The company is urging users running vulnerable versions to patch CVE-2024-5655 immediately, to avoid CI/CD malfeasance.

Source: Bill Crump via Alamy Stock Photo

A critical GitLab vulnerability could allow an attacker to run a pipeline as another user.

GitLab is a popular Git repository, second only to GitHub, with millions of active users. This week, it released new versions of its Community (open source) and Enterprise Editions.

The updates include fixes for 14 different security issues, including cross site request forgery (CSRF), cross site scripting (XSS), denial of service (DoS), and more. One of the issues is deemed of low severity according to the Common Vulnerability Scoring System (CVSS), nine are of medium severity, and three are high — but there's also one critical bug with a CVSS score of 9.6 out of 10.

**CVE-2024-5655 Offers Critical Threat to Code Development**

That critical one, CVE-2024-5655, affects GitLab versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, according to the company. It enables an attacker to trigger a pipeline as another user, but only under circumstances which GitLab did not elaborate on (nor did it provide any other information about the vulnerability).

A pipeline automates the process of building, testing, and deploying code in GitLab. Theoretically, an attacker with the ability to run pipelines as other users can access their private repositories, and manipulate, steal, or exfiltrate sensitive code and data contained therein.

Unlike with CVE-2023-7028 — a 10 out of 10 account takeover bug known to have been exploited earlier this Spring — GitLab has thus far found no evidence of CVE-2024-5655 exploits in the wild. Though, that could quickly change.

**A Compliance Issue, Not Just Security**

 Issues rooted deep in the development process like CVE-2024-5655 can sometimes cause headaches beyond the simple risk they pose on paper.

"In a worst-case scenario, this vulnerability doesn't even have to be exploited to cost companies money in lost revenue," says Jamie Boote, associate principal consultant at Synopsys Software Integrity Group. The mere fact that a software or software-driven product was built using a vulnerable version of GitLab could itself be cause for concern.

"Pipeline vulnerabilities like this can not only pose a security risk but a regulatory and compliance risk as well. As US companies are working towards compliance with the Self-Attestation Form requirements that they need to meet to sell software and products to the US Government, not addressing this vulnerability could lead to a compliance gap which could put sales and contracts at risk," he explains. In particular, he points to line item 1c in Section III of the US Department of Commerce's Secure Software Development Attestation Form Instructions, which requires "Enforcing multi-factor authentication and conditional access across the environments relevant to developing and building software in a manner that minimizes security risk."

"Compliance with item 1c is in jeopardy for companies who don't address this vulnerability as an exploit would allow attackers to bypass those conditional access controls that companies are relying on for compliance," he concludes.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Critical GitLab Bug Threatens Software Development Pipelines

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps.

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**Your Phone's 5G Connection Is Vulnerable to Bypass, DoS Attacks**

By Nate Nelson, Contributing Writer, Dark Reading

Wireless service providers prioritize uptime and lag time, occasionally at the cost of security, allowing attackers to take advantage, steal data, and worse.

At the upcoming Black Hat 2024 in Las Vegas, a team of seven Penn State University researchers will describe how hackers can go beyond sniffing your Internet traffic by literally providing your Internet connection to you (over 5G). From there, spying, phishing, and plenty more are all on the table.

The Penn State researchers have reported all the vulnerabilities they discovered to the respective 5G mobile vendors, which have all since deployed patches.

A more permanent solution, however, would have to begin with securing 5G authentication. As Hussain says, "If you want to ensure the authenticity of these broadcast messages, you need to use public key infrastructure (PKI). And deploying PKI is expensive — you need to update all of the cell towers. And there are some non-technical challenges. For example, who will be the root certificate authority of the public keys?"

Read more: Your Phone's 5G Connection Is Vulnerable to Bypass, DoS Attacks

Related: Black Hat USA 2024 Sessions Agenda

**Dark Reading Confidential: Meet the Ransomware Negotiators**

Episode 2: Incident response experts-turned-ransomware negotiators Ed Dubrovsky, COO and managing partner of CYPFER, and Joe Tarraf, chief delivery officer of Surefire Cyber, explain how they interact with cyber threat actors who hold victim organizations' systems and data for ransom. Among their fascinating stories: how they negotiated with cybercriminals to restore operations in a hospital NICU where lives were at stake, and how they helped a church, where the attackers themselves "got a little religion."

Listen now: Meet the Ransomware Negotiators

Visit the podcast archive, available here.

**DR Global: China-Linked Cyber-Espionage Teams Target Asian Telecoms**

By Robert Lemos, Contributing Writer, Dark Reading

In the latest breaches, threat groups compromised telecommunications firms in at least two Asian nations, installing backdoors and possibly eavesdropping or pre-positioning for a future attack.

Tools from a trio of China-linked groups — Fireant, Neeedleminer, and Firefly — were used to compromise telecommunications companies in at least two Asian nations, according to an analysis published by technology giant Broadcom's Symantec cybersecurity division. The groups — also known as Mustang Panda, Nomad Panda, and Naikon, respectively — previously have been associated with widespread attacks against a variety of countries in the Asia-Pacific region.

Attackers see telecommunications companies as a strong launchpad from which to compromise other systems, eavesdrop on communications, or cybercrime

"There's the potential for eavesdropping and surveillance but also, because telecoms is critical infrastructure, you could create significant disruption in your target country," says Dick O'Brien, principal threat intelligence analyst for Symantec's threat hunter team. "We think that there is a distinct possibility that the motive for these attacks was similar to what the US government has been repeatedly warning about."

Read more: China-Linked Cyber-Espionage Teams Target Asian Telecoms

Related: Japan, Philippines & US Forge Cyber Threat Intel-Sharing Alliance

**Key Takeaways From the British Library Cyberattack**

Commentary by Steve Durbin, CEO, Information Security Forum

Knowledge institutions with legacy infrastructure, limited resources, and digitized intellectual property must protect themselves from sophisticated and destructive cyberattacks.

In October 2023, the British Library underwent a crippling cyberattack that cost the library £7 million (US$8.9 million) in recovery costs, or about 40% of its reserve budget. Although the online catalogue was restored in January, full recovery is not expected before the end of the year.

The British Library ransomware attack is a wake-up call for all knowledge institutions, libraries, and government-funded organizations that have similar risks in terms of legacy infrastructure, limited resources, and a significant portion of their intellectual property and research existing in a digital format. Such organizations should follow best practices to help protect themselves from sophisticated and destructive cyberattacks.

The institution issued a report outlining details of the attack and sharing valuable lessons, which include:

1.  Assess your technical debt;
    
2.  Maintain a holistic view of cyber-risk;
    
3.  Practice good information governance;
    
4.  And, adopt a defense-in-depth approach.
    

Read more on the lessons learned: Key Takeaways From the British Library Cyberattack

Related: Enhancing Incident Response Playbooks With Machine Learning

**The NYSE's $10M Wake-up Call**

Commentary by Jeffrey Wells, Visiting Fellow, National Security Institute at George Mason University's Antonin Scalia Law School

The settlement between the SEC and the owner of the New York Stock Exchange is a critical reminder of the vulnerabilities within financial institutions' cybersecurity frameworks as well as the importance of regulatory oversight.

In 2018, a severe cyberattack on a subsidiary of Intercontinental Exchange Inc. (ICE), the owner of the New York Stock Exchange (NYSE), exposed highly sensitive information. The SEC's subsequent investigation revealed that ICE failed to implement adequate cybersecurity measures, compromising its systems.

As a result, ICE was required to pay a $10 million settlement. This incident is a stark reminder of the critical need for robust cybersecurity practices, particularly for entities handling such vital financial data.

The primary accountability lies with ICE, which neglected to enforce stringent cybersecurity protocols. The SEC's findings indicate that ICE's subsidiary had multiple vulnerabilities that must be addressed adequately. This lack of preparedness is a significant breach of fiduciary duty to protect sensitive financial information.

However, the $10 million fine, while significant, raises questions about whether it is enough to deter future negligence by major financial institutions.

Read more: The NYSE's $10M Wake-up Call

Related:  Don't Forget to Report a Breach: A Cautionary Tale

**CISA Releases Guidance on Network Access, VPNs**

By DR Techology Staff

CISA outlines how modern cybersecurity relies on network visibility to defend against threats and scams.

The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and similar entities in New Zealand, has issued guidance on modern approaches to network access security.

With the growing number of breaches and data incidents, organizations need to be thinking about, and planning to adopt, modern firewall and network access management technologies to gain visibility over the network.

CISA lays out three specific approaches its guidance: zero trust, secure service edge (SSE), and secure access service edge (SASE).

Read more: CISA Releases Guidance on Network Access, VPNs

Related: Attackers Target Check Point VPNs to Access Corporate Networks

CISO Corner: The NYSE &amp; the SEC; Ransomware Negotiation Tips

WIRED was able to download stories from publishers like The New York Times and The Atlantic using Poe’s Assistant bot. One expert calls it “prima facie copyright infringement,” which Quora disputes.

Poe, an AI chatbot platform owned by the question-and-answer site Quora and backed by a $75 million Andreessen Horowitz investment, is providing users with downloadable HTML files of articles published by paywalled journalistic outlets.

Prompting the service’s Assistant bot with the URL of this WIRED story about the AI-powered search service Perplexity plagiarizing one of our stories, for example, yields a detailed, 235-word summary and a 1-MB file containing an HTML capture of the entire article, which users can download from Poe’s servers directly from the chatbot.

WIRED was similarly able to retrieve articles from paywalled sites including The New York Times, Bloomberg Businessweek, The Atlantic, Forbes, Defector, and 404 Media in downloadable format simply by entering URLs into the Assistant bot’s interface. This appears to be just the latest example of the AI industry’s cavalier approach to intellectual property law, which is rapidly undermining existing business models in fields like journalism and music.

“This is a significant copyright issue,” James Grimmelmann, professor of digital and information law at Cornell University, wrote in an email. “Because they made a copy on their own server, that's prima facie copyright infringement.” (Quora disputes this, comparing Poe to a cloud storage service.)

When asked to summarize the content of a test website controlled by my colleague Dhruv Mehrotra, the bot did not return a summary but did return an HTML file. According to the website’s server logs, immediately after the Assistant bot was prompted to summarize the site, a server identifying itself as “Quora Bot” visited the site. It did not attempt to visit the site’s robots.txt page, suggesting that Poe and Quora ignore the Robots Exclusion Protocol, a widely accepted though not legally binding web standard.

A prominent media executive, whom WIRED granted anonymity to candidly discuss a legally sensitive matter his company is actively investigating, says that his publication also observed servers identifying themselves as Quora bots accessing its site immediately after giving Poe’s chatbot prompts about specific articles; these prompts, he says, yielded much or all of the text of these articles.

“Poe is a platform that lets users ask questions and have back-and-forth dialog with a variety of AI-powered bots provided by third parties,” Quora spokesperson Autumn Besselman wrote in an email. “We do not have or train our own AI models. Poe has a feature that enables a user to show the contents of a URL to a bot, but the bot will only see content that it is served by the domain. We would be happy to connect with your technical team to help them make sure your paywalled content isn’t served to people using Poe.”

“The file attachments on Poe are created at the direction of users and operate similarly to cloud storage services, ‘read it later’ services, and ‘web clipper’ products, which we believe are all consistent with copyright law,” Besselman wrote in response to an email asking follow-up questions. Andreessen Horowitz did not respond to a request for comment.

Quora cofounder Adam D’Angelo is a former Facebook CTO as well as an OpenAI board member. (D’Angelo was among the board members who voted to fire OpenAI CEO Sam Altman last year and was the only member who subsequently joined a new board formed after Altman’s return.) In March, nearly three months after Andreessen Horowitz announced that it had led a funding round for Quora, he sat for an interview with David George, a general partner at the venture firm who asked about the relationship between Quora and Poe.

“We’d love to have all of this as integrated as possible,” said D’Angelo. “If you think about the relationship between Facebook and Facebook Messenger, these are two products built by the same company, but they share a lot. I think that Poe and Quora might evolve to a similar kind of relationship. We’d love to get more of the human aspects of Quora into Poe. We’d also love to get the whole Quora dataset into the Poe bots and we’re also working—we’ve launched some of this already—to get some of the Poe AI to generate answers that are available on Quora.”

A user who goes to Poe’s website is prompted to start a chat with one of a number of chatbots. These range from bots offering direct access to various large language models and specialized bots like Mrstherapist (“Your very own therapist with relationship, trauma, stress etc.”) to the Assistant bot, the default option.

The Assistant bot is designated on the site as “by Poe” and as powered by AI firm Anthropic. This doesn’t mean that the bot is Anthropic’s; as the company points out, customers with access to its API can implement its models in their own products however they see fit. Claude, the Anthropic model on which the Assistant bot is apparently built, does not have access to the internet but can work with text provided to it—in this case, seemingly, by Quora crawlers that scrape websites in response to prompts. The HTML file the Assistant bot offers for download after being prompted with an article’s URL re-creates the article when opened in a browser, making it functionally equivalent to a PDF file.

Journalism companies have threatened and carried out legal action over claims that AI companies are infringing on their copyrights. The New York Times, for example, is suing OpenAI and Microsoft alleging infringement, and Forbes reportedly recently sent Perplexity a letter accusing it of “willful infringement.” (OpenAI, Microsoft, and Perplexity have denied wrongdoing.) Publishers whose articles WIRED was able to download were furious when apprised of the situation.

“As the law and The Times’ terms of service make clear,” wrote Charlie Stadtlander, a spokesperson for The New York Times, in an email, “scraping or reproducing The Times' content is prohibited without our prior written permission.”

“These stupid chatbots drive me fucking crazy,” wrote Defector co-owner and editor in chief Tom Ley in a text message. “Defector does not condone having its precious blogs stolen by a dumb chatbot backed by egghead-ass Andreessen Horowitz.”

Quora’s Chatbot Platform Poe Allows Users to Download Paywalled Articles on Demand

Despite more than 50% of all open source code being written in memory-unsafe languages like C++, we are unlikely to see a massive overhaul to code bases anytime soon.

A comprehensive new study has unearthed fresh details on the extensive and troubling use of memory-unsafe code in major open source software (OSS) projects.

However, the chances that fresh insight on a long known issue will spur any immediate changes to the software landscape remain bleak, given just how enormous, costly, and complex the task is of rewriting codebases entirely in memory-safe code.

Memory-unsafe programming languages such as C and C++ allow programmers to have more direct control over memory-related functions in code, which can often lead to very common application security issues like buffer overflows and use-after-free errors. Such flaws represent a large proportion of all vulnerabilities in modern application software. In contrast, memory-safe languages — the most common examples of which include Rust, Python, Java, and Go —offer guardrails such as built-in runtime and compile time checks to mitigate against common memory related errors.

**Most OSS Projects Contain Memory-Unsafe Code**

The US Cybersecurity and Infrastructure Security Agency (CISA) along with the FBI and counterparts at the Australian Cyber Security Centre and the Canadian Centre for Cyber Security this week released a report summarizing the results of their investigation into the use of memory-unsafe code in OSS.

The findings, while troubling, are not entirely unexpected given past data on the extensive use of memory-unsafe languages in almost all modern codebases. Fifty-two percent of the 172 major open source projects that the research authors looked at contained code written in a memory-unsafe language. More than half (55%) of the total lines of code in all the projects combined were written in a memory-unsafe language, with the larger projects being the worst culprits.

Some 95% of the total lines of code in Linux for instance are memory-unsafe. For MySQL Server, that number was 84%; for TensorFlow it was 64%; for Zephyr 84%; and for Chromium 51%. On average, 26% of the total lines of code in the 10 largest open source projects consisted of memory-unsafe code. Even projects written in memory-safe languages were at risk from dependencies on unsafe components.

"Most critical open source projects analyzed, even those written in memory-safe languages, potentially contain memory safety vulnerabilities," the report noted. "This can be caused by direct use of memory-unsafe languages or external dependency on projects that use memory-unsafe languages."

In addition, the tendency — and often the need — to disable memory-safety features to accommodate functional requirements in applications can often neutralize the benefits of using otherwise memory-safe languages.  

"These limitations highlight the need for continued diligent use of memory safe programming languages, secure coding practices, and security testing," the report authors noted.

**CISA Consistent With Previous OSS Data**

The findings are consistent with numerous previous studies that have examined the extensive problems tied to the use of memory-unsafe languages.  

And indeed, concerns over the ubiquity of the problem have prompted calls for change over the years. The most recent is a February 2024 technical report from the White House that urged industry stakeholders to go back to the building blocks and start over with using memory safe code in all software. In 2022, the US National Security Agency (NSA) urged software makers and all organizations developing software to consider adopting memory-safe languages to reduce risk from memory management related software issues in modern code bases. The continued pounding away at the topic over the years has spurred some change, but most expect it will take years — if not even decades — for a whole scale shift to memory-safe languages to happen.

"Adopting memory-safe code is challenging, primarily because changing a programming language often requires a complete rewrite of existing code," says Neatsun Ziv, CEO and Co-Founder of OX Security. The cost and effort required to undertake such a massive overhaul without significant economic incentives will likely make any change, a slow process.

**Making the World Memory-Safe: A Huge & Complex Challenge**

Omkhar Arasaratnam, general manager at OpenSSF says memory safety issues aren't specifically a problem for either open or closed-source software. It's a problem in general for all modern software.

"There are many memory-safe languages available today like JavaScript, Python, and Java, but software engineers often use memory-unsafe older languages like C/C++ for performance or low-level hardware access," he says.

Also, while Rust has emerged as a viable alternative to C/C++ for low level systems programming in recent years, there are many embedded systems and safety-critical applications for which Rust is not appropriate, he adds.

"While it is certainly possible to write memory-safe code in a memory-unsafe language, 25 years of CVEs tells us it is highly unlikely," Arasaratnam says. "It is not that people are bad programmers, but defensively writing code that is memory-safe in a memory-unsafe language is very difficult," he notes. As newer projects adopt memory-safe languages, expect the use of memory-unsafe languages to decrease over time, in all but niche applications.

Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group, says the new report does a good job showing how some major open source software projects such as Kubernetes and WordPress are authored in a memory-safe language. However, there are other issues that remain unexplored, he says. For example, it would be interesting to know if memory-safe languages are being used in new projects on GitHub, and whether memory-safe libraries are being used as dependencies in larger projects.

"We can safely say that awareness of memory safe languages is growing, but is it growing at a rate that would displace older languages? For example, are the creators of new embedded software solutions using C++ or Rust, and to what degree?"

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

CISA's Flags Memory-Unsafe Code in Major Open Source Projects

Though the Chicago-area hospital did not pay a ransom, a host of sensitive medical information is now at risk.

Source: Helen Sessions via Alamy Stock Photo

A full 791,000 of patients have had their personal information compromised in a cyberattack that resulted in Lurie Children's Hospital in Chicago taking its systems offline.

Cybercriminals accessed the children's hospital's systems, disrupting its patient portal, communications, and ability to access medical records.

In a data breach notification this week, the hospital cited the investigation as ongoing and said that the threat actors accessed the systems between Jan. 26 and 31, 2024.

Once the hospital went offline, it implemented standard response procedures, including its downtime procedures, though it has remained open throughout the duration of the investigation thus far.

While still determining the nature and scope of the attack, the hospital said, information "relating to certain individuals, such as name, address, date of birth, dates of service, driver's license number, email address, health claims information, health plan, health plan beneficiary number, medical condition or diagnosis, medical record number, medical treatment, prescription information, Social Security number, and telephone number, was impacted," though it varies depending on the individual.

The hospital's notice did not specifically say that it was the victim of a ransomware attack, but it noted that the hospital did not pay a ransom of any kind.

"Experts have advised that making a payment to cybercriminals does not guarantee the deletion or retrieval of data that has been taken," according to the hospital.

The cybercriminals in question are in the Rhysida ransomware gang, which has claimed responsibility of the attack, listing the hospital on its website and the apparent 600GB it claims to have stolen as "sold."

The hospital is in the process of informing affected individuals and is providing 24 months to Experian Identity Works. A call center is available to address questions and concerns about the information released on the cyberattack as well.

Hundreds of Thousands Impacted in Children's Hospital Cyberattack

Red Hat Security Advisory 2024-4166-03 - An update for python3 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a traversal vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4166.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: python3 security updateAdvisory ID:        RHSA-2024:4166-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4166Issue date:         2024-06-27Revision:           03CVE Names:          CVE-2023-6597====================================================================Summary: An update for python3 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python: Path traversal on tempfile.TemporaryDirectory (CVE-2023-6597)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6597References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2276518

Red Hat Security Advisory 2024-4166-03

Red Hat Security Advisory 2024-4165-03 - An update for pki-core is now available for Red Hat Enterprise Linux 9. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4165.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pki-core security updateAdvisory ID:        RHSA-2024:4165-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4165Issue date:         2024-06-27Revision:           03CVE Names:          CVE-2023-4727====================================================================Summary: An update for pki-core is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.Security Fix(es):* dogtag ca: token authentication bypass vulnerability (CVE-2023-4727)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4727References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2232218https://issues.redhat.com/browse/RHEL-23077

Red Hat Security Advisory 2024-4165-03

Red Hat Security Advisory 2024-4164-03 - An update for pki-core is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4164.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pki-core security updateAdvisory ID:        RHSA-2024:4164-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4164Issue date:         2024-06-27Revision:           03CVE Names:          CVE-2023-4727====================================================================Summary: An update for pki-core is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.4 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate System.Security Fix(es):* dogtag ca: token authentication bypass vulnerability (CVE-2023-4727)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4727References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2232218

Red Hat Security Advisory 2024-4164-03

Red Hat Security Advisory 2024-0045-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, and resource exhaustion vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0045.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.16.0 security update  
Advisory ID:        RHSA-2024:0045-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0045  
Issue date:         2024-06-27  
Revision:           03  
CVE Names:          CVE-2023-29483  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.16.0 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.16.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.16.0. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2024:0041

Security Fix(es):

* dnspython: denial of service in stub resolver (CVE-2023-29483)  
* golang: net/http/cookiejar: incorrect forwarding of sensitive headers and  
cookies on HTTP redirect (CVE-2023-45289)  
* golang: net/http: memory exhaustion in Request.ParseMultipartForm  
(CVE-2023-45290)  
* containers/image: digest type does not guarantee valid type  
(CVE-2024-3727)  
* golang: crypto/x509: Verify panics on certificates with an unknown public  
key algorithm (CVE-2024-24783)  
* golang: net/mail: comments in display names are incorrectly handled  
(CVE-2024-24784)  
* golang: html/template: errors returned from MarshalJSON methods may break  
template escaping (CVE-2024-24785)  
* golang-protobuf: encoding/protojson, internal/encoding/json: infinite  
loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON  
(CVE-2024-24786)  
* jose: resource exhaustion (CVE-2024-28176)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at   
https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

CVEs:

CVE-2023-29483

References:

https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html  
https://bugzilla.redhat.com/show_bug.cgi?id=2262921  
https://bugzilla.redhat.com/show_bug.cgi?id=2268017  
https://bugzilla.redhat.com/show_bug.cgi?id=2268018  
https://bugzilla.redhat.com/show_bug.cgi?id=2268019  
https://bugzilla.redhat.com/show_bug.cgi?id=2268021  
https://bugzilla.redhat.com/show_bug.cgi?id=2268022  
https://bugzilla.redhat.com/show_bug.cgi?id=2268046  
https://bugzilla.redhat.com/show_bug.cgi?id=2268820  
https://bugzilla.redhat.com/show_bug.cgi?id=2274520  
https://bugzilla.redhat.com/show_bug.cgi?id=2274767

Red Hat Security Advisory 2024-0045-03

Red Hat Security Advisory 2024-0043-03 - Red Hat build of MicroShift release 4.16.0 is now available with updates to packages and images that include a security update. Issues addressed include a bypass vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0043.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat build of MicroShift 4.16.0 security update  
Advisory ID:        RHSA-2024:0043-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0043  
Issue date:         2024-06-27  
Revision:           03  
CVE Names:          CVE-2024-3177  
====================================================================

Summary: 

Red Hat build of MicroShift release 4.16.0 is now available with updates to packages and images that include a security update.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat build of MicroShift is Red Hat's light-weight Kubernetes orchestration solution designed for edge device deployments and is built from the edge capabilities of Red Hat OpenShift Container Platform. MicroShift is an application that is deployed on top of Red Hat Enterprise Linux devices at the edge, providing an efficient way to operate single-node clusters in these low-resource environments.

This advisory contains the RPM packages for Red Hat build of MicroShift 4.16.0. Read the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:0041

All Red Hat build of MicroShift 4.16 users are advised to use these updated packages and images when they are available in the RPM repository.

Security Fix(es):

* golang-protobuf: encoding/protojson, internal/encoding/json: infinite  
loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON  
(CVE-2024-24786)  
* kubernetes: kube-apiserver: bypassing mountable secrets policy imposed by  
the ServiceAccount admission plugin (CVE-2024-3177)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/documentation/en-us/red_hat_build_of_microshift/4.16/html/release_notes/index

CVEs:

CVE-2024-3177

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268046  
https://bugzilla.redhat.com/show_bug.cgi?id=2274118  
https://issues.redhat.com/browse/OCPBUGS-21901  
https://issues.redhat.com/browse/OCPBUGS-23336  
https://issues.redhat.com/browse/OCPBUGS-24444  
https://issues.redhat.com/browse/OCPBUGS-24689  
https://issues.redhat.com/browse/OCPBUGS-25030  
https://issues.redhat.com/browse/OCPBUGS-25784  
https://issues.redhat.com/browse/OCPBUGS-27849  
https://issues.redhat.com/browse/OCPBUGS-29037  
https://issues.redhat.com/browse/OCPBUGS-29847  
https://issues.redhat.com/browse/OCPBUGS-30039  
https://issues.redhat.com/browse/OCPBUGS-30807  
https://issues.redhat.com/browse/OCPBUGS-30833  
https://issues.redhat.com/browse/OCPBUGS-31739  
https://issues.redhat.com/browse/OCPBUGS-32946  
https://issues.redhat.com/browse/OCPBUGS-33588

Latest News