Red Hat Security Advisory 2022-6051-01 - An update is now available for RHOL-5.5-RHEL-8. Issues addressed include denial of service, man-in-the-middle, and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Logging Subsystem 5.5.0 - Red Hat OpenShift security update  
Advisory ID:       RHSA-2022:6051-01  
Product:           RHOL  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6051  
Issue date:        2022-08-18  
CVE Names:         CVE-2021-38561 CVE-2022-0759 CVE-2022-1012  
                   CVE-2022-1292 CVE-2022-1586 CVE-2022-1785  
                   CVE-2022-1897 CVE-2022-1927 CVE-2022-2068  
                   CVE-2022-2097 CVE-2022-21698 CVE-2022-30631  
                   CVE-2022-32250  
====================================================================  
1. Summary:

An update is now available for RHOL-5.5-RHEL-8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.5.0 - Red Hat OpenShift

Security Fix(es):

* kubeclient: kubeconfig parsing error can lead to MITM attacks  
(CVE-2022-0759)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
(CVE-2021-38561)

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter  
2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks  
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-1415 - Allow users to tune fluentd  
LOG-1539 - Events and CLO csv are not collected after running `oc adm must-gather --image=$downstream-clo-image `  
LOG-1713 - Reduce Permissions granted for prometheus-k8s service account  
LOG-2063 - Collector pods fail to start when a Vector only Cluster Logging instance is created.  
LOG-2134 - The infra logs are sent to app-xx indices  
LOG-2159 - Cluster Logging Pods in CrashLoopBackOff  
LOG-2165 - [Vector] Default log level debug makes it hard to find useful error/failure messages.  
LOG-2167 - [Vector] Collector pods fails to start with configuration error when using Kafka SASL over SSL  
LOG-2169 - [Vector] Logs not being sent to Kafka with SASL plaintext.  
LOG-2172 - [vector]The openshift-apiserver and ovn audit logs can not  be collected.  
LOG-2242 - Log file metric exporter is still following /var/log/containers files.  
LOG-2243 - grafana-dashboard-cluster-logging should be deleted once clusterlogging/instance was removed  
LOG-2264 - Logging link should contain an icon  
LOG-2274 - [Logging 5.5] EO doesn't recreate secrets kibana and kibana-proxy after removing them.  
LOG-2276 - Fluent config format is hard to read via configmap  
LOG-2290 - ClusterLogging Instance status in not getting updated in UI  
LOG-2291 - [release-5.5] Events listing out of order in Kibana 6.8.1  
LOG-2294 - [Vector] Vector internal metrics are not exposed via HTTPS due to which OpenShift Monitoring Prometheus service cannot scrape the metrics endpoint.  
LOG-2300 - [Logging 5.5]ES pods can't be ready after removing secret/signing-elasticsearch  
LOG-2303 - [Logging 5.5] Elasticsearch cluster upgrade stuck  
LOG-2308 - configmap grafana-dashboard-elasticsearch is being created and deleted continously  
LOG-2333 - Journal logs not reaching Elasticsearch output  
LOG-2337 - [Vector] Missing @ prefix from the timestamp field in log record.  
LOG-2342 - [Logging 5.5] Kibana pod can't connect to ES cluster after removing secret/signing-elasticsearch: "x509: certificate signed by unknown authority"  
LOG-2384 - Provide a method to get authenticated from GCP  
LOG-2411 - [Vector] Audit logs forwarding not working.  
LOG-2412 - CLO's loki output url is parsed wrongly  
LOG-2413 - PriorityClass cluster-logging is deleted if provide an invalid log type  
LOG-2418 - EO supported time units don't match the units specified in CRDs.  
LOG-2439 - Telemetry: the managedStatus&healthStatus&version values are wrong  
LOG-2440 - [loki-operator] Live tail of logs does not work on OpenShift  
LOG-2444 - The write index is removed when `the size of the index` > `diskThresholdPercent% * total size`.  
LOG-2460 - [Vector] Collector pods fail to start on a FIPS enabled cluster.  
LOG-2461 - [Vector] Vector auth config not generated when user provided bearer token is used in a secret for connecting to LokiStack.  
LOG-2463 - Elasticsearch operator repeatedly prints error message when checking indices  
LOG-2474 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.5]  
LOG-2522 - CLO supported time units don't match the units specified in CRDs.  
LOG-2525 - The container's logs are not sent to separate index if the annotation is added after the pod is ready.  
LOG-2546 - TLS handshake error on loki-gateway for FIPS cluster  
LOG-2549 - [Vector] [master] Journald logs not sent to the Log store when using Vector as collector.  
LOG-2554 - [Vector] [master] Fallback index is not used when structuredTypeKey is missing from JSON log data  
LOG-2588 - FluentdQueueLengthIncreasing rule failing to be evaluated.  
LOG-2596 - [vector]the condition in [transforms.route_container_logs] is inaccurate  
LOG-2599 - Supported values for level field don't match documentation  
LOG-2605 - $labels.instance is empty in the message when firing FluentdNodeDown alert  
LOG-2609 - fluentd and vector are unable to ship logs to elasticsearch when cluster-wide proxy is in effect  
LOG-2619 - containers violate PodSecurity -- Log Exporation  
LOG-2627 - containers violate PodSecurity -- Loki  
LOG-2649 - Level Critical should match the beginning of the line as the other levels  
LOG-2656 - Logging uses deprecated v1beta1 apis  
LOG-2664 - Deprecated Feature logs causing too much noise  
LOG-2665 - [Logging 5.5] Sometimes collector fails to push logs to Elasticsearch cluster  
LOG-2693 - Integration with Jaeger fails for ServiceMonitor  
LOG-2700 - [Vector] vector container can't start due to "unknown field `pod_annotation_fields`" .  
LOG-2703 - Collector DaemonSet is not removed when CLF is deleted for fluentd/vector only CL instance  
LOG-2725 - Upgrade logging-eventrouter Golang  version and tags  
LOG-2731 - CLO keeps reporting `Reconcile ServiceMonitor retry error` and `Reconcile Service retry error` after creating clusterlogging.  
LOG-2732 - Prometheus Operator pod throws 'skipping servicemonitor' error on Jaeger integration  
LOG-2742 - unrecognized outputs when use the sts role secret  
LOG-2746 - CloudWatch forwarding rejecting large log events, fills tmpfs  
LOG-2749 - OpenShift Logging Dashboard for Elastic Shards shows "active_primary" instead of "active" shards.  
LOG-2753 - Update Grafana configuration for LokiStack integration on grafana/loki repo  
LOG-2763 - [Vector]{Master} Vector's healthcheck fails when forwarding logs to Lokistack.  
LOG-2764 - ElasticSearch operator does not respect referencePolicy when selecting oauth-proxy image  
LOG-2765 - ingester pod can not be started in IPv6 cluster  
LOG-2766 - [vector] failed to parse cluster url: invalid authority IPv6 http-proxy  
LOG-2772 - arn validation failed when role_arn=arn:aws-us-gov:xxx  
LOG-2773 - No cluster-logging-operator-metrics  service in logging 5.5  
LOG-2778 - [Vector] [OCP 4.11] SA token not added to Vector config when connecting to LokiStack instance without CLF creds secret required by LokiStack.  
LOG-2784 - Japanese log messages are garbled at Kibana  
LOG-2793 - [Vector] OVN audit logs are missing the level field.  
LOG-2864 - [vector] Can not sent logs to default when loki is the default output in CLF  
LOG-2867 - [fluentd] All logs are sent to application tenant when loki is used as default logstore in CLF.  
LOG-2873 - [Vector] Cannot configure CPU/Memory requests/limits when using Vector as collector.  
LOG-2875 - Seeing a black rectangle box on the graph in Logs view  
LOG-2876 - The link to the 'Container details' page on the 'Logs' screen throws error  
LOG-2877 - When there is no query entered, seeing error message on the Logs view  
LOG-2882 - RefreshIntervalDropdown and TimeRangeDropdown always set back to its original values when switching between pages in 'Logs' screen

6. References:

https://access.redhat.com/security/cve/CVE-2021-38561  
https://access.redhat.com/security/cve/CVE-2022-0759  
https://access.redhat.com/security/cve/CVE-2022-1012  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-32250  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYv5/w9zjgjWX9erEAQhRBBAAiZe24VtCQruCG/MvGEOowBvHf/YNANlR  
N6WAw2VezEfvFkG7z599MWZVWz2jnZO6cn9i+CoNDanAmItPJ8ljK4sitrP2ywrG  
OKwqIa4DPrywFFTSMxemB604ewE0cvXifuqG5bQDn+GvndiV/u/XaVTYZseY1P5X  
8ZIJ20cxROOE9pg0/3eya27edZxDrgWx6BtzSEZw47ReV3Dogqy+KzRCAAoN+pE5  
g2t/E0u0Ypmjil9Ttsop/ejUg/iz8UTGtua4m1nzhZrsoE84p5xIgvCEkYlh3OrD  
tfawpj1r9Avcjk4zbZkAe/enSQZQv0iWD792SoP7/ddX5tIu05ArvPWj/NvN/rI4  
dFzMe2UmezuS2EQpzaWOug2xSQUbR1hI+Y4cy0YOHuwzeaMeoHSbNYTJmOxKR0v1  
44a9oSBku+Xfk8nUNqS+9oq0z3DlAWt2BjbfrJCbSjZQdOUOIGM95L3ClrXY9LYF  
PT5v+h2W4myonj6HVhkv+Wy7aRbYQ7Qhk/3AaN7Dz5soBSNK4exvOzWXGuf/BdSf  
XFef6O87ipZveHQYmTfH+t8aJV1plEVTrm8pyz2EfzCv1Fnhjn0rvbGZAFBlvqW+  
vhxoj505RQBBhcno16V1zczdd8KsiqY7aZniTuh2DQAVvNhqsHgn8rvQ7HJlExun  
eIFVKOxx310=ynB/  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6051-01

Ubuntu Security Notice 5572-1 - Roger Pau Monné discovered that the Xen virtual block driver in the Linux kernel did not properly initialize memory pages to be used for shared communication with the backend. A local attacker could use this to expose sensitive information. Roger Pau Monné discovered that the Xen paravirtualization frontend in the Linux kernel did not properly initialize memory pages to be used for shared communication with the backend. A local attacker could use this to expose sensitive information.

    ==========================================================================Ubuntu Security Notice USN-5572-1August 18, 2022linux-aws vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systemsDetails:Roger Pau Monné discovered that the Xen virtual block driver in the Linux kernel did not properly initialize memory pages to be used for shared communication with the backend. A local attacker could use this to expose sensitive information (guest kernel memory). (CVE-2022-26365)Roger Pau Monné discovered that the Xen paravirtualization frontend in the Linux kernel did not properly initialize memory pages to be used for shared communication with the backend. A local attacker could use this to expose sensitive information (guest kernel memory). (CVE-2022-33740)It was discovered that the Xen paravirtualization frontend in the Linuxkernel incorrectly shared unrelated data when communicating with certainbackends. A local attacker could use this to cause a denial of service(guest crash) or expose sensitive information (guest kernel memory).(CVE-2022-33741)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   linux-image-4.4.0-1148-aws      4.4.0-1148.163   linux-image-aws                 4.4.0.1148.152After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-5572-1   CVE-2022-26365, CVE-2022-33740, CVE-2022-33741

Ubuntu Security Notice USN-5572-1

Google's cloud division on Thursday disclosed it mitigated a series of HTTPS distributed denial-of-service (DDoS) attacks which peaked at 46 million requests per second (RPS), making it the largest such recorded to date.
The attack, which occurred on June 1, targeting an unnamed Google Cloud Armor customer, is 76% larger than the 26 million RPS DDoS attack repealed by Cloudflare earlier this

Google's cloud division on Thursday disclosed it mitigated a series of HTTPS distributed denial-of-service (DDoS) attacks which peaked at 46 million requests per second (RPS), making it the largest such recorded to date.

The attack, which occurred on June 1, targeting an unnamed Google Cloud Armor customer, is 76% larger than the 26 million RPS DDoS attack repealed by Cloudflare earlier this June.

"To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds," Google Cloud's Emil Kiner and Satya Konduru said.

It's said to have started around 9:45 a.m. PT with 10,000 RPS, before growing to 100,000 RPS eight minutes later and further ramping up within two minutes to hit a high of 46 million RPS at 10:18 a.m. PT. In all, the DDoS assault lasted for a total of 69 minutes.

Google said that the unexpectedly high volume of traffic originated from 5,256 IP addresses located in 132 countries, with Brazil, India, Russia, and Indonesia alone accounting for 31% of all the attack requests.

22% of the IP addresses (1,169) corresponded to TOR exit nodes, but were responsible for just 3% of the attack traffic.

"The attack leveraged encrypted requests (HTTPS) which would have taken added computing resources to generate," the company noted. "The geographic distribution and types of unsecured services leveraged to generate the attack matches the Mēris family of attacks."

In September 2021, the Mēris botnet was linked to a DDoS attack on Russian internet giant Yandex that peaked at 21.8 million RPS. Parts of the botnet's infrastructure were sinkholed in late September 2021.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Cloud Blocks Record DDoS attack of 46 Million Requests Per Second

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.

Summary

ReDoS in Build Information request (CVE-2022-2075)

Advisory Number

2022-12

Discovery Date

06 Jun 2022

Patch Release Date

21 Jun 2022

Advisory Release Date

19 Aug 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-2075

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.2.6872 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a Medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation. When performed successfully, this results in Octopus Server becoming unresponsive due to excessive CPU usage.

The versions of Octopus Server affected by this vulnerability are:

*   All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
*   All 2018.x, 2019.x, 2020.x, 2021.x versions
*   All 2022.1.x versions before 2022.1.2894
*   All 2022.2.x versions before 2022.2.6872
*   All 2022.3.x versions before 2022.3.4953

As of the 19/08/2022 Octopus Server version 2022.3.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.2894
*   2022.2.6872
*   2022.3.4953

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.2.6872). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.2.6872):**

If you have feature version...

...then upgrade to this version

0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x

2022.1.2894 or greater

2018.x, 2019.x, 2020.x, 2021.x

2022.1.2894 or greater

2022.1.x

2022.1.2894 or greater

2022.2.x

2022.2.6872 or greater

2022.3.x

2022.3.4953 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2075, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-2075: Security Advisory 2022-12

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.

Summary

ReDoS in Variable Project Templates (CVE-2022-2074)

Advisory Number

2022-11

Discovery Date

12 Jun 2022

Patch Release Date

21 Jun 2022

Advisory Release Date

19 Aug 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

High

CVE ID

CVE-2022-2074

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.2.6872 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a high rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.. When performed successfully, this results in Octopus Server becoming unresponsive due to excessive CPU usage.

The versions of Octopus Server affected by this vulnerability are:

*   All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
*   All 2018.x, 2019.x, 2020.x, 2021.x versions
*   All 2022.1.x versions before 2022.1.2894
*   All 2022.2.x versions before 2022.2.6872
*   All 2022.3.x versions before 2022.3.4953

As of the 19/08/2022 Octopus Server version 2022.3.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.2894
*   2022.2.6872
*   2022.3.4953

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.2.6872). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.2.6872):**

If you have feature version...

...then upgrade to this version

0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x

2022.1.2894 or greater

2018.x, 2019.x, 2020.x, 2021.x

2022.1.2894 or greater

2022.1.x

2022.1.2894 or greater

2022.2.x

2022.2.6872 or greater

2022.3.x

2022.3.4953 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2074, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-2074: Security Advisory 2022-11

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.

Summary

ReDoS in Package Upload Files (CVE-2022-2049)

Advisory Number

2022-10

Discovery Date

02 Jun 2022

Patch Release Date

21 Jun 2022

Advisory Release Date

19 Aug 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Medium

CVE ID

CVE-2022-2049

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.2.6872 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a medium rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. When performed successfully, this results in Octopus Server becoming unresponsive due to excessive CPU usage.

The versions of Octopus Server affected by this vulnerability are:

*   All 0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x versions
*   All 2018.x, 2019.x, 2020.x, 2021.x versions
*   All 2022.1.x versions before 2022.1.2894
*   All 2022.2.x versions before 2022.2.6872
*   All 2022.3.x versions before 2022.3.4953

As of the 19/08/2022 Octopus Server version 2022.3.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.1.2894
*   2022.2.6872
*   2022.3.4953

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.2.6872). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.2.6872):**

If you have feature version...

...then upgrade to this version

0.x.x, 1.x.x, 2.x.x, 3.x.x, 4.x.x

2022.1.2894 or greater

2018.x, 2019.x, 2020.x, 2021.x

2022.1.2894 or greater

2022.1.x

2022.1.2894 or greater

2022.2.x

2022.2.6872 or greater

2022.3.x

2022.3.4953 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2049, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Bartłomiej Górkiewicz

CVE-2022-2049: Security Advisory 2022-10

Incomplete cleanup in a firmware subsystem for Intel(R) SPS before versions SPS_E3_04.08.04.330.0 and SPS_E3_04.01.04.530.0 may allow a privileged user to potentially enable denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2022.2 IPU - Intel® Chipset Firmware Advisory**

**Summary: **

A potential security vulnerability in the Intel® Server Platform Services (SPS) firmware may allow denial of service.  Intel is releasing firmware updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-26074

Description: Incomplete cleanup in a firmware subsystem for Intel(R) SPS before versions SPS\_E3\_04.08.04.330.0 and SPS\_E3\_04.01.04.530.0 may allow a privileged user to potentially enable denial of service via local access.  

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

**Affected Products:**

Intel® SPS before version SPS\_E3\_04.08.04.330.0 and SPS\_E3\_04.01.04.530.0.

**Recommendations:**

Intel recommends that users of Intel® SPS update to the latest version provided by the system manufacturer that addresses these issues.

**Acknowledgements:**

The following issue was found internally by Intel employees.  Intel would like to thank Tomasz Bagniuk.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-26074: INTEL-SA-00669

Improper access control in the firmware for some Intel(R) E810 Ethernet Controllers before version 1.6.2.9 may allow a privileged user to potentially enable denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Ethernet Controllers and Adapters Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® Ethernet Controllers and Adapters may allow denial of service.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2021-33126

Description: Improper access control in the firmware for some Intel(R) 700 and 722 Series Ethernet Controllers and Adapters before versions 8.5 and 1.5.5 may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 5.1 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

CVEID: CVE-2021-33128

Description: Improper access control in the firmware for some Intel(R) E810 Ethernet Controllers before version 1.6.0.6 may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 5.1 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 

CVEID: CVE-2022-28709

Description: Improper access control in the firmware for some Intel(R) E810 Ethernet Controllers before version 1.6.1.9 may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 4.1 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

**Affected Products:**

Intel® 700 Series Ethernet Controllers and Adapters before version 8.5.

*   Firmware version, as reported by the device, corresponding to the release numbers above are:  
    
*   Software Release Version 26.6: Device reports 8.5, NVM version 8.50.

Intel® 722 Series Ethernet Controllers and Adapters before version 1.5.5.

*   Firmware version, as reported by the device, corresponding to the release numbers above are:
    *   Software Release Version 26.6: Device reports 1.5.5, NVM version 5.50.

Intel® E810 Ethernet Controllers and Adapters before version 1.6.0.6.

*   Firmware versions, as reported by the device, corresponding to the release numbers above are:
    *   Software Release version 26.4: Device Reports 1.6.0.6., NVM version 3.0.

Intel® E810 Ethernet Controllers and Adapters before version1.6.1.9

*   Firmware versions, as reported by the device, corresponding to the release numbers above are:
    *   Software Release Version 26.8: Device reports 1.6.1.9, NVM version 3.10.

**Recommendations:**

Intel recommends updating the firmware for impacted Intel® Ethernet Controllers and Adapters to the versions provided below or later.

*   Intel® 700 Series Ethernet Controllers and Adapters before version 8.5.
*   Intel® 722 Series Ethernet Controllers and Adapters before version 1.5.5.
*   Intel® E810 Ethernet Controllers and Adapters before version 1.6.1.9

Updates are available for download at this location:

https://downloadcenter.intel.com/product/36773/Ethernet-Products

**Acknowledgements:**

The following issues were found internally by Intel employees.  Intel would like to thank Dmitry Shvarts and Dmitry Tsimbler. 

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

1.1

08/18/2022

Updated versions for:

CVE-2021-33128, CVE-2022-28709.

Affected products section.

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-28709: INTEL-SA-00593

libjpeg commit 281daa9 was discovered to contain a segmentation fault via LineMerger::GetNextLowpassLine at linemerger.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

Hi, there.

There is a segmentation fault in the newest master branch.

Here is the reproducing command:  
jpeg poc /dev/null

    (gdb) bt
    #0  0x00007ffff7f31270 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x0000000000711b6f in LineMerger::GetNextLowpassLine (this=0x85ed20, comp=2 '\002')
        at linemerger.cpp:262
    #2  0x00000000007127d2 in LineMerger::GetNextExpandedLowPassLine (this=0x85ed20,
        comp=<optimized out>) at linemerger.cpp:339
    #3  0x0000000000713251 in LineMerger::GetNextLine (this=0x85ed20, comp=2 '\002')
        at linemerger.cpp:360
    #4  0x000000000071c2dd in HierarchicalBitmapRequester::Pull8Lines (this=0x792720,
        c=<optimized out>) at hierarchicalbitmaprequester.cpp:447
    #5  0x0000000000720156 in HierarchicalBitmapRequester::ReconstructRegion (this=0x792720,
        orgregion=..., rr=0x7fffffffdae8) at hierarchicalbitmaprequester.cpp:739
    #6  0x000000000045c501 in Image::ReconstructRegion (this=0x7923b0, bmh=0x7fffffffd790,
        rr=0x7fffffffdae8) at image.cpp:1115
    #7  0x000000000043e266 in JPEG::InternalDisplayRectangle (this=0x7904c8, tags=0x7fffffffde90)
        at jpeg.cpp:721
    #8  0x000000000043e14b in JPEG::DisplayRectangle (this=0x7904c8, tags=0x7fffffffde90)
        at jpeg.cpp:699
    #9  0x000000000041e336 in Reconstruct (infile=<optimized out>,
        outfile=0x7fffffffe704 "/dev/null", colortrafo=1,
        alpha=0x790280 "\230$\255", <incomplete sequence \373>, upsample=true)
        at reconstruct.cpp:331
    #10 0x0000000000408b6a in main (argc=<optimized out>, argv=0x87a720) at main.cpp:747
    

poc.zip

CVE-2022-37770: Segmentation fault in LineMerger::GetNextLowpassLine · Issue #79 · thorfdbg/libjpeg

libjpeg commit 281daa9 was discovered to contain a segmentation fault via HuffmanDecoder::Get at huffmandecoder.hpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

Hi, there.

There is a segmentation fault in the newest master branch.

    Program received signal SIGSEGV, Segmentation fault.
    HuffmanDecoder::Get (this=0x0, io=0x7933c8)
        at /home/users/chluo/libjpeg/codestream/../coding/huffmandecoder.hpp:112
    warning: Source file is more recent than executable.
    (gdb) bt
    #0  HuffmanDecoder::Get (this=0x0, io=0x7933c8)
        at /home/users/chluo/libjpeg/codestream/../coding/huffmandecoder.hpp:112
    #1  0x0000000000491388 in LosslessScan::ParseMCU (this=0x793250, prev=0x7fffffffda90,
        top=0x7fffffffda70) at losslessscan.cpp:374
    #2  0x0000000000491b4a in LosslessScan::ParseMCU (this=0x793250)
        at losslessscan.cpp:440
    #3  0x000000000043aca1 in JPEG::ReadInternal (this=0x7904c8, tags=0x7fffffffdd40)
        at jpeg.cpp:345
    #4  0x000000000043988b in JPEG::Read (this=0x7904c8, tags=0x7fffffffdd40)
        at jpeg.cpp:210
    #5  0x000000000041cabb in Reconstruct (infile=<optimized out>,
        outfile=0x7fffffffe6fc "/dev/null", colortrafo=1, alpha=0x0, upsample=true)
        at reconstruct.cpp:121
    #6  0x0000000000408b6a in main (argc=<optimized out>, argv=0x0) at main.cpp:747

Tag

#dos