Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML files may cause a denial-of-service (DoS) condition.

**Remarshal expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack**

Moderate severity GitHub Reviewed Published Nov 13, 2023 to the GitHub Advisory Database • Updated Nov 14, 2023

GHSA-gw7g-qr8w-3448: Remarshal expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-47163: Release v0.17.1 · remarshal-project/remarshal

IBM QRadar SIEM 7.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  267484.

**Security Bulletin**

  

**Summary**

IBM QRadar SIEM includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. Additionally, a cross site scripting issue was found. These have been addressed in the update.

**Vulnerability Details**

**CVEID:**   CVE-2020-22218  
**DESCRIPTION:**   libssh2 is vulnerable to a denial of service, caused by an out-of-bounds read in the \_libssh2\_packet\_add function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266252 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-20593  
**DESCRIPTION:**   AMD Ryzen, Gen AMD EPYC Processors could allow a local authenticated attacker to obtain sensitive information, caused by a use-after-free flaw in the vzeroupper instruction. By conducting a cache timing attack using a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive data used by other processes, such as passwords and encryption keys, at a rate of 30KB/sec from each CPU core.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261343 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

**CVEID:**   CVE-2023-35788  
**DESCRIPTION:**   Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by an off-by-one flaw in the fl\_set\_geneve\_opt fucntion. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges or cause a denial of service condition.  
CVSS Base score: 7.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257458 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-44730  
**DESCRIPTION:**   Apache Batik is vulnerable to server-side request forgery, caused by improper input validation. By persuading a victim to open specially crafted SVG file, an attacker could exploit this vulnerability to conduct SSRF attack to probe user profile/data and send it directly as parameter to a URL.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264130 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-44729  
**DESCRIPTION:**   Apache Batik is vulnerable to server-side request forgery, caused by improper input validation. By persuading a victim to open specially crafted SVG file, an attacker could exploit this vulnerability to conduct SSRF attack to cause resource consumption and obtain sensitive information.  
CVSS Base score: 7.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264129 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)

**CVEID:**   CVE-2023-20900  
**DESCRIPTION:**   VMware Tools could allow a remote attacker to bypass security restrictions, caused by improper SAML token signature verification. By utilize man-in-the-middle attack techniques, an attacker could exploit this vulnerability to perform VMware Tools Guest Operations  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264792 for the current score.  
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-3341  
**DESCRIPTION:**   ISC BIND is vulnerable to a denial of service, caused by a stack exhaustion flaw in control channel code. By sending a specially crafted message over the control channel, a remote attacker could exploit this vulnerability to cause named to terminate.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266515 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-3899  
**DESCRIPTION:**   Red Hat Enterprise Linux could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper authorization by the subscription-manager. By sending a specially crafted request through D-Bus interface com.redhat.RHSM1, an authenticated attacker could exploit this vulnerability to gain elevated privileges to an unconfined root.  
CVSS Base score: 7.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264328 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-43057  
**DESCRIPTION:**   IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 4.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/267484 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM QRadar SIEM

7.5 - 7.5.0 UP7

**Remediation/Fixes**

**IBM strongly encourages customers to update their systems promptly.**

**Product**

**Version**

**Remediation/First Fix**

IBM QRadar SIEM

7.5.0 

7.5.0 UP7 IF02

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

10 Nov 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"7.5.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2023-43057: Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities

Plus: A DDoS attack shuts down ChatGPT, Lockbit shuts down a bank, and a communications breakdown between politicians and Big Tech.

Drones, hidden cameras, thermal vision scopes—these are just a few examples of the high-tech equipment recommended by the animal liberation group Direct Action Everywhere, according to a manual released by the organization this week. The document, which was reviewed by WIRED, is a rare glimpse into how the organization is using tech to target factory farms in often brazen operations that have rescued pigs, goats, ducks, and chickens.

Extremist groups are experimenting with generative AI to flood social media with propaganda and misinformation, researchers at Tech Against Terrorism have told WIRED. A new report from the group details how, in recent months, terrorists and other extremist organizations have been using artificial intelligence to manipulate imagery and thwart content moderation. As platforms have struggled to keep up with this flood of extremist content, a new tool called Altitude, built in collaboration between Tech Against Terrorism and Google, is seeking to address the problem. The tool centralizes the collection of verified terrorist content, allowing companies to easily vet posts shared to their platforms.

Israel is exacerbating the humanitarian catastrophe in Gaza by likely imposing devastating internet blackouts in the region. Last week, Israel reportedly imposed a full internet shutdown in the area as its troops moved into the Gaza Strip. After internet access was restored, the area suffered two additional connectivity blackouts. The most recent lasted for about 15 hours on Sunday as Israel was carrying out an intense operation to cut off Gaza City in the north from southern Gaza.

In other infrastructure news, a report from the ​​cybersecurity firm Mandiant reveals that last year, the Russian military intelligence agency known as Sandworm carried out a power grid attack targeting a Ukrainian electric utility causing a blackout for Ukrainian civilians. According to the report, the cyberattack coincided with the start of a series of missile strikes targeting Ukrainian critical infrastructure across the country.

The third GOP presidential primary debate was livestreamed on Rumble, a YouTube alternative home to what the Southern Poverty Law Center says is one of America’s most notorious white nationalists, Nick Fuentes. Since the outbreak of the Israel-Hamas conflict last month, Fuentes has used his Rumble channel to push antisemitic hate speech and Holocaust denial conspiracies, racking up hundreds of thousands of views. Fuentes’ YouTube account was terminated in 2020 after Google demonetized it.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there

On Wednesday, you and everyone you know had trouble getting ChatGPT to ghostwrite their emails as developer OpenAI was hit by what it thought was a distributed denial-of-service attack. For nearly two hours, users who tried to access the chatbot were greeted with a message telling them “ChatGPT is at capacity right now.”

In a tweet, OpenAI CEO Sam Altman initially blamed its outage on a surge in interest in the platform's new features. By Wednesday night the company announced that the periodic outages were due to an “abnormal traffic pattern reflective of a DDoS attack.”

While it’s unclear who is behind the attack, a group known as Anonymous Sudan claimed responsibility on Wednesday, posting on Telegram that it had targeted OpenAI for "general biases towards Israel and against Palestine." OpenAI has since resolved the issue.

The US arm of the Industrial and Commercial Bank of China was hit by a ransomware attack that disrupted trades in the US Treasury market on Thursday. The bank appears to be the latest victim of the prolific ransomware gang known as Lockbit. According to the US Cybersecurity and Infrastructure Security Agency, Lockbit has hit 1,700 US organizations since 2020 and extorted more than $100 million in ransom demands. Last month it threatened Boeing with a leak of sensitive data.

"ICBC has been closely monitoring the matter and has done its best in emergency response and supervisory communication," China's foreign ministry spokesperson Wang Wenbin said at a press conference.

Signal is beta testing usernames that will allow people to communicate using the encrypted service without exchanging phone numbers, further enhancing the app's privacy applications. The feature will go live in early 2024.

Support for usernames is a major step for the messaging service as Signal has apparently been working on the feature for years. Though accounts will still need to be associated with a phone number at setup, the introduction of usernames will allow users to connect without having to share it.

Cooperation between government, researchers, and tech companies aimed at countering disinformation online is evaporating thanks to a sustained campaign by US Republicans in the press, courts, and on Capitol Hill. Tech employees tell NBC the FBI has halted communications with social media firms about foreign influence campaigns, a move the FBI director attributed to a September ruling in the country's most conservative appellate court forbidding the government from "significantly" encouraging social media companies to remove misinformation.

“We’re having some interaction with social media companies,” FBI director Christopher Wray said in testimony last week to the Senate Homeland Security Committee. “But all of those interactions have changed fundamentally in the wake of the court rulings.”

According to NBC, all the FBI’s interactions with tech platforms now have to be supervised by Justice Department lawyers.

Signal Is Finally Testing Usernames

Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.

CVE-2023-46849

Attacker can perform a Denial of Service attack to crash the ICAS 3 IVI ECU in a Volkswagen ID.3 (and other vehicles of the VW Group with the same hardware) and spoof volume setting commands to irreversibly turn on audio volume to maximum via REST API calls.


**Vulnerabilities in Volkswagen in-vehicle infotainment systems**

Attacker can perform a Denial of Service attack to crash the ICAS 3 IVI ECU in a Volkswagen ID.3 (and other vehicles of the VW Group with the same hardware) and spoof volume setting commands to irreversibly turn on audio volume to maximum via REST API calls.

**Demo Video Volume Manipulation**

**Demo Video IVI DoS**

CVE Record: https://nvd.nist.gov/vuln/detail/CVE-2023-6073

Discovered by Hannah Wieser, Jannis Hamborg, Timm Lauser, Thomas Schäfer, Christoph Krauß at the DEPARTMENT OF COMPUTER SCIENCE at h\_da Hochschule Darmstadt.

CVE-2023-6073: CVE-2023-6073: DoS and Control of Volume Settings for VW ID.3 ICAS3 IVI ECU - Automotive Security Research Group

IBM AIX's 7.3 Python implementation could allow a non-privileged local user to exploit a vulnerability to cause a denial of service.  IBM X-Force ID:  267965.

CVE-2023-45167

HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-5954

**HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability**

Moderate severity GitHub Reviewed Published Nov 9, 2023 to the GitHub Advisory Database • Updated Nov 10, 2023

**Package**

gomod github.com/hashicorp/vault (Go)

**Affected versions**

< 1.13.10

\>= 1.14.0, < 1.14.6

\>= 1.15.0, < 1.15.2

**Patched versions**

1.13.10

1.14.6

1.15.2

**Description**

Published to the GitHub Advisory Database

Nov 9, 2023

Last updated

Nov 10, 2023

GHSA-4qhc-v8r6-8vwm: HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability

CVE-2023-5954: HCSEC-2023-33 - Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption

A race condition was found in the QXL driver in the Linux kernel. The qxl_mode_dumb_create() function dereferences the qobj returned by the qxl_gem_object_create_with_handle(), but the handle is the only one holding a reference to it. This flaw allows an attacker to guess the returned handle value and trigger a use-after-free issue, potentially leading to a denial of service or privilege escalation.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

Tag

#dos