Threat actors can take over victims' cloud accounts to steal data, or use them for command-and-control for phishing attacks, denial of service, or other cyberattacks.

Attackers can compromise a new feature in Amazon Web Services (AWS) to hijack cloud accounts' static public IP addresses and abuse them for various malicious purposes, researchers have found.

Threat actors can use the Amazon Virtual Private Cloud (VPC) Elastic IP (EIP) transfer feature to steal someone else's EIP and use it as their own command-and-control (C2), or to launch phishing campaigns that impersonate the victim, researchers from cloud incident response firm Mitiga revealed in a blog post on Dec. 20.

Attackers also can use the stolen EIP to attack a victim's own firewall-protected endpoints, or to serve as the original victim’s network endpoint to extend opportunities for data theft, the researchers said.

"The potential damage to the victim by hijacking an EIP and using it for malicious purposes can mean using the victim’s name, jeopardizing the victim’s other resources in other cloud providers/on-premises, and \[stealing the\] victim’s customers' information," Or Aspir, software engineer at Mitiga, wrote in the post.

Threat actors must already have permissions on an organization's AWS account to leverage the new attack vector, which the researchers call "a post-initial-compromise attack."

However, because the attack was not possible before the feature was added and is not yet listed in the MITRE ATT&CK Framework, organizations may be unaware that they are vulnerable to it, as it's not likely to be picked up by existing security protections, the researchers said.

"With the right permissions on the victim’s AWS account, a malicious actor using a single API call can transfer the victim’s used EIP to their own AWS account, thus practically gaining control over it," Aspir wrote. "In many cases it allows greatly increasing the impact of the attack and gaining access to even more assets."

**How Elastic IP Transfer Works**

AWS introduced EIP in October as a legitimate feature to allow transfer of Elastic IP addresses from one AWS account to another. An Elastic IP (EIP) address is a public and static IPv4 address that can be reached from the Internet and can be allocated to an Elastic Compute Cloud (EC2) instance for Web-facing activities, such as website hosting or communicating with network endpoints under a firewall.

AWS introduced the feature to make it easier to move Elastic IP addresses during AWS account restructuring by transferring the EIP to any AWS account — even AWS accounts that are not owned by someone or his or her organization, the researchers said.

With the feature, the transfer is a mere "two-step handshake between AWS accounts — the source account (either a standard AWS account or an AWS Organizations account) and the transfer account," Aspir explained.

**Abuse of Elastic IP Transfer**

The ease with which EIPs can now be transferred creates an unintentional issue, however — while it certainly facilitates the process of transferring IP for legitimate account owners, it also makes it easier for malicious actors as well, the researchers said.

Researchers described a basic scenario to illustrate how attackers can take advantage of EIP transfer, assuming that attackers already have permissions that allow them to "see" existing EIPs and their status, or whether or not they are associated with other computer resources.

Typically, EIPs are associated, but sometimes an organization keeps dissociated EIP for later use, or as a result of an unmanaged environment that keeps unused resources, the researchers said. "Either way, the attacker only needs to enable the EIP transfer, and the IP address is theirs," Aspir wrote.

Attackers can do this in two ways with the correct permissions: either transfer a dissociated EIP or remove the association of an associated EIP and then transfer it, the researchers said.

For the former, an adversary must have the following action in its attached Identity and Access Management (IAM) policy on AWS: "ec2:DisassociateAddress" action on the elastic IP addresses and the network interfaces that the IP addresses are attached to.

To transfer an EIP, a threat actor must have the following actions in its attached IAM policy: "ec2:DescribeAddresses" on all the IP addresses and "ec2:EnableAddressTransfer" on the EIP address that the attacker wants to transfer, the researchers said.

**Leveraging a Stolen EIP**

There are a wide range of attack scenarios that a threat actor can engage in after successfully transferring someone else's EIP to their own control.

In external firewalls used by the victim, for example, an attacker can communicate with the network endpoints behind the firewalls if there is an allow rule on the specific IP address, the researchers said.

Moreover, in cases in which a victim uses DNS providers such as a Route53 service, there could be DNS records of an "A" type in which the target is the transferred IP address. In this case, an attacker can abuse the address for hosting a malicious Web server under a legitimate victim’s domain, then launch other malicious actions, such as phishing attacks, the researchers said.

Attackers also can use the stolen IP address as C2, using it for malware campaigns that appear legitimate and thus fly under the radar of security defensives. A threat actor can even cause denial of service (DoS) to a victim's public services if they dissociate an EIP from a running endpoint and transfer it, the researchers said.

**Who's at Risk and How to Mitigate It**

Anyone using EIP resources in an AWS account is at risk, and thus must treat the EIP resources like other resources in AWS that are in danger of exfiltration, the researchers advised.

To protect themselves from an EIP transfer attack, Mitiga recommends that enterprises use the principle of least privilege on AWS accounts and even disable the ability to transfer EIP entirely if it's not a necessary feature on their environment.

To do this, an organization can use native AWS IAM features such as service control policies (SCPs), which offer central control over the maximum available permissions for all accounts in an organization, the researchers said, providing an example in their post of how this works.

AWS Elastic IP Transfer Feature Gives Cyberattackers Free Range

Definitive solution is ‘non-trivial’ since behavior arises from customers processing non-RFC compliant requests

Definitive solution is ‘non-trivial’ since behavior arises from customers processing non-RFC compliant requests

A vulnerability in how Akamai retrieves Amazon Web Services (AWS) S3 resources could allow attackers to stage web cache poisoning attacks against websites.

Web cache poisoning involves malicious clients forcing content delivery networks (CDN) or web servers to cache malicious content and later serve it to other clients requesting the same resource.

**Double misconfiguration**

Akamai can map various HTTP requests to their corresponding S3 bucket and cache them for later retrieval. Security researcher Tarunkant Gupta discovered that he could trick the Akamai server into caching files from malicious buckets.

“A few months back I encountered a non-exploitable AWS S3 misconfiguration and I was just revisiting it to check if that still exists or not, but this time I wanted to explore all attack possibilities,” he told The Daily Swig. After trying different attack vectors, Gupta ran into a misconfiguration in Akamai’s cache servers that could be leveraged to exploit the S3 bug.

RELATED Akamai WAF bypassed via Spring Boot to trigger RCE

Akamai said creating “a blanket ‘patch’” was “not trivial, as that may have a big negative impact on legitimate internet traffic”, according to a technical writeup from Gupta. In the meantime, Gupta said users can protect themselves by not accepting any headers containing Unicode characters at the Akamai level. 

**Tampering header commands**

To exploit the vulnerability, an attacker must send a web request for a benign file, but modify the header directives to add a header preceded by a hex value (e.g. ) and followed by the malicious S3 address.

If the request results in a cache hit, then the Akamai server will prioritize the header with the Unicode value over the original header and cache the malicious file to serve it to future users who request the same path.

“Because of the S3 misconfiguration, it prioritizes the first header over the target origin and Akamai’s incorrect parsing on the inclusion of Unicode character let me pass exactly what I wanted to the S3 buckets, a malicious host on the first occurrence of the header,” Gupta explained.

**Attacking at scale**

The attack will only work if benign and malign files are stored in S3 buckets located in the same region. The attacker can create S3 buckets in all available regions and upload the malicious file to all of them.

Exploiting the bug would then be a matter of brute-forcing the web cache poisoning attack on the target web resource to see which bucket works.

Gupta tested the attack with an SVG file, which is usually a cached file type and can contain JavaScript code – making it especially dangerous. But the attack can also work with any other file type cached by the server.

Gupta also developed a pair of Python scripts that can find targets stored in S3 buckets and cached by Akamai.

“This issue is very easy to exploit, and one simple cURL can create a malicious cache,” Gupta said. “An automation script was created to exploit at scale. This issue can result in various types of attacks such as XSS, JavaScript injection, open redirection, DoS, spoofing, etc.”

**RFC non-compliance**

Akamai told Gupta that the configuration issue “results from certain customers’ needs to process non-RFC compliant requests for their applications to function correctly, and therefore cloud vendors offering features to support such traffic unless explicitly instructed not to do so.”

Kaan Onarlioglu, senior infosec architect at Akamai, told The Daily Swig: “By default, Akamai edge servers allow certain invalid HTTP headers to pass through, treating them as custom headers.”

Catch up with the latest hacking techniques news and analysis

This feature is necessary to support large volumes of legitimate traffic flows and origin applications that rely on invalid headers to function correctly, he said. However, it could sometimes lead to unexpected interactions between Akamai and origin servers, depending on the origin’s request processing behavior.

“Akamai provides a strict header parsing configuration option to block traffic containing invalid headers, and we strongly urge our customers to utilize it unless that interferes with their operations,” Onarlioglu continued.

According to Onarlioglu, Akamai is currently working on making strict header parsing a default behavior instead of offering an opt-out mechanism for customers. The work is expected to be finalized early in 2023.

Gupta advised web developers to always follow RFC and its recommendations. “Many companies don’t follow them and also don't put any countermeasures around it, which sometimes becomes a serious issue,” he said.

RECOMMENDED Researcher discovers 70 web cache poisoning vulnerabilities, nets $40k in bug bounty rewards

Akamai wrestles with AWS S3 web cache poisoning bug 

Large vendors are commoditizing capabilities that claim to provide absolute security guarantees backed up by formal verification. How significant are these promises?

There is no software without bugs, right? While this is a common sentiment, we make assumptions that rely on the premise that software has no bugs in our day-to-day digital life. We trust identity providers (IDPs) to get authentication right, operating systems to perfectly comply with their specs, and financial transactions to always perform as intended. Even more vividly, we trust software with our physical safety by going on planes, driving a car that actively corrects our adherence to traffic lanes or our distance from the car in front of us, or undergoing certain surgeries. What makes this possible? Or to put it another way, why aren't planes falling out of the sky due to bad software?

Software quality assurance borrows from scientific and engineering tools. One way to ensure and improve software quality is to publicize it and give as many people as possible an incentive to try to break it.

Another is using design patterns or well-architecture frameworks rooted in engineering. For example, while not every software project can be put under the same level of scrutiny as the Linux kernel, which has been under scrutiny for decades, software projects can open source code to invite scrutiny or submit code for audits in hopes to gain some of the security guarantees.

And of course, there's testing. Whether static, dynamic, or real-time, done by the developer or by a dedicated team, testing is a major part of software development. With critical software, testing is usually an entirely separate project handled by a separate team with specific expertise.

Testing is good, but it doesn't claim to be comprehensive. There are no guarantees we found all the bugs because we don't know which bugs we don't know about. Did we already find 99% of Linux kernel bugs out there? 50%? 10%?

**The 'Absolute' Claim**

The research field of formal methods is looking at ways to assure you that there are no bugs in a certain piece of software, such as your stockbroker or certificate authority. The basic idea is to translate software into math, where everything is well-defined, and then create an actual proof that the software works with no bugs. That way, you can be sure that your software is bug-free in the same way you can be sure that every number can be decomposed to a multiplication of prime numbers. (Note that I don't define what a bug is. This will prove to be a problem, as we will later see.)

Formal method techniques have long been used for critical software, but they were extremely compute- and effort-intensive and so applied only to small pieces of software, such as a limited part of chip firmware or an authentication protocol. In recent years, advanced theorem provers like Z3 and Coq have made it possible to apply this technology in a larger context. There are now formally verified programming languages, operating systems, and compilers that are 100% guaranteed to work according to their specifications. Applying these technologies still requires both advanced expertise and a ton of computing power, which make them prohibitively expensive to most organizations.

Major cloud providers are performing formal verification of their fundamental stacks to reach high levels of security assurance. Amazon and Microsoft have dedicated research groups that work with engineering teams to incorporate formal verification methods into critical infrastructure, such as storage or networking. Examples include AWS S3 and EBS and Azure Blockchain. But the really interesting fact is that in the past few years, cloud providers have been trying to commoditize formal verification to sell to their customers.

**Decisively Solving Misconfiguration?**

Last year, AWS released two features that leverage formal verification to address issues that have long plagued their customers, namely network and identity and access management (IAM) misconfigurations. Network access and IAM configurations are complex, even for a single account, and that complexity grows drastically in a large organization with distributed decision-making and governance. AWS addresses it by giving its customers simple controls — such as "S3 buckets should not be exposed to the Internet" or "Internet traffic to EC2 instances must go through a firewall" — and guaranteeing to apply them in every possible configuration scenario.

AWS is not the first to address the misconfiguration problem, even for AWS-specific issues such as open S3 buckets. Cloud security posture management (CSPM) vendors have been addressing this issue for a while now, analyzing virtual port channel (VPC) configuration and IAM roles and identifying cases where privileges are too lax, security features are not properly used, and data can be exposed to the Internet. So what's new?

Well, this is where the absolute guarantee comes in. A CSPM solution works by creating a known-bad or known-good list of misconfigurations, sometimes adding context from your environment, and producing results accordingly. Network and IAM analyzers work by examining every potential IAM or network request and guaranteeing that they will not result in unwanted access according to your specification (such as "no Internet access"). The difference is in the guarantees about false negatives.

While AWS claims that there is no way it has missed anything, CSPM vendors say they are always on the lookout for new misconfigurations to catalog and detect, which is an admission that they did not detect these misconfigurations previously.

**Some Flaws of Formal Verification**

Formal verification is great for finding well-defined issues, such as memory security issues. However, things become difficult when trying to find logical bugs because those require specifying what the code is actually supposed to do, which is exactly what the code itself does.

For one thing, formal verification requires specifying well-defined goals. While some goals, like preventing access to the Internet, seem simple enough, in reality they are not. The AWS IAM analyzer documentation has an entire section defining what "public" means, and it's full of caveats. The guarantees it provides are only as good as the mathematical claims that it has coded.

There's also the question of coverage. AWS analyzers cover only a few major AWS services. If you route traffic into your network through an outbound connection channel, the analyzer wouldn't know. If some service has access to two IAM roles and can combine them to read from a confidential public bucket and write to a public one, the analyzer wouldn't know. Nevertheless, on some well-defined subset of the misconfiguration problem, formal verification provides stronger guarantees than ever before.

Getting back to the relative advantage question posed above, the difference is that the IAM and network analyzer claims that its list of issues detected is comprehensive, while CSPM claims that its list covers every misconfiguration known today. Here's the key question: Should you care?

**Should We Care About Absolute Guarantees?**

Consider the following scenario. You own a CSPM and look at the AWS network and IAM analyzer. Comparing the results of the two, you realize that they've identified the exact same problems. After some effort, you fix every single problem on that list. Relying only on your CSPM, you would feel you are in a good place now and could dedicate security resources elsewhere. By adding AWS analyzers to the mix, you now know — with an AWS guarantee — that you are in a good place. Are these the same results?

Even if we neglect the caveat of formal verification and assume that it catches 100% of issues, measuring the benefits over detection-based services like CSPM would be an exercise for every individual organization with its own security risk appetite. Some would find these absolute guarantees groundbreaking, while others would probably stick to existing controls.

These questions are not unique to CSPM. The same comparisons could be made for SAST/DAST/IAST web application security testing tools and formally verified software, to name one example.

Regardless of individual organization choices, one exciting side effect of this new technology would be an independent way to start measuring security solutions' false negative rates, pushing vendors to be better and providing them with clear evidence where they need to improve. This in and of itself is a tremendous contribution to the cybersecurity industry.

Are 100% Security Guarantees Possible?

Softr v2.0 was discovered to be vulnerable to HTML injection via the Name field of the Account page.

**Build custom apps for your business, as easy as lego**

|

Turn your Airtable or Google Sheets into client portals, partner apps or internal tools.

**Trusted by 80,000+ teams worldwide**

**Create apps powered by your data**

**Client Portals**

Create client or employee portals with self-service account creation and secure access to content.

**Internal Tools**

Enable your team to create internal apps like employee directories, CRM, and company wikis, in minutes.

**Marketplaces**

Create two sided marketplaces like Airbnb, Upwork and the like. Sell services, goods, pay securely with Stripe and run your entire business from one tool.

**Online Communities**

Supercharge your community and bring them together in one platform, with memberships, free and premium content. Share resources, sell courses, connect with each other and more.

**Resource Directories**

Curate resources of any kind and let users search, filter, and explore. Launch online courses, company wikis or upvoting sites directly from Airtable.

**Websites**

Quickly create multi-page marketing sites or high-converting landing pages. Add your custom domain for free.

**Softr is the easiest, fastest way to build a professional web app on Airtable. Zero learning curve.**

**80,000+ companies and creators use Softr**

I had already tried other tools, so when I started using Softr, it was clear immediately that the capabilities were beyond what I found elsewhere.

**Yohei Nakajima**

General Partner, Untapped Capital

Softr helps you take action on your ideas quickly by allowing you to leverage your Airtable data and build powerful websites and web apps. I was blown away by how user-friendly and well-documented the entire product was! I was able to create an app within hours without any external help.

**Karthik Puvvada (KP)**

Program Director, On Deck No-Code Fellowship

Softr’s ease and speed of use is it’s standout characteristic. No tool is faster to create with. Although there is limited design customizability, this should be viewed as a strength of Softr as it acts as a positive restraint to help you ship things more quickly than you ordinarily would.

**Max Haining**

Founder, 100DaysOfNoCode

They say that if you can’t explain it in a simple way, you don’t understand it well enough. I say the same thing about any software. If you can’t figure it out in the first 10 min by yourself without any tutorial, it’s probably not for you. Since the first moment we discovered Softr, we started the work.

**Akiki Rachid**

COO, Bookzdoctr Inc

It took me one day to build the product, learn the integrations, and see how the customer service acts. I was completely flashed that it is so easy, and that everything is working really well. So, I quickly decided 3 weeks later to set up our main page and transferred it to Softr.

**Sabine Wildemann**

Co-Founder, KidsCircle

I have been impressed with the flexibility of Softr. The ability to pull data from different Airtable bases into different blocks and display them on one page was one of the main reasons I chose Softr.

**Dan Smith**

Director, DS Automotive

As a small business, we needed to use a tool that could grow with us, and we feel that this is what Softr offers us. After wasting time and money trying every web builder under the sun, Softr came to save the day. We cannot recommend this platform enough – it's perfect, easy to use even for a non-technical person like me.

**Lucia Borraccino**

Founder, Nanny Network

I like the diversity of templates that are available and the thoughtfulness that has been taken in making the building process as simple as possible for non-coders.

**Kwaku Dapaah-Danquah**

Entrepreneurship Manager, YSYS

I used Softr to build the MVP for my company www.tallsize.com.When I discovered how easy it was to use Softr to create a frontend interface for our users, my mind was blown!!! It was so easy to set up that I literally launched my site in a single weekend. Their support team was incredible throughout this journey and the ability to customize everything the way I wanted was very intuitive and easy to accomplish.

**Nicole Murphy**

Founder, Tall Size

I have been using Softr for a few months now, and the list of new features & improvements is PHENOMENAL. A no-brainer pick for now and a really good bet for the future!

**Nic Touron**

Founder, ToolMeUp

With Softr, I’m able to create beautifully intuitive and responsive front-ends that integrate directly with Airtable and Stripe. Softr allows me to create and iterate at least twice as fast as traditional web platforms.

**Connor Gustafson**

Founder, LendingApp

Softr is THE no-code website builder to use. From SEO and site responsiveness to database backends and customer support, Softr is the deal of the century!

**Patrick Ford**

Founder, Adastacks

**Simple, yet powerful**

**As simple as building lego**

Start from a template or from 100+ pre-built blocks and customize any element on the page. No design or coding skills needed.

**Build platforms, not just sites**

Turn your Airtable data into a full-stack web-app with out-of-the-box memberships, payments and business logic, all in one place.

**Turn into a mobile app, with one click**

Immediately made available on both Apple and Android devices, without the extra effort.

**Start now, go live today**

Don't spend hours learning new tools. Softr is the quickest way to put a product in the hands of your customers. Changing things later is easy and instant.

**This website is built on Softr**

Join 80,000+ companies already using Softr.

**Powerful pre-built functionality out of the box**

Softr does the heavy lifting of all technical work for you, so you can focus on your business.

**Secure user accounts**

Keep yours and your customers' data safe with server-side password protection.

**Free custom domain**

Our free tier includes hosting on custom domains. No credit card required.

**Team Collaboration**

Invite your teammates to manage the application and set granular permissions

**Easy online payments**

Enable one-off purchases or subscriptions in seconds.

**Optimized for SEO**

Pages built with Softr are automatically indexed by search engines.

**Performant, safe, and scalable**

Enjoy Amazon AWS-powered security and performance.

**Integrate with the tools you love**

Seamlessly integrate your Softr app with the modern and trusted tools of your workflow like Zapier, Google Analytics, Stripe, Hotjar, Mailchimp and more.

**Run your business on Softr + Airtable**

**For Companies**

Explore how SMBs and startups use Softr to manage and grow their business.

LEARN MORE

**For Creators**

Learn how entrepreneurs of all sizes are starting new ventures in days with Softr.

LEARN MORE

**For Non-Profits**

Organizations of all kinds can run their operations online, saving time and money.

**Learn about companies and creators using Softr**

CVE-2022-40434: Build website, web app & portals on Airtable without code | Softr

By Waqas
In total, 117 million files were exposed due to two misconfigured Amazon Web Services S3 buckets.
This is a post from HackRead.com Read the original post: Top American Online Ed Platform Leaks 22TB of Data

The incident took place when two misconfigured AWS S3 buckets belonging to McGraw Hill, one of the “big three” educational publishers in the US, were left exposed without any security authentication.

The cyber security researchers at vpnMentor discovered a couple of **misconfigured Amazon Web Services (AWS) S3 buckets** containing a massive trove of data belonging to a USA-based education publishing firm, McGraw Hill.

The platform is among the top three educational content publishers in the United States, and it is also widely used by educational institutions across Canada for facilitating online classes. It builds educational software for students who can access lectures and upload homework on its portal.

**Findings Details**

Researchers discovered two misconfigured Amazon Web Services S3 buckets, the owner of which was identified to be **McGraw Hill**. The researchers discovered one non-production bucket containing over 69 million documents and 10TB+ of data and one production bucket containing 12TB+ of data.

In total, 22TB of data was exposed, and the buckets contained 117 million files. The buckets were discovered on 12 June 2022. vpnMentor’s researchers contacted McGraw Hill first on 13 June, 2022 then again on 15 June and 20 June 2022.

They contacted them the fourth time on 27 June 2022 and finally reached USA CERT several times between 27 June and 4 July 2022. In total, vpnMentor tried to contact McGraw Hill nine times. On 7 July 2022, vpnMentor contacted Amazon Web Service, and finally, they received a response on 9 July 2022.

**What Data Got Exposed?**

According to vpnMentor’s **blog post**, around 100,000 students could be exposed to numerous online attacks due to this data breach. Their private data, such as personal details and grades, could be at risk, and anyone could access it using a web browser.

Further, the exposed data included excel sheets containing student data such as email IDs, names, and grades, documents featuring students’ assignments, performance reports, and grades, and documents containing syllabi for the teachers.

Screenshot taken from one of the exposed files (Credit: vpnMentor)

Moreover, the data included reading material for different courses, source code for McGraw Hill, and private digital keys from McGraw Hill. The leaking of source code is dangerous as it can help threat actors to search for other flaws.

Reportedly, the breach or incident impacted students from the following universities:

1.  McGill University
2.  University of Illinois
3.  University of Toronto
4.  University of Michigan
5.  Johns Hopkins University
6.  Washington University in St Louis
7.  University of California, Los Angeles

**What Caused the Exposure?**

Researchers noted that McGraw Hill was using AWS S3 buckets for storing data from their online education service since the exposed data belonged to the company’s online learning portal that was connected to the AWS account.

Researchers were certain that Amazon wasn’t responsible for the misconfigured database. After several failed attempts to bring the issue to the company’s notice, vpnMentor could contact them, and the sensitive files were removed from public exposure on 20 July.

The data exposure might have a far-reaching impact because users worldwide are affected by this exposure. However, it is unclear whether the servers were accessed by a **third party with malicious intent** or not.

Nevertheless, at the time of publishing this article, both exposed servers had been secured, thanks to vpnMentor’s non-stop alerts to concerned authorities.

1.  **AWS bucket exposed 421GB of Artwork Archive data**
2.  **350 million email addresses exposed in AWS S3 bucket**
3.  **S3 Cloud Bucket Exposed 100GB of Classified NSA Data**
4.  **Pegasus Airlines Leaked 6.5TB of Data in AWS S3 Bucket**
5.  **S3 bucket exposed 182GB of senior US, Canada citizens’ data**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Top American Online Ed Platform Leaks 22TB of Data

Recession fears notwithstanding, cybersecurity skills — both credentialed and noncredentialed — continue to attract higher pay and more job security.

Company executives continue to voice concerns that a recession is likely in 2023, but cybersecurity professionals — along with IT workers and developers with cybersecurity knowledge — appear well-positioned to weather an economic downturn, according to technology-job experts.

Overall, professional certifications have provided declining salary premiums since 2018, but information security certifications continue to command significantly above-average pay premiums, according to an analysis of more than 4,000 employers in the US and Canada by Foote Partners LLC. Cybersecurity-related skills — such as AWS Certified Security, GIAC Certified Incident Handler, and Okta Certified Developer — make up more than half of the "winner" skills, those that have attracted the most pay and have gained the most in market value.

Noncertified security skills — such as cryptography, DevSecOps, and risk analytics — also attract high premiums, says Bill Reynolds, research director at Foote Partners.

"Obviously, security skills and certs are still commanding cash premiums beyond salary at the 4,057 employers \[we surveyed\] in the US and Canada," he says. "That’s a pretty large sample for a survey, so it’s quite meaningful."

**Positioned to Withstand Recession?**

The robustness of the cybersecurity job market comes as company executives continue to worry about a recession in 2023. The vast majority of company executives (83%) expect a recession in 2023 — as do 82% of investors, according to another online survey — and about half of organizations are pre-emptively cutting expenses. In many cases, that means layoffs. In the cybersecurity industry, nearly a score of companies have cut workers in the last three months, according to tracking site Layoffs.fyi.

The fears of a downturn have even affected the valuations of startup companies in the cybersecurity industry.

Because of the difficulty in hiring and retaining knowledgeable cybersecurity workers, however, layoffs will likely come from less-technical groups, leaving knowledgeable cybersecurity workers. In fact, the majority of companies (60%) still planned to increase the head count of their IT departments as of July 2022, according to the _IT Spending and Staffing Benchmarks 2022/2023_ report published by Computer Economics.

"Expected growth is modest, but this is an indication that IT organizations cannot simply rely on increased efficiency from the cloud and virtualization for growth," the report stated. "Some hiring will still need to be done."

**Cybersecurity Skills Fetch a Premium**

Overall, cybersecurity workers remain in demand, with 770,000 positions currently unfilled, compared with a cybersecurity workforce of 1.1 million — a 69% shortfall in workers, according to data from the CyberSeek project. The gap between supply and demand is much greater than the 7.4% for the Businesses and Professional Services industry and the 6.9% gap in the Information sector, according to the US Bureau of Labor Statistics.

Workers with specific cybersecurity skills will continue to see opportunities, according to Foote Partners 2022 Tech Compensation Survey Reports. Ten of the 17 skills listed on the firm's IT Winners list, which includes skills that command an above-average premium and which have seen those premiums accelerate in the past few months, are security-related. The same criteria for noncertified IT skills show that 10 of 39 are security-related.

GIAC Certified Forensics Analyst (GCFA), InfoSys Security Engineering Professional, and Okta Certified Developers each have an average pay premium of 12% over base pay, according to Foote's data. For noncertification-based skills, security auditing, cryptography, and identity and access management each had an 18% premium over base pay.

What else is important? Soft skills, says Foote's Reynolds. A worker's ability to collaborate, deal with stress, manage time, have passion for the work, ability to listen, and include others all matter a great deal, he says.

These are "things that have nothing to do with certifications and this appears to be gaining in importance," he says.

**Avoid "Alphabet Soup" of Certifications**

Workers should take care to not collect certifications, as hiring managers and recruiters are wary of an alphabet soup of certifications on applicants' resumes, according to a recent Axios brief.

Foote's Reynolds agrees. Just because workers with a particular certificate get a pay premium isn't the right reason to get the certificate.

"It's like the argument of whether a college degree is mandatory for job consideration," he says. "Just because you have a college degree doesn't mean you're qualified for a particular job. It's more about what you've done with that college degree on the job. Tangible, measurable experience matters a lot."

Security Skills Command Premiums in Tight Market

<p>Across government, organizations have extended operations from the datacenter to multiple public clouds to the edge. Now they need to manage data and deliver intelligent capabilities across those environments. More than ever, they must achieve those goals with greater simplicity, consistency and availability, along with enhanced security of their IT operations.</p>

<p>These imperatives were the focus of <a href="https://www.redhat-govsymposium.com/program/">Red Hat Government Symposium 2022</a>, which

Across government, organizations have extended operations from the datacenter to multiple public clouds to the edge. Now they need to manage data and deliver intelligent capabilities across those environments. More than ever, they must achieve those goals with greater simplicity, consistency and availability, along with enhanced security of their IT operations.

These imperatives were the focus of Red Hat Government Symposium 2022, which convened on November 9 at the Waldorf Astoria in Washington, D.C. With an overarching theme of “Innovation Unleashed,” the one-day event packed in eight insightful keynotes and panels delivered by nearly 20 industry and government leaders, plus a half-dozen drill-down breakout sessions. As the day unfolded, the following themes emerged: 

**Deploying and scaling at the mission edge**

The modern battlespace involves satellites, drones and sensors that send and receive data at the extreme edge. Symposium attendees heard from Winston Beauchamp, deputy CIO of the Air Force, and Michelle Davis, director of DoD Solution Architects for Red Hat, about ways the military is using edge compute and data management to accelerate critical decisions and dominate the battlespace.

We also learned about deployment-ready edge technology from Mark Valcich, civilian general manager of Public Sector for Intel, and Dylan Conner, vice president and product manager for Archon. They described standards-based technology that’s enabling rapid edge implementations with stronger security capabilities today.

**Achieving automation and insights**

Machine learning (ML) and other forms of artificial intelligence (AI) are showing up in more places. Justin Taylor, vice president of AI for Lockheed Martin, and Chris Edillon, solution architect for Red Hat, described how intelligent technologies are transforming the capabilities of drones.

Conference-goers learned about other advanced analytics capabilities in a panel discussion by Jesus Caban, chief of Clinical Research Informatics at Walter Reed Medical Center, and Amanda Purnell, director of Data and Analytics Innovation for the Department of Veterans Affairs. These government leaders provided first hand stories of how AI and ML are helping agencies solve real-world, critical challenges.

**Building cyber-resilience**

Cybersecurity is now central to innovation. A multilayered defense can help stack the cyber-risk deck in your agency’s favor, noted panelists Ken Bailey, section chief of threat hunting for CISA; Jon Boyens, deputy chief of computer security for NIST; and Sandra López, CTO for Leidos. They shared insight into how organizations can build resilience into their networks and minimize downtime in the face of a breach.

**Quantifying quantum computing**

Finally, Vishnu Parasuraman, lead of the federal HCT OpenShift offering at IBM, and Michael Epley, chief architect, Public Sector, at Red Hat, explored the vast potential of quantum computing. Combining the results of quantum algorithms with classical computers can unleash a wealth of real-time data to support government missions. These innovations are moving within reach.

But those were only the highlights of Red Hat’s 13th-annual Government Symposium. Attendees also benefited from breakout sessions on real-time edge intelligence, enterprise integration, the future of government service delivery and more. They also heard real-world insights from agency leaders at the Coast Guard, FEMA and USPS, and from technology leaders at Accenture, AWS and KPMG.

Organizations can unleash innovation if they deploy the most effective technologies in the most effective ways. The Red Hat Government Symposium 2022 showed how agencies and their industry partners are doing just that. Couldn't make it to DC for Red Hat Government Symposium in-person? Join us online for the Best of Symposium keynotes and breakout sessions for free on demand.

Red Hat Government Symposium 2022: Unleashing innovation, powering missions

A comprehensive data privacy program requires involvement from all parts of the business that deal with personal data.

Most organizations are ill-equipped when it comes to meeting upcoming compliance standards for data privacy, according to a new CYTRIO report focused on GDPR and California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) Data Subject Access Request (DSAR) requirements.

However, the results also indicated that noncompliant companies are making progress moving up the compliance maturity curve by moving to automate processes.

A major stumbling block for nearly all organizations surveyed is the cost and complexity of data privacy management solutions.

Vijay Basani, CEO of CYTRIO, says the most concerning surveying finding was that 52% of respondents who said they need to comply with the CCPA and CPRA do not provide a mechanism for consumers to exercise their data privacy rights.

"This means more than half the companies are electing to ignore data privacy and do not feel they need to respect the rights of consumers and their customers," he says.

Organizations that are still using error-prone and time-consuming manual processes for GDPR and DSAR requirements could be doing so because they are receiving a very low volume (one to five per year) of data requests.

"This could be a function of consumers not being aware of their data rights, such as right to access, right to delete or do not sell my information, and lack of active enforcement and fines for noncompliance in the U.S.," Basani says.

Bryan Cunningham, advisory council member at Theon Technology, explains that many compliance programs are run mostly by lawyers or financial professionals ill-equipped to evaluate technology and often "somewhat luddite" in their adoption of new technology.

"They are also highly risk averse and, partly because of their lack of understanding, skeptical that automated processes can ensure compliance without manual, human supervision," he says.

In addition, highly performant, trustworthy, and affordable technologies to do this type of work are not yet readily available, despite many vendors working to develop and sell solutions.

**Privacy Management Solutions Complex, Costly**

Most first-generation data privacy management solutions offer effective workflow automation capabilities but do not provide automated data discovery capabilities, Basani says.

Data discovery and identifying all personal information (PI) data belonging to a specific individual is the most time-consuming task.

"A typical company will save bits and pieces of PI data in many data stores, including structured databases and unstructured data stores, such as SharePoint, Office 365, Mailchimp, AWS S3, and so on, as well as SaaS applications such as Salesforce, HubSpot, and Shopify," he explains.

Developing technology to discover PI data in structured, unstructured, and software-as-a-service (SaaS) applications is not easy and requires significant investment.

"Technology tools that do this are costly to procure and take time to deploy," Basani says. "It requires various data stakeholders to collaborate during deployment and to respond to a data request."

To effectively respond to data subject requests, the solutions need to have visibility across a broad variety and significant volume of data store types and cloud environments, according to Claude Mandy, chief evangelist of data security at Symmetry Systems.

"The permissions and integrations required for responding to these requests are a challenge of complexity and scale," he says.

Adding to the cost for most solutions is the fact that many organizations have taken a traditional SaaS approach, requiring them to index this data to the solution provider's only environment, driving up storage and network costs.

**Keys to Holistic Data Privacy Management**

From Basani's perspective, a holistic data privacy policy should include both outward-facing communication clearly informing consumers that their PI data is being collected, and educating internal users and partners about the need to respect privacy and comply with data privacy regulations.

"Discuss what PI data is being collected, obtain consent from the consumers, share how the data is used, shared, stored, and processed," he says. "A privacy policy should clearly state what specific rights a consumer has about their personal data collected by the company."

It should also provide an easy mechanism for a consumer to exercise their data privacy rights, such as right to access or delete their information.

Stakeholders include legal and compliance teams, data owners, data processors, and data users in an organization.

Symmetry Systems' Mandy says a holistic data privacy policy should always start with an accurate and precise understanding of the personal information that an organization collects, uses, stores, and shares.

"It's only from an accurate understanding of information that organizations can reliably and transparently create a data privacy policy that reflects their actual practices," he says.

Refining the policy from the actual practice to desired state will require involvement from general counsel, security, privacy, and data teams.

"Most important are business stakeholders, who can describe how the personal information is used and why it is necessary," Mandy adds.

**Compliance Requirements Likely to Grow in 2023**

The CYTRIO report comes as a growing number of states weigh their own privacy legislation, following moves by California, Colorado, Virginia, and, most recently, Utah.

"We should expect data privacy compliance to continue to move forward in several states in 2023," Basani says.

He notes that as enforcement begins in several states, in addition to CPRA going to effect on Jan. 1, 2023, there will be enhanced consumer education about their data privacy rights.

"As CPPA turns its attention to CPRA enforcement with significantly more resources, we expect a meaningful increase in CPRA enforcement action and fines under CCPA/CPRA," he says.

Increased numbers of CCPA/CPRA fines and media coverage will result in greater consumer education about their data privacy rights, Basani adds.

"We saw this happen under GDPR in Europe, and we will see this happen with CCPA/CPRA," he says. "Employees’ rights to data privacy under CPRA should also increase the number of complaints and potential fines for noncompliance under CPRA."

As more states develop their own flavor of state privacy laws, the privacy landscape will continue to become more complex, adds Mandy Pote, managing principal of strategy, privacy, and risk at Coalfire.

"Organizations may find it difficult to keep up with new requirements – understanding applicability and determining reporting requirements," she says.

From her perspective, the best solution is to adopt a comprehensive data privacy program with the objective of implementing the most stringent set of privacy control requirements such that they follow current and future privacy laws.

"Rather than applying this program to certain systems or a certain subset of data, privacy should be blanketly implemented across the organization to ensure proper coverage," she notes.

Organizations Unprepared for Upcoming Data Privacy Regulations

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

John Leyden 16 December 2022 at 17:43 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Our second web security roundup begins with news that a brace of network security flaws in products from Fortinet and Citrix have each come under active attack.

These attacks were respectively enabled by memory corruption vulnerabilities in the FortiOS SSL-VPN as well as a critical arbitrary code execution risk in Citrix ADC and Citrix Gateway (CVE-2022-27518). It’s unclear whether these assaults are linked, but their occurrence can still be said to underline the importance of patching SSL VPN devices, which have previously been vectors for pushing ransomware onto enterprise networks, among other attacks.

Uber this week suffered a data breach as a result of a cybersecurity incident at a third-party vendor, resulting in the exposure of employees’ personal information. The incident represents only the latest security breach to impact the ride-hailing app firm, which was previously faulted for the delayed disclosure of a 2016 breach that exposed the account records of customers and drivers. More recently, back in September, Uber’s internal IT systems were breached by a social engineering attack.

Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of floor prices of non-fungible token (NFT) collections and how attacks focused on business dynamics have the potential to wreak havoc on marketplaces. Dhanjani also spoke about off-chain and on-chain sync algorithms, and how the disparities between the two blockchain-related environments can be abused.

I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert said the industry’s fixation on zero-day vulnerabilities was only a partial solution to making the internet fundamentally secure. We also covered some of the top hacking tools from the event.

Among other stories on The Daily Swig in recent days was an Akamai WAF bypass via Spring Boot, SQL injection payloads being smuggled past WAFs, and a crypto maintainer rejecting a bogus cryptocurrency ‘vulnerability’ submitted with the help of ChatGPT.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   Apache CXF / Critical / SSRF (server-side request forgery) vulnerability in parsing the href attribute of XOP / Disclosed with patch, December 13
*   Grails Spring Security Core plugin / CVE-2022-41923 / Critical / “Vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint” / Disclosed with patch, November 22
*   Microsoft .NET / CVE-2022-41089 / Critical / “Malicious actor could cause a user to run arbitrary code as a result of parsing maliciously crafted xps files” / Disclosed with a patch, December 13
*   Ping / CVE-2022-23093 / Memory-handling vulnerability involving networking protocol implementation by FreeBSD prompted its developers to test their own software, which unearthed a flaw in OpenBSD’s implementation of Ping that dates back to software changes introduced 24 years ago
*   Planet eStream / Critical / Vulnerabilities in video platform geared towards online learning enable attackers to take over user accounts with administrative privileges and execute arbitrary JavaScript code, among other attacks / Vendor has released software updates

**Research and attack techniques**

*   A researcher documented how it’s possible to exploit misconfigurations in cross-origin resource sharing (CORS) – a mechanism to control access to restricted website resources from external domains – to run various attacks. CORS misconfiguration issues have historically been downplayed but can seemingly be exploited to bypass CSRF protections or run cross-site tracking (XST) attacks.
*   Lightspin uncovered a serious flaw in an AWS-hosted service that allows software developers to find and share public container images. Attackers could potentially delete all images in the AWS Elastic Container Registry (ECR) Public Gallery or update image contents to inject malicious code, prompting AWS to resolve the problem within a day of its disclosure.
*   A series of flaws in three popular applications that allows an Android device to be used as a remote keyboard and mouse were exposed by Synopsys Cybersecurity Research Center (CyRC) The authentication, authorization, and insecure communication flaws potentially opened up attacks including keystroke sniffing.
*   Supposedly ‘air-gapped’ networks without direct access to the internet often require DNS services in order to resolve a company’s internal DNS records – a weakness potential hackers might be able to exploit, as a blog post by Pentera explains.
*   SALT Labs used a LEGO\-run site as a testbed to illustrate the general risk posed by API security issues. Researchers uncovered a variety of API-related security issues in LEGO’s Brick Lane, including a potential vector to internal production data and systems or manipulating users into surrendering control of their accounts.

LEGO reportedly fixed a number of API security issues found by SALT Labs

**Bug bounty / vulnerability disclosure**

*   HackerOne revealed that cloud-based vulnerabilities account for a growing proportion of vulnerabilities reported by bug bounty hunters, now totalling 65,000 in 2022, a year-on-year rise of 21%.
*   A security researcher who discovered a means to achieve unauthorized access to resumes stored on LinkedIn may have been left underwhelmed by the $5,000 bounty he received for his find, given the potential impact of the issue on users of the Microsoft-owned business-focused social network. An Insecure Direct Object Reference (IDOR) security vulnerability, inadvertently introduced in October 2022, could have allowed recruiters and perhaps more unsavoury parties to download resumes without permission.
*   Swedish video surveillance giant Axis Communications has launched a private bug bounty program with Bugcrowd.

**New open source infosec/hacking tools**

*   Node Security Shield – a defensive tool that takes an allow-listing approach to protecting zero-day protection for NodeJS applications. The tool was inspired by the infamous Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework.
*   Invoke-DNSteal – allows pen testers to perform file transfers using the DNS protocol as a covert communications channel.
*   Kubeshark – API Traffic Viewer for Kubernetes, providing “deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster”

**For devs**

*   Google has announced a free-of-charge scanner that allows open source developers to check their software projects for vulnerable dependencies. The tool – called OSV-Scanner – builds on Google’s work in developing an open source vulnerability database.
*   OWASP, best known for its ‘Top 10 Web Application Security Risks’ framework, is backing the creation of a similar scheme to index classes of security risks in the world of AppSec and DevSecOps. The Top 10 CI/CD Security Risks taxonomy aims to catalogue risks in the CI/CD pipeline. “Insufficient Flow Control Mechanisms” topped the nascent list.
*   The SHA-1 cryptographic algorithm, in use since 1995, has reached the end of its useful life, announced the National Institute of Standards and Technology (NIST), which says the federal government should phase out its use by 2030.
*   Research from Endor Labs found that the vast majority (95%) of all vulnerabilities are “found in transitive dependencies – open source code packages that are not selected by developers, but indirectly pulled into projects”.

**For fun**

ChatGPT – the artificial intelligence chat tool from OpenAI – is the hottest thing in infosec-focused social media circles just now. Rather than suggesting possible vulnerabilities in code we wondered what ChatGPT could conjure when asked to write lyrics for a song about SQL injection in the style of the late David Bowie.

The results were more than satisfactory:

In the realm of computers, where data flows like a stream  
There are those that seek to exploit and cause us all to scream  
They are the hackers, the codebreakers, the malicious ones  
And among their favorite trick is the art of SQL injection

Chorus:

SQL injection, SQL injection  
A dangerous game, a digital infection  
SQL injection, SQL injection  
Beware of the hackers and their devious invention

To paraphrase the great man himself, I still don’t know what I was waiting for... but it definitely wasn’t this.

RECOMMENDED Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat 

Red Hat Security Advisory 2022-8893-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.20.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.11.20 security update  
Advisory ID:       RHSA-2022:8893-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8893  
Issue date:        2022-12-15  
CVE Names:         CVE-2021-22570 CVE-2022-1158 CVE-2022-2639  
                   CVE-2022-24302 CVE-2022-27191 CVE-2022-42010  
                   CVE-2022-42011 CVE-2022-42012 CVE-2022-42898  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.11.20 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.11.20. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2022:8892

Security Fix(es):

* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)listed in the References section.

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures.

The image digests may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags  
The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:e86e058f7f66a687e273792f2e4ec70f3cc43ec9d2894bebee5caf5c4d4851a3

(For s390x architecture)  
The image digest is  
sha256:bab321a15615e824998f6b92e7df094761f4b8ca8417ca0efd669ef942981f2f

(For ppc64le architecture)  
The image digest is  
sha256:6c50689588e33ec4def2b8445e12def6ae79ff61d86145dbea0d27e4f5ad02b7

(For aarch64 architecture)  
The image digest is  
sha256:dcdbb16f5cab5fce07a7ad64aac8fa61aff640af6a039977c360de0cceb18017

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server  
2090914 - OCP RHEL 8 worker node fails to reboot during upgrade playbook run

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-2554 - ingress, authentication and console operator goes to degraded after switching default application router scope  
OCPBUGS-2970 - [2116547] phyc2sys config will be automatically added to ptpconfigs even if it is not included in user PGT  
OCPBUGS-3015 - Minor test fixes related to getting updated profile and checking kubeletconfiguration  
OCPBUGS-3023 - GCP: missing multiple regions  
OCPBUGS-3049 - [release-4.11] openshift-ingress-operator with mTLS does not download CRL  
OCPBUGS-3478 - [4.11] Baremetal Provisioning fails on HP Gen9 systems due to eTag handling  
OCPBUGS-3819 - Origin tests for bonds - 4.11 backport  
OCPBUGS-3852 - [4.11][Dual Stack] ovn-ipsec crashlooping due to cert signing issues  
OCPBUGS-3908 - [4.11] OVN-Kubernetes should not send IPs with leading zeros to OVN  
OCPBUGS-4137 - [4.11] Ipsec pods restart due to liveness probes fail in cluster with more than 150 +  
OCPBUGS-4163 - [release-4.11] The last egressIP in IP capacity cannot be applied correctly  
OCPBUGS-4167 - [Azure] Some cloudprivateipconfig IP is error status  
OCPBUGS-4179 - [release-4.11] Fix assign error display for cloudprivateipconfig  
OCPBUGS-4233 - Updating ose-cloud-network-config-controller images to be consistent with ART  
OCPBUGS-4294 - Backport to 4.11 specify resources.requests for operator pod  
OCPBUGS-4325 - [gcp] when the optional Service Usage API is disabled, IPI installation cannot succeed  
OCPBUGS-4398 -  CVE-2022-27191 ose-installer-container: golang: crash in a golang.org/x/crypto/ssh server [openshift-4]  
OCPBUGS-4410 - [4.13] Improve ironic logging configuration in metal3  
OCPBUGS-4528 - Disconnected Openshift cluster on AWS having problem with manual egress IP assignment  
OCPBUGS-4532 - CSR are generated with incorrect Subject Alternate Names

6. References:

https://access.redhat.com/security/cve/CVE-2021-22570  
https://access.redhat.com/security/cve/CVE-2022-1158  
https://access.redhat.com/security/cve/CVE-2022-2639  
https://access.redhat.com/security/cve/CVE-2022-24302  
https://access.redhat.com/security/cve/CVE-2022-27191  
https://access.redhat.com/security/cve/CVE-2022-42010  
https://access.redhat.com/security/cve/CVE-2022-42011  
https://access.redhat.com/security/cve/CVE-2022-42012  
https://access.redhat.com/security/cve/CVE-2022-42898  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5uhG9zjgjWX9erEAQjTMg/8CKbkSiBW4yyJgW17d2iZVpf2RQ1CBfgd  
EkCwPcL0tvfFY0KU8DMkOJehvX5bS6jEl27h3r6OAj2TuQFAy7aYma7C1fQgQX2q  
jxI5A7Zc1xcjEuaSwGwS8/4l2aMFlBgt7iPcv5FBNLTLfTjhQAbh3a+jYsRqM5D0  
Z4xNmc0xXR/4FXJ0qg0Flxom5NX4fB9mUQyNtbO5Gcus4ritNeKsfgKT9V9eOJm7  
0SBYXOXhN3iwn+prGiOSTIG4QYm9oUih+cdqz7hk7Nm+WbCytmkQw3JRIrDtHcd5  
IcNSyYfZDxNSdEgi6uWMXhroa53FJA9ZRnpWMYGG1uuDp8kgEDEgu5osTbx0zZlb  
82wf3TXjgPj6/4BjgpW4pB2fTNbAPc/FY4oGtBcsY7lo6B62vmSfFJ3HitdohB2S  
YRvzTA/ypOKMR7UdNM1UX3nOswN3jytzzUpRzJF31BKUDyHAo0EbXSJRO5RZKggT  
gFakEHu7dcozCDTH8O+74ax5yUQ00Y9gmIsoe/zgt5ycLqB852tOwdCgpICrY3Ot  
HVamgD2FXpKSDExwoougXAVCPHxDoGJ+Myey1atKTZt/YKpnR0hjF79K5eX3RCkx  
2rQ7uQ5XwAb4hv9n5pEsh7LAoWnAMkwamITWIQFXoJXDfHy6yAh/mI8tH/p94HRK  
hje0BLZLdSE=Rw38  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#aws