Red Hat Security Advisory 2022-7261-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift API for Data Protection (OADP) 1.0.5 security and bug fix update  
Advisory ID:       RHSA-2022:7261-01  
Product:           OpenShift API for Data Protection  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7261  
Issue date:        2022-10-31  
CVE Names:         CVE-2022-21698 CVE-2022-34903 CVE-2022-40674   
=====================================================================

1. Summary:

OpenShift API for Data Protection (OADP) 1.0.5 is now available.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore  
application resources, persistent volume data, and internal container  
images to external backup storage. OADP enables both file system-based and  
snapshot-based backups for persistent volumes.

Security Fix(es):

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter

5. JIRA issues fixed (https://issues.jboss.org/):

OADP-801 - Openshift plugin does not add Migration Plan labels on all resources  
OADP-812 - openshift-adp-controller-manager should not continuously log once dpa reaches reconciled  
OADP-823 - Check OADP and Openshift Versions and warn / error on compatibility  
OADP-829 - Registry pod going in crashloopbackoff state

6. References:

https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1/FydzjgjWX9erEAQgYvA/+IvvS65fmrIxTJSogT1oGiu2BE/rD6Rgo  
gYPPBC5Rm/eYTqhbzubugXydg8TgFlkIrmsWCz4hIG+QtQtXMDfQDu2PSxMUcBJK  
KnSa9eb0lKQOIRclqCMmVnA2NR7NQ54WPf7mBqzznl8BujT2LJ3pcscDHsWCf7Yn  
3Spgmrg6Ix3OJ3qM5h0l4xwQDubo14KkzcULCbhAyc0Kpx3Zq+C9tk8SwGQCrYZ+  
1cpoBGOw3x8EIZQDxB2FdiaPviPX1WkpcfghCE9ap/xbATx2ccUP+odDAiY1TLBM  
hcz1KguMZsTtK5uSvl+FytaV/E0c3qNvYQgj65dxAO+9SFrOCoR9+A9l965L/vGG  
cRJR+vSE0JmNsiPExvdqz5rFH5dP3Cdmx7m/7BM2OLoS4q5R+D5h5vrT85zxnAl5  
XXYikoSEO0C1eVRES+R5y4JFFApWDZF6TTe0bPNUXYulnJF75HbshqMW0UFGxRHG  
AwaChp/Pdhfjve9atV+0YO89cSFfovCaTxO95VkTswF0ZpK84VLKj1LMBoVJy3hU  
ef5hdDB76hrLpvx2qXcDxy0wGKgf3dhf4Hjx3Ub9S0OiAcRg4EFZgi4JG1OkuDEF  
K5x3VfONIEYG0e7ymDwY2VWHDjWBakts4Yg/AyD801iq/VR6M9eAG8fQUbwQxbYP  
0zkb+rGxrBY=  
=wK59  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7261-01

Bug fixed despite product reaching end of life

Bug fixed despite product reaching end of life

  

VMWare has patched a critical vulnerability in the management service for NSX, its network virtualization and security platform.

The vulnerability, caused by an old deserialization bug in an outdated Java library, could be abused to achieve pre-authentication remote code execution (RCE) on the host computer.

Due to the bug’s criticality, VMWare issued a patch despite the product having reached end-of-life status. The vulnerability is a reminder of the security challenges of managing open source software dependencies.

**Deserialization bugs**

Discovered and documented by security researcher Sina Kheirkhah, the main culprit in the VMWare NSX Manager flaw was XStream, a library for converting Java objects to XML format and vice versa (aka marshalling/unmarshalling).

XStream supports the marshalling and unmarshalling of a wide range of Java objects, even those that don’t support the Serializable interface.

This has made XStream an attractive launchpad for various code injection attacks. Security researcher Alvaro Muñoz documented RCE attacks with XStream in 2013, research that greatly helped Kheirkhah in discovering the VMWare vulnerability.

To go from unmarshalling to code execution on the host machine, the attacker would have to hook several Java features including dynamic proxies, event handlers, and method closure. This allowed the attacker to instantiate the class and invoke the method that runs commands on the system.

**Exploit on VMWare NSX Manager**

Versions of XStream up to 1.4.18 are vulnerable to this kind of deserialization attack. Kheirkhah discovered that VMWare NSX Manager used v1.4.18. The next step was to find an endpoint that could allow him to exploit the vulnerability.

“Java is very wild and there are so many scenarios that something can go wrong and end up in RCE on a popular appliance/software,” Kheirkhah told The Daily Swig. “I spent weeks studying how this certain VMWare product works which, eventually after spending so much time, it led to me to the discovery of the vulnerability.”

Kheirkhah first found an endpoint through which he could exploit the bug on NSX Manager. However, this endpoint required authenticated access.

With the help of security researcher Steven Seeley, Kheirkhah was able to access XStream through the password reset endpoint, which led to pre-authentication RCE on the NSX Manager host.

“This vulnerability allowed unauthenticated remote code execution as the root user on the target VMWare product,” Kheirkhah said.

Kheirkhah posted a proof of concept that shows how an attacker could gain shell access to the NSX Manager server.

**Lessons learned**

Even though the product had reached its end of life, VMWare patched it because it evaluated the severity of the bug to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

“While VMware does not mention end-of-life products on VMware Security Advisories, due to the critical severity of NSX-V the product team has made a patch available,” VMWare stated in an advisory.

“Deserialization vulnerabilities have been around for many years and will never go away,” Kheirkhah said.

“Even today you can notice how many new serialization libraries are getting introduced every day and how talented researchers are analyzing the security of these libraries and how it’s possible to abuse the deserialization process.”

Kheirkhah also underlined the importance of carefully handling the dependency chain of open source software. “Keeping track of dependencies and making sure they’re up to date is vital for securing your software,” he stressed.

The Daily Swig has reached out to VMWare for comments. We will update this post if we hear back from them.

YOU MAY ALSO LIKE Jira Align flaws enabled malicious users to gain super admin privileges – and potentially worse

VMWare patches RCE exploit in NSX Manager

Lateral or upwards movement beyond the instance was theoretically possible, concludes researcher

Lateral or upwards movement beyond the instance was theoretically possible, concludes researcher

A pair of vulnerabilities patched in Jira Align could in the “worst-case scenario” be combined by low-privileged malicious users to target Atlassian’s cloud infrastructure, a security researcher warns.

Jira Align is a software-as-a-service (SaaS) platform through which enterprises can scale their deployments of Atlassian Jira, the hugely popular bug tracking and project management application, in the cloud.

A Bishop Fox security researcher found a high severity (CVSS 8.8) authorization controls flaw that allows users with the ‘people’ permission to elevate their privilege, or that of any other user, to ‘super admin’ via the MasterUserEdit API (CVE-2022-36803).

Subsequently, abuse of a medium severity (CVSS 4.9) server-side request forgery (SSRF) bug (CVE-2022-36802) could then see attackers retrieve AWS credentials of the Atlassian service account that deployed the Jira Align instance.

**MisAligned permissions**

Super admins can among other things modify Jira connections, reset user accounts, and modify security settings, said Jake Shafer, senior security consultant at Bishop Fox.

Attackers could also access “everything the client of the SaaS had in their Jira deployment (or just take the whole thing offline, but I would hope there’s some backups in that case)”, he told The Daily Swig.

“Going by my pen testing experience, that could be everything from credentials and client information to details on unpatched vulnerabilities in their own applications and software.

Catch up with the latest cloud security news

“While, for good reason, my testing stopped at the edge of the Atlassian infrastructure, under the right conditions \[leveraging the SSRF\] potentially means gaining access to other client data through lateral or upward movement through Atlassian’s AWS infrastructure.

“Since Atlassian’s providing cloud tenants to these clients, gaining access to the infrastructure of the SaaS provider itself is pretty much worst-case scenario.”

The flaws affect version 10.107.4 and were patched in 10.109.3, which was released on July 22, 2022.

**People permissions**

The role of ‘people’ permissions varies depending on an instance’s configuration. “In the sandbox environment that was provisioned for testing purposes, this permission was added to the ‘program manager’ role, but could be exploited by any role with the ‘people’ permission,” explained Shafer in a Bishop Fox security advisory.

This could either be done by “intercepting the role change request directly to the API and modifying the parameter to ”, or by performing an API call with a request containing their session cookies.

The SSRF resides in the Jira Align API, which manages external connections.

A user-supplied URL value called points to the relevant API location. Jira Align automatically appended /rest/api/2/ to the URL server side, but the further addition of ‘#’ “would allow an attacker to specify any URL”, warned Shafer.

The issues were unearthed on May 31, 2022, and reported to Atlassian on June 6, with the vendor initially addressing the SSRF with a hotfix version 10.108.3.5 on June 28.

The Daily Swig has invited Atlassian to comment. We will update the article if they do so.

RECOMMENDED Policy-as-code approach counters ‘cloud native’ security risks

Jira Align flaws enabled malicious users to gain super admin privileges – and potentially worse

Super admins can, among other things, modify Jira connections, reset user accounts, and modify security settings

Adam Bannister 26 October 2022 at 16:00 UTC  
Updated: 27 October 2022 at 09:42 UTC

Super admins can, among other things, modify Jira connections, reset user accounts, and modify security settings

UPDATED A pair of vulnerabilities patched in Jira Align could have enabled low-privileged malicious users to elevate their privileges to super admin, a security researcher has found.

Jira Align is a software-as-a-service (SaaS) platform through which enterprises can scale their deployments of Atlassian Jira, the hugely popular bug tracking and project management application.

A Bishop Fox security researcher found a high severity (CVSS 8.8) authorization controls flaw that allows users with the ‘people’ permission to elevate their privilege, or that of any other user, to ‘super admin’ via the MasterUserEdit API (CVE-2022-36803).

Subsequently, abuse of a medium severity (CVSS 4.9) server-side request forgery (SSRF) bug (CVE-2022-36802) could then see attackers retrieve AWS credentials of the Atlassian service account that deployed the Jira Align instance, the researcher said.

**MisAligned permissions**

Super admins can among other things modify Jira connections, reset user accounts, and modify security settings, said Jake Shafer, senior security consultant at Bishop Fox.

Attackers could also access “everything the client of the SaaS had in their Jira deployment (or just take the whole thing offline, but I would hope there’s some backups in that case)”, he told The Daily Swig.

“Going by my pen testing experience, that could be everything from credentials and client information to details on unpatched vulnerabilities in their own applications and software.”

Catch up with the latest cloud security news

Shafer also speculated that, while his testing “stopped at the edge of the Atlassian infrastructure”, leveraging the SSRF “under the right conditions” might theoretically enable attackers to move laterally or upward through Atlassian’s AWS infrastructure.

However, Atlassian disputed this assertion in response to queries from The Daily Swig, emphasizing “that Jira Align's SaaS and Atlassian's wider SaaS are not connected. The Jira Align AWS environment was locked down to a level that there was no accessible information that was not encrypted and other layers could not be reached, so this is a purely hypothetical and misleading statement”.

**No exploitation detected**

The flaws affect version 10.107.4 and were patched in 10.109.3, which was released on July 22, 2022.

The issues were unearthed on May 31, 2022, and reported to Atlassian on June 6, with the vendor initially addressing the SSRF with a hotfix on June 9.

Bala Sathiamurthy, chief information security officer at Atlassian, told The Daily Swig: “These are both known and patched medium-severity vulnerabilities. Our Security Intelligence team has verified that no customers that use Jira Align on an Atlassian hosted cloud offering had either vulnerability exploited.”

He added: “As always, we recommend that our server and data center customers apply the latest security patches and mitigations as soon as they are available in order to receive the latest features and fixes. We also recommend that our customers move to the cloud versions of Atlassian products to ensure they automatically receive the upgrades and security patches.”

**People permissions**

The role of ‘people’ permissions varies depending on an instance’s configuration. “In the sandbox environment that was provisioned for testing purposes, this permission was added to the ‘program manager’ role, but could be exploited by any role with the ‘people’ permission,” explained Shafer in a Bishop Fox security advisory.

This could either be done by “intercepting the role change request directly to the API and modifying the parameter to ”, or by performing an API call with a request containing their session cookies.

The SSRF resides in the Jira Align API, which manages external connections.

A user-supplied URL value called points to the relevant API location. Jira Align automatically appended /rest/api/2/ to the URL server side, but the further addition of ‘#’ “would allow an attacker to specify any URL”, warned Shafer.

This article was updated on October 27 with the addition of comment from Atlassian.

RECOMMENDED Policy-as-code approach counters ‘cloud native’ security risks

Jira Align flaws enabled malicious users to gain super admin privileges

Two flaws in the popular developer cloud platform show how weaknesses in authorization functions and SaaS flaws can put cloud apps at risk.

Two vulnerabilities in Atlassian Jira Align, an agile planning software-as-a-service (SaaS) tool, could allow users with access to the service to become application administrators, and then attack the Atlassian service.

That's according to cybersecurity services firm Bishop Fox, which said in an advisory today that the vulnerabilities typify the risks posed to cloud services by relatively well-known, but often hard to catch, flaws. 

The two vulnerabilities found by Bishop Fox affect the Jira Align application, which is used to set agile-development goals, track efforts toward those goals, and create agile strategies. Because every instance of Jira Align is provisioned by Atlassian, an attacker could gain control of a part of the company's cloud infrastructure, Bishop Fox stated.

One vulnerability, a server-side request forgery (SSRF), could allow a user to retrieve "the AWS credentials of the Atlassian service account that provisioned the Jira Align instance," according to Bishop Fox.

The second vulnerability — in the authorization mechanism for users with the People role — could allow those users to elevate their role to Super Admin, which has access to all settings for the Jira Align tenant, such as resetting accounts and modifying settings.

The combination of the two flaws could allow a significant attack, says Jake Shafer, a security consultant with Bishop Fox, who found the flaws.

"Using the authorization finding would allow a low-privileged user to elevate their role to super admin which, in terms of information disclosure, would allow the attacker to gain access to everything the client of the SaaS had in their Jira deployment," he says. "From there, the attacker could then leverage the SSRF finding to go after the infrastructure of Atlassian themselves."

Both vulnerabilities have been patched — the first within a week and the second within a month, according to the disclosure timeline published by Bishop Fox.

However, companies should note that the increasing reliance on cloud applications has made attacks on cloud services and workloads much more common, so much so that the top class of vulnerability, according to the Open Web Application Security Project (OWASP), is broken authentication and access-control issues.

Furthermore, authorization issues are difficult for automated tools to pinpoint; plus, SSRF is a relatively new class of vulnerability that uses a cloud service's functionality and servers to conduct attacks, often bypassing security at the network edge as well as some internal security measures. 

Atlassian's Jira software has already had to deal with other instances of server-side request forgery, but the company is not alone. In 2019, a former Amazon Web Services used a SSRF vulnerability to steal data from financial firm Capital One.

**How to Combat Cloud Security Bugs**

With cloud services becoming part of operations for the vast majority of companies, tackling the top cloud vulnerabilities is critical, Shafer says.

"With the prevalence of how integrated these SaaS applications have become in the day-to-day operations of small and large companies, it’s important to remember that even these well-established companies can make mistakes," he says. "Trust but verify for all new software you’ll have to be reliant on, especially something as entrenched in the tech."

These most recent vulnerabilities highlight that developers should always make sure to double-check content supplied by users before completing a request, Shafer says. Additional input-sanitization checks could prevent both attacks.

"You're allowing customers into your cloud infrastructure, they may be paying for the service but at the end of the day they should be considered just as untrusted as a potential attacker," he says.

Companies should make sure to either manually test third-party applications or reach out to the cloud provider and check the results of their security assessments. Unfortunately, automated tools are not great at discovering authorization issues, Shafer says.

"These tools rely on a set of instructions or guidelines for what to look for and dealing with authorization issues will be different for every single piece of software out there," he says. "It’s very difficult to establish a set of rules that a scanner can pick up on and say 'Hey, user X shouldn’t be able to do Y in the context of this specific functionality.'"

Shafer lauded Atlassian's response, saying the company "did all the right things." Atlassian did not provide a comment by publishing time.

Atlassian Vulnerabilities Highlight Criticality of Cloud Services

Red Hat Security Advisory 2022-7058-01 - OpenShift sandboxed containers support for OpenShift Container Platform provides users with built-in support for running Kata containers as an additional, optional runtime. This advisory contains an update for OpenShift sandboxed containers with security fixes and a bug fix. Space precludes documenting all of the updates to OpenShift sandboxed containers in this advisory. Issues addressed include a null pointer vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift sandboxed containers 1.3.1 security fix and bug fix update  
Advisory ID:       RHSA-2022:7058-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7058  
Issue date:        2022-10-19  
CVE Names:         CVE-2015-20107 CVE-2022-0391 CVE-2022-1292  
                   CVE-2022-1586 CVE-2022-1785 CVE-2022-1897  
                   CVE-2022-1927 CVE-2022-2068 CVE-2022-2097  
                   CVE-2022-2832 CVE-2022-24675 CVE-2022-29154  
                   CVE-2022-30632 CVE-2022-32206 CVE-2022-32208  
                   CVE-2022-34903 CVE-2022-40674  
====================================================================  
1. Summary:

OpenShift sandboxed containers 1.3.1 is now available.

2. Description:

OpenShift sandboxed containers support for OpenShift Container Platform  
provides users with built-in support for running Kata containers as an  
additional, optional runtime.

This advisory contains an update for OpenShift sandboxed containers with  
security fixes and a bug fix.

Space precludes documenting all of the updates to OpenShift sandboxed  
containers in this advisory. See the following Release Notes documentation,  
which will be updated shortly for this release, for details about these  
changes:

https://docs.openshift.com/container-platform/4.11/sandboxed_containers/sandboxed-containers-release-notes.html

3. Solution:

Before applying this update, ensure all previously released errata relevant  
to your system have been applied.

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:  
https://docs.openshift.com/container-platform/latest/sandboxed_containers/upgrade-sandboxed-containers.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob  
2118556 - CVE-2022-2832 blender: Null pointer reference in blender thumbnail extractor

5. JIRA issues fixed (https://issues.jboss.org/):

KATA-1751 - CVE-2022-24675 osc-operator-container: golang: encoding/pem: fix stack overflow in Decode [rhosc-1]  
KATA-1752 - CVE-2022-28327 osc-operator-container: golang: crypto/elliptic: panic caused by oversized scalar [rhosc-1]  
KATA-1754 - OSC Pod security issue in 4.12 prevents subscribing to operator  
KATA-1758 - CVE-2022-30632 osc-operator-container: golang: path/filepath: stack exhaustion in Glob [rhosc-1]

6. References:

https://access.redhat.com/security/cve/CVE-2015-20107  
https://access.redhat.com/security/cve/CVE-2022-0391  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-2832  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/cve/CVE-2022-30632  
https://access.redhat.com/security/cve/CVE-2022-32206  
https://access.redhat.com/security/cve/CVE-2022-32208  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1C5WdzjgjWX9erEAQgJMw//UotXcQCJjQq9U/dMEE92E+gMGXIkLA0E  
r7WbJOwUYeokObhxD9T5Xq3/bXxRc1o/IGXIiL+0pxQSoG/JtjtI+DB9yUDxMdBU  
cNIu+H/o5aN0CPgIuYppi/UT1e3GUwkhMK310Ic8MFP/FKBzEu3sJmbLf3n1FRVp  
mpd+J08ksUo8NVKwqglyHgRyoDGOkzNd3jqo0q8PU07NmVWNcmQMmwE85/nEm4Cq  
PENRUyIKBQB7IhVdBhEy0RGCKqihnre4bwIoi3DULUfthnkuUEciBkTCNdEeRBmZ  
5wda1tj1vjbaLByeaEPla6+e48JcudmbL8G/ppacKUnVBD6p4qtW9LzdnOxRlrI2  
/MYM4kV3Z4gDTBZPEKVdgdMTDcHpjVB0d6IM+9yMSCjKMj3ihjeV/FYIxeo8WC0E  
Gdie+Kvd+1R/dRUdMh/FlUuk3dZjH6Xz3b7fkuIW1IVqC3xwawaT0MrmTBzqcyqu  
PYcIZmKUwglMn/fKOBlE4ynzirGX+tvVkP7Tu8nVm94YnWpZw4eDTY6E4WQqS3a5  
tgiKgqgey5cK6fLg8yQyPdSJfGzwAMiylCLVwSH8CMXBLvVxbRolBPDkz49ArxET  
36Pt3w7vkKUCPtSvk/1p36KZ/yHviYt4E2etRtwcGLvzGIqtu6vaq9NAWS+kcMbx  
dW4UeWt2Fow=N7WL  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7058-01

Red Hat Security Advisory 2022-6905-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.9.50. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.9.50 bug fix and security update  
Advisory ID:       RHSA-2022:6905-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6905  
Issue date:        2022-10-19  
CVE Names:         CVE-2022-26945 CVE-2022-30321 CVE-2022-30322  
                   CVE-2022-30323 CVE-2022-38177 CVE-2022-38178  
                   CVE-2022-40674  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.9.50 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.9.50. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-6903

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html

Security Fix(es):

* go-getter: command injection vulnerability (CVE-2022-26945)  
* go-getter: unsafe download (issue 1 of 3) (CVE-2022-30321)  
* go-getter: unsafe download (issue 2 of 3) (CVE-2022-30322)  
* go-getter: unsafe download (issue 3 of 3) (CVE-2022-30323)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s)  
listed in the References section.

You may download the oc tool and use it to inspect release image metadata  
as follows:

(For x86_64 architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.9.50-x86_64

The image digest is  
sha256:7242723f9a23277a9e594a6fe1daed404254b2bd9098a136b16034bc11703182

(For s390x architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.9.50-s390x

The image digest is  
sha256:c9a09a04291188a17fd18e4ac5e875a6eb17cf3e12099dabb23e5a66d408a368

(For ppc64le architecture)

$ oc adm release info  
quay.io/openshift-release-dev/ocp-release:4.9.50-ppc64le

The image digest is  
sha256:b60278c85b70e3453dae0e9e4c3a93770e067c4c6c2df58c52cf9da90cad15c3

All OpenShift Container Platform 4.9 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which  
will be updated shortly for this release, for important instructions on how  
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html

Details on how to access this content are available at  
https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2092918 - CVE-2022-30321 go-getter: unsafe download (issue 1 of 3)  
2092923 - CVE-2022-30322 go-getter: unsafe download (issue 2 of 3)  
2092925 - CVE-2022-30323 go-getter: unsafe download (issue 3 of 3)  
2092928 - CVE-2022-26945 go-getter: command injection vulnerability

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-1052 - "disruption_tests: [sig-network-edge] Cluster frontend ingress remain available" is failing  
OCPBUGS-1338 - Router proxy protocol doesn't work with dual-stack (IPv4 and IPv6) clusters  
OCPBUGS-1514 - kuryr-controller timing out liveness probe  
OCPBUGS-1518 - [OCP 4.9] Fix generate script in CBO  
OCPBUGS-1620 - Bug 2076297 - Router process ignores shutdown signal while starting up  
OCPBUGS-1624 - Bug 2054200 - Custom created services in openshift-ingress removed even though the services are not of type LoadBalancer  
OCPBUGS-1635 - Developer catalog fails to load  
OCPBUGS-1811 - [release-4.9] Jenkins install-plugins script does not ignore updates to locked plugin versions  
OCPBUGS-1981 - CI: Backend unit tests fails because devfile registry was updated (fix assertion)  
OCPBUGS-267 - Container creation errors causeed by crio goroutines stuck in semaphore wait (not dbus related)  
OCPBUGS-543 - [4.9] capabilities are not honored  
OCPBUGS-574 - [release-4.9] Failed to handle external GW check when a pod in the served ns has no ip  
OCPBUGS-811 - duplicate egressfirewall rules in the OVN Northbound database.

6. References:

https://access.redhat.com/security/cve/CVE-2022-26945  
https://access.redhat.com/security/cve/CVE-2022-30321  
https://access.redhat.com/security/cve/CVE-2022-30322  
https://access.redhat.com/security/cve/CVE-2022-30323  
https://access.redhat.com/security/cve/CVE-2022-38177  
https://access.redhat.com/security/cve/CVE-2022-38178  
https://access.redhat.com/security/cve/CVE-2022-40674  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY1BkfNzjgjWX9erEAQhoxA/9FfcwcDwxwfetRSVOrS5bwTefyeGqQ7OW  
crj99iNPdLRyFblDkK89sgUawjcFEce6A+1CxxBE7++F8UXvPqOgrK9ybEu9B1GW  
7eGbasDIwl0hPjzX/2H1wZqWR8KxUMGpP45/0LAMFhbddsnML4j5wPUgRlb4dcej  
hD+OMUfLy7ejHDmwN4BH5hfyD2IQEsdPmRM4gR6zpOeXFufOYcGy88/UIIy+F8dD  
4UuOc4kZ9d3EIKuzjrWaEQbkK8rhHxVcKdmzlcRxZGIy27VtZx8zAdP4oHJ5Lf9h  
5k1CGlvEdRN4a5WWorknQvsuOnNBsVHp2MTlhSjkfPVH9t6XFCBeiZGBIBKA4t4T  
g5GCkxzQTRNGlQNxVck+Q2dJacFgWBEvD5TwdKqvd55BO5JEuVHlZ540tcyGfQOw  
zYENjmHz/OLvPd0A4xbmBi9cUvCtChjIGlePdiyT2LA+HCcHTyGVEJW9iqIxRujP  
WDGyVF6sPscF3GdrHIbpBkICXqxDhZ+VI4z+yIidx6nskkbB3bxXCCRZbMwCKyFG  
6vpF7HMYSYPYgvKDHP9LUuEmlKxMRahJiwJr0Oiro19OvmBPAEI6fvAu+ay3Czi/  
zfb2JQXkKGrbgZ5KzF4fOh9sGn6XKJZa2l/Mqaif+H9rG2P8F7EmmdUuW8+65mP2  
1ke2xGzhDv0=kxZ6  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6905-01

Categories: Cybercrime
Categories: News
Tags: Brasil

Tags:  Lapsus$

Tags:  Telegram

Tags:  Dark Web

Tags:  data exfiltration

Tags:  SIM jacking

Tags:  arrests

A person suspected of being a member of hacking group Lapsus$ has been arrested by Brazilian police



(Read more...)




The post Suspected LAPSUS$ group member arrested in Brazil appeared first on Malwarebytes Labs.

The Brazilian Federal Police have arrested a suspect after an investigation into last year's breach of the Brazilian Ministry of Health. Responsibility for the breach was claimed by the LAPSUS$ group, when users found a message stating that system data had been copied and deleted and was in the hands of the group.

LAPSUS$ is a relative newcomer to the cybercrime scene that first appeared in the summer of 2021. It has made a name for itself by leaking sensitive information from some big targets. At the time it was thought that the group hailed from South America, based on its earliest targets and the near-native use of Spanish and Portuguese.

LAPSUS$ is also believed to be responsible for invading the systems of Empresa Brasileira de Correios e Telégrafos, and Localiza Rent a Car, as well as several others in South America, the United States and Europe, including Sociedade Independente de Comunicação, a private television channel in Portugal, the group Impresa, Electronic Art, Globant, Nvidia, Okta, Uber, and many others.

**Members**

In March 2022, the City of London Police said they had arrested seven teenagers in relation to LAPSUS$. Two of the seven suspects were charged with hacking offenses and one was re-arrested later after an attack on Rockstar Games.

The group is likely to be widespread. It has been growing due to its big successes and even bigger claims. The group has an international outreach, especially since it is very active on Telegram and the Dark Web. Based on linguistic analysis, the group is believed to also have Russian, Turkish, and German native speakers among their admins.

**Methods**

LAPSUS$ is mainly an information stealing operation that uses every possible method it can. Paying insiders, SIM-jacking, exploit vulnerabilities in software like Confluence, JIRA, and GitLab, buying or searching for leaked credentials, and AD Explorer—a publicly available tool to enumerate all users and groups in a network.

Most of the times the breached organization is extorted to pay a ransom to prevent the group from leaking the exfiltrated information, but in a few cases the group simply sold or published the stolen information without contacting the victim organization. In the case of the Nvidia breach, LAPSUS$ claimed it was mainly after the removal of the lite hast rate (LHR) limitations in all GeForce 30 series firmware—apparently all to help out gamers and the mining community.

**Organized crime**

The availability of fast internet has brought cybercriminals from all over the world together and allows them to cooperate internationally. Using end-to-end encrypted communications and the Dark Web allows them to do business below the radar of law enforcement agencies.

Koen Hermans, Dutch national public prosecutor for cybercrime said at the ONE-conference:

> “At least 80% of cyberattacks are now caused by organized crime groups and data, tools and expertise are widely shared. Cybercriminal knowledge and skills are shared and offered for sale online, via messaging services, the dark web and other platforms. There is a revenue model behind it, in which cybercrime - according to experts - has already overtaken the international drug trade in terms of profitability.”

This requires law enforcement agencies to cooperate internationally, which seems to be easier for some. The FBI and Europol have been able to achieve some successes by deploying cybertechniques against criminals, but their success rate seems to be lower when the criminal activities are conducted digitally and require virtually no physical activities. It is easier to track a shipment of weapons or drugs than to monitor the trade in stolen information.

The result is a growing demand for specialized experts, for which the police force will need a good deal of extra funds and staff.

Suspected LAPSUS$ group member arrested in Brazil

The ManageJiraConnectors API in Atlassian Jira Align before version 10.109.2 allows remote attackers to exploit this issue to access internal network resources via a Server-Side Request Forgery. This can be exploited by a remote, unauthenticated attacker with Super Admin privileges by sending a specially crafted HTTP request.

CVE-2022-36802

The MasterUserEdit API in Atlassian Jira Align Server before version 10.109.2 allows An authenticated attacker with the People role permission to use the MasterUserEdit API to modify any users role to Super Admin. This vulnerability was reported by Jacob Shafer from Bishop Fox.

Tag

#jira