foundry job-tracker that enabled users to query metadata related to builds on resources they did not have access to. This defect was resolved with the release of job-tracker 4.645.0. The service was rolled out to all affected Foundry instances. No further intervention is required.

CVE-2023-22835: Palantir | Trust and Security Portal

A security defect was identified that enabled a user of Foundry Issues to perform a Denial of Service attack by submitting malformed data in an Issue that caused loss of frontend functionality to all issue participants. This defect was resolved with the release of Foundry Issues 2.510.0 and Foundry Frontend 6.228.0.

CVE-2023-30955: Palantir | Trust and Security Portal

A security defect was identified in Foundry workspace-server that enabled a user to bypass an authorization check and view settings related to 'Developer Mode'. This enabled users with insufficient privilege the ability to view and interact with Developer Mode settings in a limited capacity. A fix was deployed with workspace-server 7.7.0.

CVE-2023-30945: Palantir | Trust and Security Portal

Multiple Services such as VHS(Video History Server) and VCD(Video Clip Distributor) and Clips2 were discovered to be vulnerable to an unauthenticated arbitrary file read/write vulnerability due to missing input validation on filenames. A malicious attacker could read sensitive files from the filesystem or write/delete arbitrary files on the filesystem as well.

CVE-2023-2904: Security Center | HID Global

The External Visitor Manager portal of HID’s SAFE versions 5.8.0 through 5.11.3 are vulnerable to manipulation within web fields in the application programmable interface (API). An attacker could log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API to access the personal data of other users. There is no limit on the number of requests that can be made to the HID SAFE Web Server, so an attacker could also exploit this vulnerability to create a denial-of-service condition.

CVE-2023-30948: Palantir | Trust and Security Portal

A security defect in Foundry's Comments functionality resulted in the retrieval of attachments to comments not being gated by additional authorization checks. This could enable an authenticated user to inject a prior discovered attachment UUID into other arbitrary comments to discover it's content. This defect was fixed in Foundry Comments 2.249.0, and a patch was rolled out to affected Foundry environments. No further intervention is required at this time.

RHSA-2023:0786: Red Hat Security Advisory: Network observability 1.1.0 security update

Network observability 1.1.0 release for OpenShift Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-0813: A flaw was found in the Network Observability plugin for OpenShift console. Unless the Loki authToken configuration is set to FORWARD mode, authentication is no longer enforced, allowing any user who can connect to the OpenShift Console in an OpenShift cluster to retrieve flows without authentication.

CVE-2022-45589: Talend Security

SQL Injection vulnerability in Talend ESB Runtime 7.3.1-R2022-09-RT thru 8.0.1-R2022-10-RT when using the provisioning service.

CVE-2022-34457: DSA-2022-297: Dell Command | Configure Security Update for Multiple Vulnerabilities

Dell command configuration, version 4.8 and prior, contains improper folder permission when installed not to default path but to non-secured path which leads to privilege escalation. This is critical severity vulnerability as it allows non-admin to modify the files inside installed directory and able to make application unavailable for all users.

Threat Source newsletter (Nov. 3, 2022): Mastadon, evolution, and LiveJournal oh my!

Welcome to this week’s edition of the Threat Source newsletter. I’m fascinated by how things live and die on the internet. Things that are ubiquitous to our daily lives are simply gone the next. LiveJournal and Myspace we hardly knew you. Elon Musk’s purchase

Red Hat Security Advisory 2022-7384-01

Red Hat Security Advisory 2022-7384-01 - The ubi9/openssl image provides provides an openssl command-line tool for using the various functions of the OpenSSL crypto library. Issues addressed include a buffer overflow vulnerability.

Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602)

Summary   Microsoft is aware and actively addressing the impact associated with the recent OpenSSL vulnerabilities announced on October 25th 2022, fixed in version 3.0.7. As part of our standard processes, we are rolling out fixes for impacted services.  Any customer action that is required will be highlighted in this blog and our associated Security Update … Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602) Read More »

Gentoo Linux Security Advisory 202211-01

Gentoo Linux Security Advisory 202211-1 - Multiple vulnerabilities have been discovered in OpenSSL, the worst of which could result in remote code execution. Versions less than 3.0.7:0/3 are affected.

Gentoo Linux Security Advisory 202211-01

Gentoo Linux Security Advisory 202211-1 - Multiple vulnerabilities have been discovered in OpenSSL, the worst of which could result in remote code execution. Versions less than 3.0.7:0/3 are affected.

OpenSSL Released Patch for High-Severity Vulnerability Detected Last Week

By Deeba Ahmed The OpenSSL vulnerability was first categorized as critical and later as a high-severity buffer overflow bug that impacted all OpenSSL 3.x installations. This is a post from HackRead.com Read the original post: OpenSSL Released Patch for High-Severity Vulnerability Detected Last Week

OpenSSL Released Patch for High-Severity Vulnerability Detected Last Week

By Deeba Ahmed The OpenSSL vulnerability was first categorized as critical and later as a high-severity buffer overflow bug that impacted all OpenSSL 3.x installations. This is a post from HackRead.com Read the original post: OpenSSL Released Patch for High-Severity Vulnerability Detected Last Week

CVE-2022-3786: OpenSSL: CVE-2022-3786 X.509 certificate verification buffer overrun

**Why is this OpenSSL Software Foundation CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by the Microsoft products listed in the Security Updates table and are known to be affected. It is being documented in the Security Update Guide to announce that the latest builds of these products are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

CVE-2022-3602: OpenSSL: CVE-2022-3602 X.509 certificate verification buffer overrun

**Why is this OpenSSL Software Foundation CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by the Microsoft products listed in the Security Updates table and are known to be affected. It is being documented in the Security Update Guide to announce that the latest builds of these products are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

The Sky Is Not Falling: Disclosed OpenSSL Bugs Are Serious but Not Critical

Organizations should update to the latest encryption (version 3.0.7) as soon as possible, but there's no need for Heartbleed-like panic, security experts say.

The Sky Is Not Falling: Disclosed OpenSSL Bugs Are Serious but Not Critical

Organizations should update to the latest encryption (version 3.0.7) as soon as possible, but there's no need for Heartbleed-like panic, security experts say.

Threat Advisory: High Severity OpenSSL Vulnerabilities

In late October two new buffer overflow vulnerabilities, CVE-2022-3602 and CVE-2022-3786, were announced in OpenSSL versions 3.0.0 to 3.0.6. These vulnerabilities can be exploited by sending an X.509 certificate with a specially crafted email address, potentially causing a buffer overflow resulting in a crash or

Threat Advisory: High Severity OpenSSL Vulnerabilities

In late October two new buffer overflow vulnerabilities, CVE-2022-3602 and CVE-2022-3786, were announced in OpenSSL versions 3.0.0 to 3.0.6. These vulnerabilities can be exploited by sending an X.509 certificate with a specially crafted email address, potentially causing a buffer overflow resulting in a crash or

RHSA-2022:7288: Red Hat Security Advisory: openssl security update

An update for openssl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3602: OpenSSL: X.509 Email Address Buffer Overflow * CVE-2022-3786: OpenSSL: X.509 Email Address Variable Length Buffer Overflow

RHSA-2022:7288: Red Hat Security Advisory: openssl security update

An update for openssl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3602: OpenSSL: X.509 Email Address Buffer Overflow * CVE-2022-3786: OpenSSL: X.509 Email Address Variable Length Buffer Overflow

Ubuntu Security Notice USN-5710-1

Ubuntu Security Notice 5710-1 - It was discovered that OpenSSL incorrectly handled certain X.509 Email Addresses. If a certificate authority were tricked into signing a specially-crafted certificate, a remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. The default compiler options for affected releases reduce the vulnerability to a denial of service. It was discovered that OpenSSL incorrectly handled applications creating custom ciphers via the legacy EVP_CIPHER_meth_new function. This issue could cause certain applications that mishandled values to the function to possibly end up with a NULL cipher and messages in plaintext.

Ubuntu Security Notice USN-5710-1

Ubuntu Security Notice 5710-1 - It was discovered that OpenSSL incorrectly handled certain X.509 Email Addresses. If a certificate authority were tricked into signing a specially-crafted certificate, a remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. The default compiler options for affected releases reduce the vulnerability to a denial of service. It was discovered that OpenSSL incorrectly handled applications creating custom ciphers via the legacy EVP_CIPHER_meth_new function. This issue could cause certain applications that mishandled values to the function to possibly end up with a NULL cipher and messages in plaintext.

CVE-2022-3602

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to up...

CVE-2022-3602

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to up...

GHSA-8rwr-x37p-mx23: X.509 Email Address 4-byte Buffer Overflow

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Many platforms implement stack overflow protections which would mitigate against the risk of remote code execution. The risk may be further mitigated based on stack layout for any given platform/compiler. Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis based on some of the mitigating factors described above have led this to be downgraded to HIGH. Users are still encouraged to ...

GHSA-h8jm-2x53-xhp5: X.509 Email Address Variable Length Buffer Overflow

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.` character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service (DoS) and remote code execution. The issues, tracked as CVE-2022-3602 and CVE-2022-3786, have been described as buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially-crafted email

OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities

The OpenSSL project has rolled out fixes to contain two high-severity flaws in its widely used cryptography library that could result in a denial-of-service (DoS) and remote code execution. The issues, tracked as CVE-2022-3602 and CVE-2022-3786, have been described as buffer overrun vulnerabilities that can be triggered during X.509 certificate verification by supplying a specially-crafted email

CVE-2017-5711: Security Center

Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution