IBM Planning Analytics on Cloud Pak for Data 4.0 could allow an attacker on a shared network to obtain sensitive information caused by insecure network communication.  IBM X-Force ID:  247898.

CVE-2023-26024

IBM Administration Runtime Expert for i 7.2, 7.3, 7.4, and 7.5 could allow a local user to obtain sensitive information caused by improper authority checks.  IBM X-Force ID:  265266.

  

**Summary**

IBM Administration Runtime Expert for i could allow sensitive information stored in a file, including passwords, to be obtained by an attacker as described in the vulnerability details section. IBM Administration Runtime Expert for i has addressed the vulnerability with a fix as described in the remediation/fixes section.

**Vulnerability Details**

**CVEID:**   CVE-2023-42006  
**DESCRIPTION:**   IBM Administration Runtime Expert for i could allow a local user to obtain sensitive information caused by improper authority checks.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265266 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Administration Runtime Expert for i

7.5

IBM Administration Runtime Expert for i

7.4

IBM Administration Runtime Expert for i

7.3

IBM Administration Runtime Expert for i

7.2

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

29 Nov 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Component":"","Platform":\[{"code":"PF012","label":"IBM i"}\],"Version":"7.5.0, 7.4.0, 7.3.0, 7.2.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}\]

CVE-2023-42006: Security Bulletin: IBM Administration Runtime Expert for i is vulnerable to an attacker obtaining sensitive information due to CVE-2023-42006

IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the invscout command to execute arbitrary commands.  IBM X-Force ID:  267966.

  

**Summary**

A vulnerability in the AIX invscout command could allow a non-privileged local user to execute arbitrary commands (CVE-2023-45168).

**Vulnerability Details**

**CVEID:**   CVE-2023-45168  
**DESCRIPTION:**   IBM AIX could allow a non-privileged local user to exploit a vulnerability in the invscout command to execute arbitrary commands.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/267966 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

AIX

7.2

AIX

7.3

VIOS

3.1

The following fileset levels are vulnerable:

Fileset

Lower Level

Upper Level

invscout.rte

2.2.0.0

2.2.0.24

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user's guide.

Example:  lslpp -L | grep -i invscout.rte

**Remediation/Fixes**

**A. FIXES**

IBM strongly recommends addressing the vulnerability now.

AIX and VIOS fixes are available.

The AIX and VIOS fixes can be downloaded via https from:

https://aix.software.ibm.com/aix/efixes/security/invscout\_fix5.tar 

The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

To extract the fixes from the tar file:

tar xvf invscout\_fix5.tar

cd invscout\_fix5

Verify you have retrieved the fixes intact:

The checksums below were generated using the "openssl dgst -sha256 \[filename\]" command as the following:

openssl dgst -sha256

filename

c0b1fb8c09034e37f0fe4adc88aaa24b8751a3999f290020719522669ece8fd5

invscout.rte

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes.  If the sums or signatures cannot be confirmed, contact IBM Support at http://ibm.com/support/ and describe the discrepancy.         

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[advisory\_file\].sig \[advisory\_file\]

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[ifix\_file\].sig \[ifix\_file\]

Published advisory OpenSSL signature file location:

https://aix.software.ibm.com/aix/efixes/security/invscout\_advisory5.asc.sig

**B. FIX INSTALLATION**

If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.

To preview the fix installation:

installp -apYd . invscout

To install the fix package:

installp -aXYd . invscout

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

30 Nov 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSPHKW","label":"PowerVM Virtual I\\/O Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}\]

CVE-2023-45168: Security Bulletin: AIX is vulnerable to arbitrary command execution due to invscout (CVE-2023-45168)

By Waqas
Thus far, the FjordPhantom malware has defrauded victims of around $280,000 (£225,000).
This is a post from HackRead.com Read the original post: Android Banking Malware FjordPhantom Steals Funds Via Virtualization

Currently, the FjordPhantom malware appears to be active in Southeast Asia, covering countries including Malaysia, Thailand, Indonesia, Singapore, and Vietnam.

Cybersecurity firm Promon has identified a novel Android malware named FjordPhantom that employs virtualization to target applications. This technique has not been observed in any malware previously. FjordPhantom propagates through messaging services and combines app-based malware with social engineering to deceive banking customers.

Promon indicated in its report published on November 30, 2023, that only one sample of FjordPhantom has been obtained. However, researchers suspect that the malware is operational in Southeast Asia, encompassing countries such as Malaysia, Thailand, Indonesia, Singapore, and Vietnam.

“In discussions with banks in the region, Promon has learned that one customer was defrauded out of 10 million Thai Baht (approximately $280,000 – £225,000) at the time of writing,” noted the report author Benjamin Adolphi and shared with Hackread.com ahead of publication on Thursday.

Further probing revealed that the malware is distributed through emails, SMS messages, and messaging apps. Users are tricked into downloading a bogus banking app, which contains FjordPhantom.

When this app gets installed, the attackers, posing as customer service representatives, guide the users about the steps to run the app. The malware uses virtualization to create a virtual container to run this app and attackers can monitor the user’s actions and steal their credentials.

The malware integrates various open-source/free projects from GitHub, incorporating a virtualization solution and a hooking framework. FjordPhantom utilizes virtualization solutions to circumvent the Android sandbox, enabling different apps to operate within the same sandbox.

This facilitates attackers in gaining access to files and memory, conducting debugging, and injecting code into other apps. The approach involves virtualization solutions loading their own code into a new process before loading the hosted app’s code. Consequently, the malware can evade traditional code injection detection methods, as it doesn’t modify the original application.

The malware leverages the hooking framework to evade SafetyNet rooting detection, screenreader detection, and dismiss dialog boxes warning the user of ongoing malicious activity on the system. Additionally, the malware logs various actions performed by the targeted applications, signifying active development and suggesting potential targeting of other apps in the future.

Screenshot credit: Promon

Researchers believe that FjordPhantom is a sophisticated Android malware used to commit real-world fraud. Here are 5 tips for Android users to protect themselves from malware, especially banking trojan:

1.  **Download apps only from trusted sources:** The safest way to get apps for your Android device is to download them from the official Google Play Store. Apps in the Play Store have been reviewed by Google and are less likely to be malicious. If you need to download an app from a third-party source, make sure to do your research and only download apps from reputable websites.
2.  **Be careful about the permissions you give apps:** When you install an app, it will ask you for permission to access certain data or features on your device. Only give apps the permissions they need to function. For example, if you’re installing a banking app, it will need permission to access your contacts and call history. However, there’s no reason for it to need permission to access your photos or location.
3.  **Keep your device up to date:** Google regularly releases updates for Android that fix security vulnerabilities. Make sure to install these updates as soon as they become available. You can enable automatic updates in your device’s settings.
4.  **Install a mobile security app:** A mobile security app can help to protect your device from malware by scanning apps and files for threats. It can also block malicious websites and phishing attempts. There are many different mobile security apps available, so do some research to find one that’s right for you.
5.  **Be cautious about what you click on:** Be careful about clicking on links in emails or text messages, even if they appear to be from someone you know. These links could take you to malicious websites that could install malware on your device.

****_RELATED ARTICLES_****

1.  **IBM X-Force Discovers Gootloader Malware Variant- GootBot**
2.  **Qakbot Botnet Disrupted, Infected 700,000 Computers Globally**
3.  **Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users**
4.  **Proton CAPTCHA: New Privacy-First CAPTCHA Defense Against Bots**
5.  **Google Workspace Exposed to Takeover from Domain-Wide Delegation Flaw**

Android Banking Malware FjordPhantom Steals Funds Via Virtualization

By Deeba Ahmed
The conclusion was reached after researchers evaluated over 9,500 of the largest transactional websites in terms of traffic,…
This is a post from HackRead.com Read the original post: 68% of US Websites Exposed to Bot Attacks

The conclusion was reached after researchers evaluated over 9,500 of the largest transactional websites in terms of traffic, encompassing sectors such as banking, e-commerce, and ticketing businesses.

Bad bots are plaguing the internet, making up over 30% of internet traffic today. Cybercriminals can use them to target online businesses with fraud and other types of attacks, according to the latest research from online fraud and mitigation company DataDome.

According to a report from DataDome, a company specializing in bot and online fraud protection, released on November 28, 68% of US websites lack adequate protection against simple bot attacks, highlighting how vulnerable US businesses could be to automated cyberattacks.

The researchers assessed more than 9,500 of the largest transactional websites in terms of traffic, including banking, e-commerce, and ticketing businesses. They found that the US websites face significant risks ahead of the busy holiday shopping season. The findings also highlighted that traditional CAPTCHAs aren’t effective in preventing automated attacks.

As per DataDome’s report shared with Hackread.com ahead of publication on Tuesday, 72.3% of e-commerce websites and 65.2% of classified ad websites failed the bot tests, whereas 85% of DataDome’s fake Chrome bots remained undetected.

Among the 2,587 websites featuring one CAPTCHA tool, less than 5% could detect/block all bots. Interestingly, gambling sites were the most well-protected against bot attacks, with 31% blocking all the test bots. Only 10.2% successfully blocked all malicious bot requests.

DataDome’s Head of Research, Antoine Vastel, referred to bots as “silent assassins”, adding that bots are becoming sophisticated day-by-day and US businesses are unprepared for the “financial and reputational damage” bot attacks can cause.

This, as per Vastel, includes threats like ticket scalping, inventory hoarding, and account fraud. Vastel explained that bad bots can wreak havoc on businesses and consumers, exposing them to “unnecessary risk.”

These findings highlight the urgent need for US businesses to enhance their bot protection measures. Here are 5 key points on how owners and administrators can protect their wbsites against bot attacks:

1.  **Implement CAPTCHA and reCAPTCHA:** CAPTCHAs and reCAPTCHAs are effective tools for distinguishing between humans and bots. They can be used to prevent bots from submitting forms, signing up for accounts, or accessing restricted areas of your website.
2.  **Use IP blacklisting:** IP blacklisting involves identifying and blocking IP addresses that are known to be associated with malicious activity. This can help to prevent bots from accessing your website altogether.
3.  **Monitor website traffic:** By monitoring website traffic, you can identify patterns that may be indicative of bot activity. For example, if you see a sudden surge in traffic from a single IP address, this could be a sign that your website is under attack from a botnet.
4.  **Implement rate limiting:** Rate limiting is a technique that can be used to limit the number of requests that a user can make to your website in a given period of time. This can help to prevent bots from overwhelming your website with requests.
5.  **Use web application firewalls (WAFs):** WAFs are designed to protect websites from a variety of attacks, including bot attacks. They can be used to block malicious traffic and prevent bots from exploiting vulnerabilities in your website’s code.

****_RELATED ARTICLES_****

1.  IBM X-Force Discovers Gootloader Malware Variant- GootBot
2.  Qakbot Botnet Disrupted, Infected 700,000 Computers Globally
3.  Telekopye Toolkit Used as Telegram Bot to Scam Marketplace Users
4.  Proton CAPTCHA: New Privacy-First CAPTCHA Defense Against Bots
5.  Google Workspace Exposed to Takeover from Domain-Wide Delegation Flaw

68% of US Websites Exposed to Bot Attacks

Red Hat Security Advisory 2023-7587-01 - An update is now available for IBM Business Automation Manager Open Editions including images for Red Hat OpenShift Container Platform. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7587.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Updated IBM Business Automation Manager Open Editions 8.0.4 SP1 Images  
Advisory ID:        RHSA-2023:7587-01  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7587  
Issue date:         2023-11-29  
Revision:           01  
CVE Names:          CVE-2023-44487  
====================================================================

Summary: 

An update is now available for IBM Business Automation Manager Open Editions including images for Red Hat OpenShift Container Platform.

Description:

IBM Business Automation Manager Open Editions is an open source business process management suite that combines process management and decision service management. It enables business and IT users to create, manage, validate, and deploy process applications and decision services.

IBM Business Automation Manager Open Editions images have been provided for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) and for on-premise or private-cloud deployments.

This release updates the IBM Business Automation Manager Open Editions images to 8.0.4.

This release includes security fixes.

Security Fix(es):

* netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* Quarkus: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* EAP XP: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* EAP: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* businessautomation-operator: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.

For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.

Solution:

CVEs:

CVE-2023-44487

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803

Red Hat Security Advisory 2023-7587-01

The improper neutralization of special elements in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device.

**CVEs: CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474****Summary**

Zyxel has released patches addressing an authentication bypass vulnerability and command injection vulnerabilities in NAS products. Users are advised to install them for optimal protection.

**What are the vulnerabilities?**

CVE-2023-35137

An improper authentication vulnerability in the authentication module in Zyxel NAS devices could allow an unauthenticated attacker to obtain system information by sending a crafted URL to a vulnerable device.

CVE-2023-35138

A command injection vulnerability in the “show\_zysync\_server\_contents” function in Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

CVE-2023-37927

The improper neutralization of special elements in the CGI program in Zyxel NAS devices could allow an authenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.

CVE-2023-37928

A post-authentication command injection vulnerability in the WSGI server in Zyxel NAS devices could allow an authenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.

CVE-2023-4473

A command injection vulnerability in the web server in Zyxel NAS devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.

CVE-2023-4474

The improper neutralization of special elements in the WSGI server in Zyxel NAS devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted URL to a vulnerable device.

**What versions are vulnerable—and what should you do?**

After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period, with their firmware patches shown in the table below.

  
**Got a question?**

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

**Acknowledgment**

Thanks to the following security researchers and consultancies:

*   Maxim Suslov for CVE-2023-35137 and CVE-2023-35138
*   Attila Szász from BugProve for CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, and CVE-2023-4474
*   Drew Balfour from IBM X-Force for CVE-2023-4473

**Revision history**

2023-11-30: Initial release.

CVE-2023-4474: Zyxel security advisory for authentication bypass and command injection vulnerabilities in NAS products | Zyxel Networks

Red Hat Security Advisory 2023-7539-01 - An update for kernel is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a use-after-free vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7539.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security, bug fix, and enhancement update  
Advisory ID:        RHSA-2023:7539-01  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7539  
Issue date:         2023-11-28  
Revision:           01  
CVE Names:          CVE-2022-40982  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)

* kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route (CVE-2023-4128, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208)

* kernel: netfilter: potential slab-out-of-bound access due to integer underflow (CVE-2023-42753)

* hw: Intel: Gather Data Sampling (GDS) side channel vulnerability (CVE-2022-40982)

* kernel: use-after-free due to race condition occurring in dvb_register_device() (CVE-2022-45884)

* kernel: use-after-free due to race condition occurring in dvb_net.c (CVE-2022-45886)

* kernel: use-after-free due to race condition occurring in dvb_ca_en50221.c (CVE-2022-45919)

* kernel: Race between task migrating pages and another task calling exit_mmap to release those same pages getting invalid opcode BUG in include/linux/swapops.h (CVE-2023-4732)

* kernel: fbcon: out-of-sync arrays in fbcon_mode_deleted due to wrong con2fb_map assignment (CVE-2023-38409)

* kernel: use-after-free in smb2_is_status_io_timeout() (CVE-2023-1192)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Intel 8.8 BUG SPR IOMMU: QAT Device Address Translation Issue with Invalidation Completion Ordering (BZ#2221097)

* RHEL 8.9: intel_pstate may provide incorrect scaling values for hybrid capable systems with E-cores disabled (BZ#2223403)

* Bring MD code inline with upstream (BZ#2235655)

* NAT sport clash in OCP causing 1 second TCP connection establishment delay. (BZ#2236514)

* ibmvnic: NONFATAL reset causes dql BUG_ON crash (BZ#2236701)

* PVT:1050:NXGZIP: LPM of RHEL client lpar got failed with error HSCLA2CF in 19th loops (BZ#2236703)

* xfs: mount fails when device file name is long (BZ#2236813)

* NFSv4.0 client hangs when server reboot while client had outstanding lock request to the server (BZ#2237840)

* i40e: backport selected bugfixes (BZ#2238305)

* Updates for NFS/NFSD/SUNRPC for RHEL 8.9 (BZ#2238394)

* SCSI updates for RHEL 8.9 (BZ#2238770)

* kernel: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:35 at: sock_map_update_elem_sys+0x85/0x2a0 (BZ#2239475)

* Random delay receiving packets after bringing up VLAN on top of VF with vf-vlan-pruning enabled (BZ#2240751)

* RHEL-8.9 RDMA/restrack: Release MR restrack when delete (BZ#2244423)

Enhancement(s):

* Intel 8.9 FEAT EMR power: Add EMR CPU support to intel_rapl driver (BZ#2230146)

* Intel 8.9 FEAT EMR tools: Add EMR CPU support to turbostat (BZ#2230154)

* Intel 8.9 FEAT EMR power: Add EMR support to the intel_idle driver (BZ#2230155)

* Intel 8.9 FEAT EMR RAS: Add EDAC support for EMR (BZ#2230161)

* Intel 8.9 FEAT general: intel-speed-select (ISST): Update to latest release (BZ#2230163)

* Intel 8.9 FEAT cpufreq: intel_pstate: Enable HWP IO boost for all servers (BZ#2232123)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-40982

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/solutions/7027704  
https://bugzilla.redhat.com/show_bug.cgi?id=2148510  
https://bugzilla.redhat.com/show_bug.cgi?id=2148517  
https://bugzilla.redhat.com/show_bug.cgi?id=2151956  
https://bugzilla.redhat.com/show_bug.cgi?id=2154178  
https://bugzilla.redhat.com/show_bug.cgi?id=2223949  
https://bugzilla.redhat.com/show_bug.cgi?id=2225201  
https://bugzilla.redhat.com/show_bug.cgi?id=2225511  
https://bugzilla.redhat.com/show_bug.cgi?id=2230042  
https://bugzilla.redhat.com/show_bug.cgi?id=2236982  
https://bugzilla.redhat.com/show_bug.cgi?id=2239843

Red Hat Security Advisory 2023-7539-01

Musk’s recent use of the term “Q*Anon” is his most explicit endorsement of the movement to date. Conspiracists have since spent days dissecting its meaning and cheering on his apparent support.

With no new messages from Q in almost three years and former US President Donald Trump facing mounting legal woes, one would think that the QAnon political conspiracy was losing steam. But, on November 22, Elon Musk may have renewed hope for conspiracists around the world: As the US was preparing for Thanksgiving, Musk tweeted “Q\*Anon” out to his 164.5 million followers.

Musk’s post, which has been viewed 7.8 million times, linked to a story referencing a secret OpenAI project known as Q\* (pronounced Q star). Instantly, the online spaces where QAnon still flourishes—message boards, Telegram, and X itself—lit up with excited believers cheering Musk’s post. They claimed it was an endorsement of their worldview and, despite years of failed promises, confirmation that they were on the right path.

“Let’s gooooooo,” wrote Erica, a member of a prominent QAnon channel on Telegram, in response to Musk’s post. “The sheep will read QAnon \[and\] hopefully they’ll ask themselves why he did it, and look for answers, same way we all did,” a QAnon believer wrote on Truth Social. “Loud and Clear,” another wrote on X in a reply to Musk’s post.

Other QAnon figures flagged that the way Musk wrote QAnon—with a star symbol between Q and Anon—was a reference to the oft-used, and inaccurate, refrain within the community that claims the phrase QAnon is a media construction. “The asterisk separates Q and Anon,” an X user wrote in response to Musk’s post, “He knows exactly what he’s doing.” “Message received,” another wrote. On QAnon Telegram channels over the weekend, Musk’s recent posts were dissected as if there were messages written directly by Q, and some users decoded the dates and times of Musk’s posts on Twitter to try and discern a hidden meaning. QAnon believers also shared increasingly radical conspiracies about Musk, including apparent links between Musk’s tweet and the involvement of AI in the 2024 election. The same platforms where these discussions are occurring were also primary vectors for election conspiracies in 2020.

With the 2024 election now less than a year away, and almost a quarter of the country believing in some aspects of QAnon, it’s clear that the conspiracy movement could play a key role: Trump continues to court the group’s attention; one of their own, the QAnon Shaman, is now running for Congress; and, just last week, Marjorie Taylor Greene, a US representative from Georgia, appeared on one of the most popular online QAnon shows and discussed the conspiracy that the FBI was behind the January 6 attack on the Capitol. On X, the conspiracy and its promoters have flourished since Musk took control of the company last November. And now, Musk’s use of the term QAnon serves as the X owner’s most explicit endorsement of the movement to date.

Musk’s supporters were quick to defend his reference to QAnon, claiming in the replies that this was just Musk trolling. Even if he was, that doesn’t really matter: QAnon adherents see it not as a joke, but as a wholehearted endorsement from one of the most powerful people in the world. “While Musk isn’t explicitly endorsing QAnon, he’s making a thoughtless joke that Q believers will absolutely interpret as an endorsement,” Mike Rothschild, the author of _The Storm Is Upon Us_, a book about QAnon, wrote on X.

And while some QAnon followers realize Musk could be trolling, they also believe he is signaling to them. “The fact that he has been highlighting Q quite a bit over the last week or two is pretty interesting. One way to highlight is to troll. Musk does this often,” one user of a QAnon message board wrote, echoing similar comments from others.

This is hardly the first time Musk has interacted with and posted dog whistles to the QAnon community. Immediately after Musk took control of what was then Twitter, the platform reinstated the accounts of almost all the QAnon promoters who’d been banned from the platform in the wake of the Capitol riot. He has also interacted with many of them. In March, Musk posted “Free Jacob Chansley,” the man better known as the QAnon Shaman who is now running for Congress in Arizona. (At the end of March, Chansley was released early from a 41-month sentence in federal prison, which he’d been serving after taking part in the Capitol riot.)

Musk and X did not respond to WIRED’s request for comment.

A few days before Musk’s QAnon post, left-wing media watchdog Media Matters had published a report claiming that X was “placing ads for Apple, Bravo, IBM, Oracle, and Xfinity next to pro-Nazi content.” In response, Musk boosted a baseless conspiracy that Media Matters founder David Brock was linked to Pizzagate, the thoroughly-debunked precursor to QAnon that claimed Democrats were running a child sex trafficking operation from the basement of a pizza joint in Washington, DC. The Media Matters report also said that Musk has boosted the antisemitic conspiracy theory on X that Jewish people are helping “hordes of minorities” who are “flooding” into the country to replace white people. Days after the report was published, Musk filed a lawsuit against Media Matters.

Some influential QAnon figures have told their followers that they are now on the offensive against Media Matters, and claimed that the organization’s attacks on Musk are all part of a plot to disrupt the 2024 election. “They know what another year of increasing free speech on X does to all their precious false narratives in an election year in 2024. They need to take Musk and X out now,” a QAnon promoter who has organized a number of Q conferences in recent years wrote on his Telegram channel.

Elon Musk Is Giving QAnon Believers Hope Just in Time for the 2024 Elections

IBM Security Guardium 11.3, 11.4, and 11.5 is potentially vulnerable to CSV injection.  A remote attacker could execute malicious commands due to improper validation of csv file contents.  IBM X-Force ID:  265262.

  

**Summary**

IBM Security Guardium has addressed this vulnerability in an update.

**Vulnerability Details**

**CVEID:**   CVE-2023-42004  
**DESCRIPTION:**   IBM Security Guardium is potentially vulnerable to CSV injection. A remote attacker could execute malicious commands due to improper validation of csv file contents.  
CVSS Base score: 8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265262 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Security Guardium

11.3

IBM Security Guardium

11.4

IBM Security Guardium

11.5

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

27 Nov 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"11.3, 11.4, 11.5","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

Tag

#ibm