Red Hat Security Advisory 2023-6021-01 - An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6021.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: varnish:6 security updateAdvisory ID:        RHSA-2023:6021-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6021Issue date:         2023-10-27Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6021-01

An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.

CVE-2022-34832: XXE in AgileReporter 21.3 by VERMEG

Denial of Service in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA Virtual Server

CTX579459

{{tooltipText}}

Security Bulletin | Severity: Critical | {{likeCount}} found this helpful | Created: {{articleFormattedCreatedDate}} | Modified: {{articleFormattedModifiedDate}} | Status: Final

**Description of Problem**

Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

Affected Versions: 

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

*   NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
*   NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
*   NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
*   NetScaler ADC 13.1-FIPS before 13.1-37.164
*   NetScaler ADC 12.1-FIPS before 12.1-55.300
*   NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable.

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Summary: 

NetScaler ADC and NetScaler Gateway contain unauthenticated buffer-related vulnerabilities mentioned below 

CVE ID

Description

Pre-requisites

CWE

CVSS

CVE-2023-4966

Sensitive information disclosure

Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

Improper Restriction of Operations within the Bounds of a Memory BufferCWE-119

9.4

CVE-2023-4967

Denial of service

Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

Improper Restriction of Operations within the Bounds of a Memory BufferCWE-119

8.2

**Mitigating Factors**

None.

**What Customers Should Do**

**Exploits of CVE-2023-4966 on unmitigated appliances have been observed.** Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible: 

*   NetScaler ADC and NetScaler Gateway 14.1-8.50  and later releases
*   NetScaler ADC and NetScaler Gateway  13.1-49.15  and later releases of 13.1
*   NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0  
*   NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS  
*   NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS  
*   NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP 

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

Cloud Software Group has also published a related blog at https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/ which contains a further context.

**What Citrix is Doing**

Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.

**Obtaining Support on This Issue**

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.

**Subscribe to Receive Alerts**

Citrix strongly recommends that all customers subscribe to receive alerts when a Citrix security bulletin is created or modified at https://support.citrix.com/user/alerts.

**Reporting Security Vulnerabilities to Citrix**

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document directly from the Citrix Knowledge Center.

**Changelog**

2023-10-10 T 16:00:00Z

Initial Publication

2023-10-17 T 16:00:00Z

Inclusion of information related to the exploitation of CVE-2023-4966

2023-10-23 T 16:00:00Z

Inclusion of a link to the Cloud Software Group blog post about CVE-2023-4966

CVE-2023-4967: NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967


Rockwell Automation FactoryTalk View Site Edition insufficiently validates user input, which could potentially allow threat actors to send malicious data bringing the product offline. If exploited, the product would become unavailable and require a restart to recover resulting in a denial-of-service condition.



**JavaScript required**

JavaScript is required. This web browser does not support JavaScript or JavaScript in this web browser is not enabled.

To find out if your web browser supports JavaScript or to enable JavaScript, see web browser help.

CVE-2023-46289: Sign In

A denial-of-service vulnerability was found in the firmware used in Lenovo printers, where users send illegal or malformed strings to an open port, triggering a denial of service that causes a display error and prevents the printer from functioning properly.

CVE-2022-3429

Debian Linux Security Advisory 5536-1 - An important security issue was discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5536-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonOctober 26, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-5472An important security issue was discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), this problem has been fixedin version 118.0.5993.117-1~deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 118.0.5993.117-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmU6+wwACgkQZF0CR8NudjcbzQ//b9RRr1OyKscWjFnuIgcs6zbj3IloLMQVwYj1LNeR1eqDwFcOBhxjfSKhx4vAxveR/KyrDKf1O71CWwL+vGZREw7r8X2kanJTCBQ7kIdgRpSc/uSQcCCmcx7LUemd9k2CzWHgqSYgZGrxBB5XDoQ2WfUxqH3gu5Xm0qhLb6GnWg4ylMlpsxvepEJW4v0GulZJqBQn1gnUfoFetoUccg7qKi0ev/COlza6kcfY71Xs+vlNMrnDwuzeCcuiWEjB8Q5JcjcU3D269Mj7aa6B5AN3LeCBLK+Q7T3+pn8Ft8GYSJrlFleEvtTkGSCxW8Pjo2gzDvl9U8bswgmtcUE6M26MFJIlYINxI9SCKuPCnbmdCxY5JG/8puSGD+ioG3l3BexYT0+NexUgjjoMsnwyaPR1OeQyWr/N8Obk/vEeZ9xaJzpnKtxKstnFqcZ9eqKt1B8S68YDPuXSVI0Wyb5E6Ozqrq2J8PrmwK7LrqrI/8nD/AQLgf20gU+2jc1z5MCYymu+IGxGolBcOTaRoK4GpASZ0x93UR/sNB6jGK08FZB+XUPjM/otxDl1D3QQeFuMXndWzvwsxHdZrL1DTlk4vDhaGzW2XBcPqhbfuqRwwKt7QMqLlTKH3/iVp6SQPYY8k1SfBSs1oO7iXv9UYm8+kHGNtWs0GWpuY0qxwDIMflWb4rE==Gmlo-----END PGP SIGNATURE-----

Debian Security Advisory 5536-1

Red Hat Security Advisory 2023-6148-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.9 General Availability release images, which provide security updates and fix bugs. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6148.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Advanced Cluster Management 2.7.9 security and bug fix updates  
Advisory ID:        RHSA-2023:6148-01  
Product:            Red Hat ACM  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6148  
Issue date:         2023-10-26  
Revision:           01  
CVE Names:          CVE-2023-39318  
====================================================================

Summary: 

Red Hat Advanced Cluster Management for Kubernetes 2.7.9 General  
Availability release images, which provide security updates and fix bugs.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

Description:

Red Hat Advanced Cluster Management for Kubernetes 2.7.9 images

Red Hat Advanced Cluster Management for Kubernetes provides the  
capabilities to address common challenges that administrators and site  
reliability engineers face as they work across a range of public and  
private cloud environments. Clusters and applications are all visible and  
managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster  
Management for Kubernetes, which fix several bugs. See the following  
Release Notes documentation, which will be updated shortly for this  
release, for additional details about this release:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/release_notes/

Security fix(es):  
CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack  
CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work  
CVE-2023-39321 golang: crypto/tls: panic when processing post-handshake message on QUIC connections  
CVE-2023-39319 golang: html/template: improper handling of special tags within script contexts  
CVE-2023-39318 golang: html/template: improper handling of HTML-like comments within script contexts  
CVE-2023-39322 golang: crypto/tls: lack of a limit on buffered post-handshake

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html-single/install/index#installing

CVEs:

CVE-2023-39318

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6148-01

Red Hat Security Advisory 2023-6145-01 - Multicluster Engine for Kubernetes 2.2.9 General Availability release images, which contain security updates and fix bugs. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6145.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Multicluster Engine for Kubernetes 2.2.9 security updates and bug fixes  
Advisory ID:        RHSA-2023:6145-01  
Product:            multicluster engine for Kubernetes  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6145  
Issue date:         2023-10-26  
Revision:           01  
CVE Names:          CVE-2023-39318  
====================================================================

Summary: 

Multicluster Engine for Kubernetes 2.2.9 General Availability release images,   
which contain security updates and fix bugs.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE links in the References section.

Description:

Multicluster Engine for Kubernetes 2.2.9 images

Multicluster engine for Kubernetes provides the foundational components  
that are necessary for the centralized management of multiple  
Kubernetes-based clusters across data centers, public clouds, and private  
clouds.

You can use the engine to create new Red Hat OpenShift Container Platform  
clusters or to bring existing Kubernetes-based clusters under management by  
importing them. After the clusters are managed, you can use the APIs that  
are provided by the engine to distribute configuration based on placement  
policy.

Security fix(es):  
CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack  
CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work  
CVE-2023-39321 golang: crypto/tls: panic when processing post-handshake message on QUIC connections  
CVE-2023-39319 golang: html/template: improper handling of special tags within script contexts  
CVE-2023-39318 golang: html/template: improper handling of HTML-like comments within script contexts  
CVE-2023-39322 golang: crypto/tls: lack of a limit on buffered post-handshake

Solution:

https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/clusters/cluster_mce_overview#installing-while-connected-online-mce

CVEs:

CVE-2023-39318

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6145-01

Red Hat Security Advisory 2023-6105-01 - An update is now available for Red Hat JBoss Core Services. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6105.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP1 security updateAdvisory ID:        RHSA-2023:6105-01Product:            Red Hat JBoss Core ServicesAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6105Issue date:         2023-10-26Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update is now available for Red Hat JBoss Core Services.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience.This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.57, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References section.Security Fix(es):* nghttp2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) [Major Incident] (CVE-2023-44487)A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6105-01

Xpand IT Write-back manager v2.3.1 allows attackers to perform a directory traversal via modification of the siteName parameter.

During an authorised penetration testing assessment conducted on Xpand IT’s Write-Back software, Balwurk’s security team found multiple security vulnerabilities, first disclosed to the customer and then responsibly submitted to the MITRE CVE program.

The discovered vulnerability allows an attacker to change the directory to which an uploaded file is saved on the filesystem.

This blog post is the second post of a five-part series in which we will technically describe five security vulnerabilities and how they were detected and exploited.

**What is Write-Back?**

Write-Back is a Tableau extension that enables users to submit data directly from a Tableau dashboard to your database, allowing them to implement any actionable use case without leaving the analysis flow.

Write-Back allows users to take the Tableau usage further and implement use cases where you need users to input data, such as forecasting, planning, adding comments, or any actionable process. Includes features like on-premises execution, audit, multiple back-end databases, and integrated authentication.

Before diving into more technical details, we should describe the layout of Write-Back’s high-level back-end architecture:

**Write-Back (Server)**: Tableau extensions are web-based and deployed on a separate application server from the Tableau Server/Cloud. This means that Write-Back should be placed side by side with Tableau, ideally on a separate machine. Users will interact with the Write-Back extension through the Tableau dashboards that can be on different Tableau platforms, i.e., Tableau Desktop, Tableau Server, or even Tableau Cloud.

**Write-Back Manager**: Centralizes all configurations and enables platform administrators to take full control of how Write-Back is configured. All of this is done on a web UI. Each Write-Back installation has its own Write-Back manager deployed on the same machine, allowing it to manage that instance.

**Technical description**

CVE-2023-27170 is a path or directory traversal security vulnerability that allows an authenticated user to upload a file to any location on the file system using any of the multiple file upload features on the Write-Back Manager.

This vulnerability was initially detected by changing the uploaded filename through a man-in-the-middle attack.

In the particular case of the customised logo upload feature, the name under which the logo file would be written to disk equalled the value passed in the siteName parameter, which by default was always 00000000-0000-0000-0000-000000000000. By manipulating the value of this parameter and adding special characters such as dots ‘.’ and slashes ‘/’, an attacker can change the path to which the file will be written:

**_Figure 1 – Logo file upload._**

In this example, the logo was placed in one folder hierarchically above the logos folder:

**_Figure 2 – Logo file uploaded to a different folder._**

The root cause of this vulnerability can be found in the uploadLogoFile function of the ThemesManager class, which handles the upload of a custom logo file:

**_Figure 3 – Cause of the vulnerability._**

The siteName parameter is simply concatenated together with the file extension and added to the writePath, resulting in the manipulation of the folder’s path to which the file is uploaded to.

**Impact**

This vulnerability could potentially be exploited in multiple manners. A malicious user could overwrite critical files, upload massive files, cause a file space denial of service, or upload dangerous files into the web tree to achieve code execution.

**CVE ID:** CVE-2023-27170  
**CVSS 3.1 Base Score:** 5.5  
**CVSS Vector:** AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L  
**Affected Vendor:** Xpand IT  
**Affected Product:** Write-Back  
**Affected Version:** Write-Back Manager v2.3.1

**Mitigation**

Update Write-Back to at least version 4.1.

**Timeline**

12-12-2022 – Vulnerability detected and reported to Write-Back.

22-02-2023 – Vulnerability submitted to MITRE.

10-03-2023 – Vulnerability accepted and CVE-2023-27170 reserved.

12-07-2023 – Official Patch released by Write-Back team.

20-10-2023 – Public disclosure of CVE-2023-27170.

**Credits**

**Bruno Pincho** | Penetration Tester at Balwurk 

**References**

*   https://writeback4t.com

Tag

#dos