#dos

Red Hat Security Advisory 2024-1318-03 - An update is now available for Red Hat JBoss Web Server 5.7.8 on Red Hat Enterprise Linux versions 7, 8, and 9. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.

Red Hat Security Advisory 2024-0722-03 - An update is now available for Red Hat build of Quarkus. Issues addressed include a denial of service vulnerability.

Ubuntu Security Notice 6700-1 - It was discovered that the Layer 2 Tunneling Protocol implementation in the Linux kernel contained a race condition when releasing PPPoL2TP sockets in certain conditions, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that the ext4 file system implementation in the Linux kernel did not properly handle block device modification while it is mounted. A privileged attacker could use this to cause a denial of service or possibly expose sensitive information.

Ubuntu Security Notice 6699-1 - Reima Ishii discovered that the nested KVM implementation for Intel x86 processors in the Linux kernel did not properly validate control registers in certain situations. An attacker in a guest VM could use this to cause a denial of service. It was discovered that the Quick Fair Queueing scheduler implementation in the Linux kernel did not properly handle network packets in certain conditions, leading to a use after free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

### Impact All historical installations of django-wiki are vulnerable to maliciously crafted article content, that can cause severe use of server CPU through a regular expression loop. ### Patches ### Workarounds Close off access to create and edit articles by anonymous users. ### References _Are there any links users can visit to find out more?_

### Summary An attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment. ### Details The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes. The core issue is located in [expireOldFailedAttempts](https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311) function: ```go func expireOldFailedAttempts(maxAge time.Duration, failures *map[string]LoginAttempts) int { expiredCount := 0 for key, attempt := range *failures { if time.Since(attempt.LastFailed) > maxAge*time.Sec...

### Summary An attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This makes the application susceptible to brute force attacks, compromising the security of all user accounts. ### Details The issue arises from two main vulnerabilities: 1. The application crashes due to a previously described DoS vulnerability caused by unsafe array modifications in a multi-threaded environment. 2. The application saves the data of failed login attempts in-memory, without persistent storage. When the application crashes and restarts, this data is lost, resetting the brute force protections. ```go // LoginAttempts is a timestamped counter for failed login attempts type LoginAttempts struct { // Time of the last failed login LastFailed time.Time `json:"lastFailed"` // Number of consecutive login failures FailCount int `json:"failCount"` } ``` By chainin...

Ubuntu Security Notice 6696-1 - Yi Yang discovered that the Hotspot component of OpenJDK 8 incorrectly handled array accesses in the C1 compiler. An attacker could possibly use this issue to cause a denial of service, execute arbitrary code or bypass Java sandbox restrictions. It was discovered that the Hotspot component of OpenJDK 8 did not properly verify bytecode in certain situations. An attacker could possibly use this issue to bypass Java sandbox restrictions.

By Waqas Cyber Warfare Takes Flight: Geopolitics Fuel Attacks on Airlines - Dark Web Tool Aims at E-commerce! This is a post from HackRead.com Read the original post: Dark Web Tool Arms Ransomware Gangs: E-commerce & Aviation Industries Targeted