The Google Passkey Manager on Android appears to have inconsistent messaging for deletion of data along with other varying issues that lead us to believe it's not ready for prime time.

*INTRODUCTION*  
Passkeys on Android are stored in Google Password Manager by default. The user cannot make their own backups of them.

Note: although the user can export a CSV file with both passkeys and passwords, the lines representing passkeys will not contain any secrets, rendering them useless.

Also note that Google Passkey Manager appears to primarily be a CLOUD-based password manager (with copies of passwords and passkeys usually cached on devices).

*PROBLEM*  
The user may have chosen to configure a "sync passphrase" in Chrome.  
Instructions on what to do, in case the user wishes to change or remove their sync passphrase, can be found in [1] under "Reset your passphrase".

Effectively the user is sent to [2] and should press the button "Clear Data" at the bottom of that page.  
Until mid June 2023, the text near that button used to read (emphasis in CAPS added by me):

   "This will clear your Chrome data from your Google Account.  
   THIS WON'T CLEAR ANY DATA FROM YOUR DEVICES."

However, tapping the "Clear Data" button would unrecoverably DELETE ALL YOUR PASSKEYS (not your passwords).

*ISSUE REPORTED TO GOOGLE*  
I reported this "passkeys gone" problem to Google as a security issue on June 11, 2023.  
Please see the Timeline below for details.

*"FIX"*  
The issue was "fixed" around June 15, 2023, apparently by changing the text at the bottom of [2] into (emphasis in CAPS added by me):

   "This will clear your Chrome data that has been saved in your Google Account.  
   THIS MIGHT CLEAR SOME DATA FROM YOUR DEVICES."

However, tapping the "Clear Data" button will still DELETE ALL OF YOUR PASSKEYS without any other warnings.

In my opinion this is unacceptable, as is the handling of my bug report. Therefore I have not yet reported the issues mentioned below to Google nor to the Chromium team.

*POTENTIAL SYNC ISSUES*  
Apparently Google decided to use a DEVICE based encryption key (instead of a Google ACCOUNT based key) to encrypt the passkey's private keys.  
The idea is that, if you start using an second Android device, the encryption key from the first device is transferred  to your second device.

Note that this requires you to enter your Google cloud password PLUS the screen unlock code of your first device on your second device.

However, transfer of the encryption key will fail if the second device ALREADY HAS an encryption key.

Note: I actually ran into this condition accidentally during tests.  
Although this may not be a typical situation, it is possible to reproduce (which I will not (yet) describe).

Consequently, if you you brick or loose your old Android device, and somehow you managed to already have a DIFFERENT encryption key on your new Android device, passkeys and passwords will sync from the cloud, but the synced passkeys will be UNUSABLE on your new device.

Tip: whatever you do on a new replacement device: don't start by creating a passkey as a test!  
Wait until your old passkeys have synchronized to your new device and you've confirmed that they work, before you add any new passkeys.

*BUG IN PASSWORDS.GOOGLE.COM*  
Editing a passkey's (user) name in [3] renders all passkeys for the domain unusable, with the following error message when attempting to use them:

   "No Passkeys Available  
   There aren't any passkeys for [domain] on this device"

That particular passkey will be unusable forever.  
However, any other passkeys for the same domain become usable again after you delete the -now corrupt and unusable- passkey.

*OTHER ISSUES*  
During my tests I found a lot of other issues (mostly minor compared to those mentioned above).  
Such as the following worrisome messages I repeatedly saw:

   "An unknown error occurred while talking to the credential manager."

   "For security, you can no longer access your encrypted data on this device."

Also, in Chrome settings, after enabling sync, tapping on "Password Manager" would usually open Google Password Manager (implemented as a part of Google Play Services), but sometimes the Chrome built-in password manager instead.

I may reveal other issues at a later stage.

*CONCLUSION*  
In my opinion the reliability of Android's passkey implementation insufficient (immature, not production ready).

There is no way for the user to back up their passkey secrets themselves, while cloud storage of passkeys can obviously not be relied upon (Google owns your passkeys, not you).

The partial integration of Google Password Manager with Chrome's builtin password manager complicates things - in particular when combined with a "sync passphrase" and/or "on device encryption".  
The apparent confusion which party (Google or the Chromium team) is responsible for fixing bugs in Google Password Manager seems amateuristic annd chaotic.

Account lockout is a serious risk. If fallbacks to passwords or recovery codes remains a necessity because of easily lost passkeys, the advantage of "phishing resistance" is mostly moot.

*DISCLOSURE TIMELINE* (format: yyyy-mm-dd)  
2023-06-06 I published a Dutch article "Passkeys voor leken" (Passkeys for beginners) [4].

2023-06-08 After enabling encryption (using a sync passphrase) for all synced data, and then following Google's instructions [1] on how to change that passphrase, I noticed that all passkeys on my Google Pixel 6 Pro Android phone had disappeared.

I wrote about this in [5], but initially thought that I made a mistake myself.  
After thid incident I started to further investigate this issue, which appeared to reproduce.

2023-06-11 I uploaded a vulnerability report to Google titled "Passkeys gone from device after clearing Chrome data from Google Account" [6].

2023-06-12 Google acknowledges receiving my report.

2023-06-14 Google forwards my report to the Chromium team [7] and sets the status of the Google issue to "Won't Fix (Infeasible)".

2023-06-14 Im am notified that my vulnerability report was registered by the Chromium team.  
In [7] I see that the issue was assigned to a specific person (the "assignee" from now on).

2023-06-15 On the bug tracking website [7] I uploaded a zip-file with screenshots to further clarify things.

2023-06-15 The assignee wrote in [7]:

   "This is as expected, but you're right that we should clarify that on the page and that it's unexpected that Android's implementation of Sync differs r.e. the clearing of data from devices."

2023-06-15 The assignee adds a comment:

   "> it's unexpected that Android's implementation of Sync differs r.e. the clearing of data from devices.  
   (Sorry, that was poorly worded. It's potentially _surprising_ that Android differs given the wording.)"

At that time I did not understand what the assignee meant. Later I discovered by accident that the text at the bottom of [2] had been changed, and the assignee was apparently referring to that text.

2023-08-10 After 60 days since my initial report, I addded a comment in [7] that I am able to reproduce the vulnerability using the latest (August) Android update. I added:

   "I don't know whether this is a Chromium or an Android issue, but losing passkeys is unacceptible.  
   What gives?"

2023-09-10 (after 90 days) On [6] I reported that I had not heard back from the Chromium team since June 15 and that I do not understand what they wrote that day, and that there was no response to my August 8 comment.

2023-09-11 My latest comment in [6] is acknowledged by Google and under review.

2023-09-15 Google states that they won't do anything as this vulnerability is tracked by [7].

2024-02-07 No updates on [6] and [7].  
Publication.

*REFERENCES*  
[1] https://support.google.com/chrome/answer/165139

[2] https://chrome.google.com/sync

[3] https://passwords.google.com/

[4] https://security.nl/posting/798699/Passkeys+voor+leken

[5] https://security.nl/posting/798932

[6] https://issuetracker.google.com/issues/286730198

[7] https://bugs.chromium.org/p/chromium/issues/detail?id=1454857

Google Android Passkey Deletion / Confusion

Ubuntu Security Notice 6629-1 - It was discovered that UltraJSON incorrectly handled certain input with a large amount of indentation. An attacker could possibly use this issue to crash the program, resulting in a denial of service. Jake Miller discovered that UltraJSON incorrectly decoded certain characters. An attacker could possibly use this issue to cause key confusion and overwrite values in dictionaries. It was discovered that UltraJSON incorrectly handled an error when reallocating a buffer for string decoding. An attacker could possibly use this issue to corrupt memory.

==========================================================================  
Ubuntu Security Notice USN-6629-1  
February 14, 2024

ujson vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in UltraJSON.

Software Description:  
- ujson: ultra fast JSON encoder and decoder for Python 3

Details:

It was discovered that UltraJSON incorrectly handled certain input with  
a large amount of indentation. An attacker could possibly use this issue  
to crash the program, resulting in a denial of service. (CVE-2021-45958)

Jake Miller discovered that UltraJSON incorrectly decoded certain  
characters. An attacker could possibly use this issue to cause key  
confusion and overwrite values in dictionaries. (CVE-2022-31116)

It was discovered that UltraJSON incorrectly handled an error when  
reallocating a buffer for string decoding. An attacker could possibly  
use this issue to corrupt memory. (CVE-2022-31117)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS (Available with Ubuntu Pro):  
   python3-ujson                   5.1.0-1ubuntu0.1~esm1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   python-ujson                    1.35-2ubuntu0.1~esm1  
   python3-ujson                   1.35-2ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   python-ujson                    1.33-1ubuntu0.1~esm2  
   python3-ujson                   1.33-1ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6629-1  
   CVE-2021-45958, CVE-2022-31116, CVE-2022-31117

Ubuntu Security Notice USN-6629-1

Red Hat Security Advisory 2024-0814-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 7. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0814.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: .NET 6.0 security, bug fix, and enhancement updateAdvisory ID:        RHSA-2024:0814-03Product:            .NET Core on Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0814Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2024-21386====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.The following packages have been upgraded to a later upstream version: rh-dotnet60-dotnet (6.0.127). (BZ#2262321)Security Fix(es):* dotnet: Denial of Service in SignalR server (CVE-2024-21386)* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21386References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263085https://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-0814-03

Red Hat Security Advisory 2024-0811-03 - A security update for sudo is now available for Red Hat Enterprise Linux 8 and 9.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0811.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: sudo security update  
Advisory ID:        RHSA-2024:0811-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0811  
Issue date:         2024-02-14  
Revision:           03  
CVE Names:          CVE-2023-28486  
====================================================================

Summary: 

A security update for sudo is now available for Red Hat Enterprise Linux 8 and 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The sudo packages contain the sudo utility which allows system  
administrators to provide certain users with the permission to execute  
privileged commands, which are used for system management purposes, without  
having to log in as root.

Bug Fix(es) and Enhancement(s):

* CVE-2023-28487 sudo: Sudo does not escape control characters in sudoreplay output  
* CVE-2023-28486 sudo: Sudo does not escape control characters in log messages  
* CVE-2023-42465 sudo: Targeted Corruption of Register and Stack Variables

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-28486

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2179272  
https://bugzilla.redhat.com/show_bug.cgi?id=2179273  
https://bugzilla.redhat.com/show_bug.cgi?id=2255568

Red Hat Security Advisory 2024-0811-03

Red Hat Security Advisory 2024-0808-03 - An update for dotnet6.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0808.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dotnet6.0 security updateAdvisory ID:        RHSA-2024:0808-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0808Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2024-21386====================================================================Summary: An update for dotnet6.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.Security Fix(es):* dotnet: Denial of Service in SignalR server (CVE-2024-21386)* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21386References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263085https://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-0808-03

Red Hat Security Advisory 2024-0807-03 - An update for dotnet6.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0807.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dotnet6.0 security updateAdvisory ID:        RHSA-2024:0807-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0807Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2024-21386====================================================================Summary: An update for dotnet6.0 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.Security Fix(es):* dotnet: Denial of Service in SignalR server (CVE-2024-21386)* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21386References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263085https://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-0807-03

Red Hat Security Advisory 2024-0806-03 - An update for dotnet7.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0806.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dotnet7.0 security updateAdvisory ID:        RHSA-2024:0806-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0806Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2024-21386====================================================================Summary: An update for dotnet7.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.116 and .NET Runtime 7.0.16.Security Fix(es):* dotnet: Denial of Service in SignalR server (CVE-2024-21386)* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21386References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263085https://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-0806-03

Red Hat Security Advisory 2024-0805-03 - An update for dotnet7.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0805.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dotnet7.0 security updateAdvisory ID:        RHSA-2024:0805-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0805Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2024-21386====================================================================Summary: An update for dotnet7.0 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.116 and .NET Runtime 7.0.16.Security Fix(es):* dotnet: Denial of Service in SignalR server (CVE-2024-21386)* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21386References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263085https://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-0805-03

Red Hat Security Advisory 2024-0804-03 - A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0804.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.7 security updateAdvisory ID:        RHSA-2024:0804-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0804Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2023-2976====================================================================Summary: A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.7 serves as a replacement for Red Hat Single Sign-On 7.6.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.Security Fix(es):* redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6291)* guava: insecure temporary directory creation (CVE-2023-2976)* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)* reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6134)* open redirect via \"form_post.jwt\" JARM response mode (CVE-2023-6927)* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)* Log Injection during WebAuthn authentication or registration (CVE-2023-6484)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-2976References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2215229https://bugzilla.redhat.com/show_bug.cgi?id=2236340https://bugzilla.redhat.com/show_bug.cgi?id=2236341https://bugzilla.redhat.com/show_bug.cgi?id=2246070https://bugzilla.redhat.com/show_bug.cgi?id=2248423https://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2255027

Red Hat Security Advisory 2024-0804-03

Red Hat Security Advisory 2024-0801-03 - A new image is available for Red Hat Single Sign-On 7.6.7, running on OpenShift Container Platform 3.10 and 3.11, and 4.3. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0801.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.7 for OpenShift image enhancement updateAdvisory ID:        RHSA-2024:0801-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0801Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2023-2976====================================================================Summary: A new image is available for Red Hat Single Sign-On 7.6.7, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On is an integrated sign-on solution, available as aRed Hat JBoss Middleware for OpenShift containerized image. The Red HatSingle Sign-On for OpenShift image provides an authentication server thatyou can use to log in centrally, log out, and register. You can also manageuser accounts for web applications, mobile applications, and RESTful webservices.Security Fix(es):* redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6291)* guava: insecure temporary directory creation (CVE-2023-2976)* jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() (CVE-2023-26048)* jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)* reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6134)* open redirect via \"form_post.jwt\" JARM response mode (CVE-2023-6927)* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)* Log Injection during WebAuthn authentication or registration (CVE-2023-6484)This erratum releases a new image for Red Hat Single Sign-On 7.6.7 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.Solution:https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.6.7.GA/templates/${resource}CVEs:CVE-2023-2976References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2215229https://bugzilla.redhat.com/show_bug.cgi?id=2236340https://bugzilla.redhat.com/show_bug.cgi?id=2236341https://bugzilla.redhat.com/show_bug.cgi?id=2246070https://bugzilla.redhat.com/show_bug.cgi?id=2248423https://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2255027

Source

Packet Storm