Red Hat Security Advisory 2024-8455-03 - An update for edk2 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8455.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: edk2 security updateAdvisory ID:        RHSA-2024:8455-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8455Issue date:         2024-10-24Revision:           03CVE Names:          CVE-2023-45235====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message (CVE-2023-45235)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45235References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2258700

Red Hat Security Advisory 2024-8455-03

Red Hat Security Advisory 2024-8449-03 - An update for edk2 is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8449.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: edk2 security updateAdvisory ID:        RHSA-2024:8449-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8449Issue date:         2024-10-24Revision:           03CVE Names:          CVE-2023-45235====================================================================Summary: An update for edk2 is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es):* edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message (CVE-2023-45235)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45235References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2258700

Red Hat Security Advisory 2024-8449-03

The software development kit will simplify building and testing of CHERI-enabled RISC-V applications.

Source: Mentor58 via Alamy Stock Photo

German processor design company Codasip has donated its latest RISC-V software development kit to chip security consortium CHERI Alliance to help developers add memory safety to chips.

RISC-V is an instruction set architecture (ISA) that allows developers and manufacturers to personalize silicon chips with capabilities to meet their needs, such as for use in smartphones, space technologies, industrial applications, and automotive technologies, to name a few. RISV-V is open and free to license, so anyone can design, manufacture, and sell RISC-V chips and software.

CHERI (Capability Hardware Enhanced RISC Instructions) extends ISA to manage memory access control to prevent common vulnerabilities, such as buffer overflows and memory corruption. The method involves isolating the hardware and software so that adversaries cannot inject attack code into memory. The CHERI Alliance is an industry consortium focused on promoting the development and adoption of security technologies that protect data stored in hardware memory.

Developers need access to tools and packages that are available for CHERI — this is what the SDK that Codasip built and donated to the CHERI Alliance offers. The compiler is capable of generating the modified instructions. Anyone implementing CHERI on RISC-V chips can access the SDK, which is freely available on GitHub.

The SDK includes:

*   C/C++ compiler and toolchain based on LLVM17
    

*   QEMU open source emulator
    
*   OpenSBI implementation of the RISC-V Supervisor Binary Interface
    

*   Yocto build system for Linux
    
*   Basic user space environment based on Busybox
    

"As more organizations and governments discover the potential of the CHERI technology to protect us, we need to speed up the pace of making the technology available in real systems," Codasip CEO Ron Black said in a statement. "We have made a massive effort to implement a full Linux-capable SDK that we are now opening for everyone to use."

**About the Author**

Codasip Donates Tools to Develop Memory-Safe Chips

This Metasploit module uses a combination of an arbitrary file read (CVE-2024-34102) and a buffer overflow in glibc (CVE-2024-2961). It allows for unauthenticated remote code execution on various versions of Magento and Adobe Commerce (and earlier versions if the PHP and glibc versions are also vulnerable). Versions affected include 2.4.7 and earlier, 2.4.6-p5 and earlier, 2.4.5-p7 and earlier, and 2.4.4-p8 and earlier.

Magento / Adobe Commerce Remote Code Execution

Red Hat Security Advisory 2024-8116-03 - An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8116.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: java-1.8.0-openjdk security update  
Advisory ID:        RHSA-2024:8116-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8116  
Issue date:         2024-10-17  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)

* JDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* JDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)

* JDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)

* JDK: Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534  
https://issues.redhat.com/browse/RHEL-62293

Red Hat Security Advisory 2024-8116-03

Red Hat Security Advisory 2024-8129-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8129.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenJDK 21.0.5 Security Update for Windows Builds  
Advisory ID:        RHSA-2024:8129-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8129  
Issue date:         2024-10-17  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 21 packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 21 (21.0.5) for Windows serves as a replacement for the Red Hat build of OpenJDK 21 (21.0.4) and includes security and bug fixes. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)

* OpenJDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* OpenJDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)

* OpenJDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)

* OpenJDK:  Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534

Red Hat Security Advisory 2024-8129-03

Red Hat Security Advisory 2024-8128-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8128.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenJDK 21.0.5 Security Update for Portable Linux Builds  
Advisory ID:        RHSA-2024:8128-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8128  
Issue date:         2024-10-17  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 21 packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 21 (21.0.5) for portable Linux serves as a replacement for the Red Hat build of OpenJDK 21 (21.0.4) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function  
(CVE-2023-48161)

* OpenJDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* OpenJDK: HTTP client improper handling of maxHeaderSize (8328286)  
(CVE-2024-21208)

* OpenJDK: Unbounded allocation leads to out-of-memory error (8331446)  
(CVE-2024-21217)

* OpenJDK:  Integer conversion error leads to incorrect range check (8332644)  
(CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534

Red Hat Security Advisory 2024-8128-03

Red Hat Security Advisory 2024-8127-03 - An update for java-21-openjdk is now available for Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8127.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: java-21-openjdk security update  
Advisory ID:        RHSA-2024:8127-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8127  
Issue date:         2024-10-17  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update for java-21-openjdk is now available for Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 21 runtime environment.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)

* JDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* JDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)

* JDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)

* JDK: Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534

Red Hat Security Advisory 2024-8127-03

Red Hat Security Advisory 2024-8126-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8126.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenJDK 17.0.13 Security Update for Windows Builds  
Advisory ID:        RHSA-2024:8126-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8126  
Issue date:         2024-10-17  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 17 (17.0.13) for Windows serves as a replacement for the Red Hat build of OpenJDK 17 (17.0.12) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function (CVE-2023-48161)

* OpenJDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* OpenJDK: HTTP client improper handling of maxHeaderSize (8328286) (CVE-2024-21208)

* OpenJDK: Unbounded allocation leads to out-of-memory error (8331446) (CVE-2024-21217)

* OpenJDK:  Integer conversion error leads to incorrect range check (8332644) (CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534

Red Hat Security Advisory 2024-8126-03

Red Hat Security Advisory 2024-8125-03 - An update is now available for OpenJDK. Issues addressed include buffer overflow and integer overflow vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8125.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenJDK 17.0.13 Security Update for Portable Linux Builds  
Advisory ID:        RHSA-2024:8125-03  
Product:            OpenJDK  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8125  
Issue date:         2024-10-17  
Revision:           03  
CVE Names:          CVE-2023-48161  
====================================================================

Summary: 

An update is now available for OpenJDK.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The OpenJDK 17 packages provide the OpenJDK 17 Java Runtime Environment and the OpenJDK 17 Java Software Development Kit.

This release of the Red Hat build of OpenJDK 17 (17.0.13) for portable Linux serves as a replacement for the Red Hat build of OpenJDK 17 (17.0.12) and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* giflib: Heap-Buffer Overflow during Image Saving in DumpScreen2RGB Function  
(CVE-2023-48161)

* OpenJDK: Array indexing integer overflow (8328544) (CVE-2024-21210)

* OpenJDK: HTTP client improper handling of maxHeaderSize (8328286)  
(CVE-2024-21208)

* OpenJDK: Unbounded allocation leads to out-of-memory error (8331446)  
(CVE-2024-21217)

* OpenJDK:  Integer conversion error leads to incorrect range check (8332644)  
(CVE-2024-21235)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-48161

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2251025  
https://bugzilla.redhat.com/show_bug.cgi?id=2318524  
https://bugzilla.redhat.com/show_bug.cgi?id=2318526  
https://bugzilla.redhat.com/show_bug.cgi?id=2318530  
https://bugzilla.redhat.com/show_bug.cgi?id=2318534

Tag

#buffer_overflow