IBM API Connect V10.0.5.3 and V10.0.6.0 stores user credentials in browser cache which can be read by a local user.  IBM X-Force ID:  271912.

  

**Summary**

IBM API Connect V10 stores user credentials in browser cache which can be read by a local user (CVE-2023-47722)

**Vulnerability Details**

**CVEID:**   CVE-2023-47722  
**DESCRIPTION:**   IBM API Connect V10 stores user credentials in browser cache which can be read by a local user.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271912 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

API Connect

V10.0.5.3 & v10.0.6.0

**Remediation/Fixes**

IBM recommends upgrading to 10.0.5.4 and 10.0.7.0

Fix Central link for 10.0.5.4

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

04 Dec 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSMNED","label":"IBM API Connect"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"v10","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2023-47722: Security Bulletin: API Connect V10 is vulnerable to credential exposure

An out-of-bounds memory access flaw was found in the io_uring SQ/CQ rings functionality in the Linux kernel. This issue could allow a local user to crash the system.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2023-6560: cve-details

An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.

When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list.

This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).



Fixed a performance regression in 3.12's subprocess on Linux where it would no longer use the fast-path vfork() system call when it could have due to a logic bug, instead falling back to the safe but slower fork().

Also fixed a second 3.12.0 potential security bug. If a value of extra_groups=[] was passed to subprocess.Popen or related APIs, the underlying setgroups(0, NULL) system call to clear the groups list would not be made in the child process prior to exec().

The security issue was identified via code inspection in the process of fixing the first bug. Thanks to @vain for the detailed report and analysis in the initial bug on Github.

*   A regression test regarding vfork usage is desirable. I'm pondering a test that runs when strace is available and permitted which and confirms use of vfork() vs clone()...
*   A test that will catch setgroup() not being called is included in this PR. It must be run as root on Linux. I believe one of our buildbots is configured to run that way.
*   Discuss with Python Security Response team if this is also a noteworthy security fix. It could manifest when a root uid=0 process wants to drop other group memberships while executing a subprocess. Probably security relevant if the user= and group= parameters are also being used to drop privs...

Fixes #112334.

*   Issue: subprocess.Popen: Performance regression on Linux since 124af17b6e #112334

CVE-2023-6507: gh-112334: Restore subprocess's use of `vfork()` & fix `extra_groups=[]` behavior by gpshead · Pull Request #112617 · python/cpython

A null pointer dereference vulnerability was found in nft_dynset_init() in net/netfilter/nft_dynset.c in nf_tables in the Linux kernel. This issue may allow a local attacker with CAP_NET_ADMIN user privilege to trigger a denial of service.

CVE-2023-6622: cve-details

An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.

CVE-2023-6606: cve-details

An out-of-bounds read vulnerability was found in smb2_dump_detail in fs/smb/client/smb2ops.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.

CVE-2023-6610: cve-details

Red Hat Security Advisory 2023-7699-03 - Red Hat OpenShift Pipelines Client tkn for 1.10.6 has been released. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7699.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat OpenShift Pipelines Client tkn for 1.10.6 release and security updateAdvisory ID:        RHSA-2023:7699-03Product:            Red Hat OpenShift PipelinesAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7699Issue date:         2023-12-07Revision:           03CVE Names:          CVE-2023-39325====================================================================Summary: Red Hat OpenShift Pipelines Client tkn for 1.10.6 has been released.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat OpenShift Pipelines Client, tkn for the 1.10.6 release, provides a CLI tool to interact with the Pipelines and Triggers components provided by Red Hat OpenShift Pipelines 1.10.6.The tkn CLI tool is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms.Security Fix(es):* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-39325References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003https://bugzilla.redhat.com/show_bug.cgi?id=2242803https://bugzilla.redhat.com/show_bug.cgi?id=2243296https://issues.redhat.com/browse/SRVKP-3610

Red Hat Security Advisory 2023-7699-03

Red Hat Security Advisory 2023-7697-03 - An update is now available for Red Hat AMQ Clients. Issues addressed include code execution, denial of service, deserialization, and resource exhaustion vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7697.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: AMQ Clients 2023.Q4  
Advisory ID:        RHSA-2023:7697-03  
Product:            Red Hat AMQ Clients  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7697  
Issue date:         2023-12-07  
Revision:           03  
CVE Names:          CVE-2022-1471  
====================================================================

Summary: 

An update is now available for Red Hat AMQ Clients

Red Hat Product Security has rated this update as having an impact of  
Moderate.  
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed  
severity rating, is available for each vulnerability from the CVE link(s) in the  
References section.

Description:

Each Red Hat AMQ Client enables sending, and receiving messages to or from AMQ Broker 7.

This update provides various bug fixes and enhancements in addition to the  
client package versions previously released on Red Hat Enterprise Linux 8  
and 9.

Security Fix(es):

* (CVE-2023-34050) springframework-amqp: Deserialization Vulnerability  
* (CVE-2023-34462) netty: SniHandler 16MB allocation leads to OOM  
* (CVE-2023-40167) jetty: Improper validation of HTTP/1 content-length  
* (CVE-2022-1471) SnakeYaml: Constructor Deserialization Remote Code Execution  
* (CVE-2022-25857) snakeyaml: Denial of Service due to missing nested depth limitation for collections  
* (CVE-2022-38749) snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode  
* (CVE-2022-41854) dev-java/snakeyaml: DoS via stack overflow  
* (CVE-2023-1370) json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-1471

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.clients&version=2023.Q4  
https://access.redhat.com/documentation/en-us/red_hat_amq_clients/  
https://bugzilla.redhat.com/show_bug.cgi?id=2126789  
https://bugzilla.redhat.com/show_bug.cgi?id=2129706  
https://bugzilla.redhat.com/show_bug.cgi?id=2150009  
https://bugzilla.redhat.com/show_bug.cgi?id=2151988  
https://bugzilla.redhat.com/show_bug.cgi?id=2188542  
https://bugzilla.redhat.com/show_bug.cgi?id=2216888  
https://bugzilla.redhat.com/show_bug.cgi?id=2239634  
https://bugzilla.redhat.com/show_bug.cgi?id=2246065  
https://issues.redhat.com/browse/ENTMQCL-1291  
https://issues.redhat.com/browse/ENTMQCL-1517

Red Hat Security Advisory 2023-7697-03

Red Hat Security Advisory 2023-7623-03 - Red Hat JBoss Web Server 5.7.7 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include denial of service and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7623.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat JBoss Web Server 5.7.7 release and security updateAdvisory ID:        RHSA-2023:7623-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7623Issue date:         2023-12-07Revision:           03CVE Names:          CVE-2023-0464====================================================================Summary: Red Hat JBoss Web Server 5.7.7 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.7.7 serves as a replacement for Red Hat JBoss Web Server 5.7.6. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* jbcs-httpd24-openssl: OpenSSL: Excessive time spent checking DH q parametervalue (CVE-2023-3817)* openssl: Excessive time spent checking DH keys and parameters (CVE-2023-3446)* openssl: Certificate policy check not enabled (CVE-2023-0466)* openssl: Invalid certificate policies in leaf certificates are silentlyignored (CVE-2023-0465)* openssl: Denial of service by excessive resource usage in verifying X509policy constraints (CVE-2023-0464)* tomcat: FileUpload: DoS due to accumulation of temporary files on Windows(CVE-2023-42794)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)* openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-0464References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2181082https://bugzilla.redhat.com/show_bug.cgi?id=2182561https://bugzilla.redhat.com/show_bug.cgi?id=2182565https://bugzilla.redhat.com/show_bug.cgi?id=2207947https://bugzilla.redhat.com/show_bug.cgi?id=2224962https://bugzilla.redhat.com/show_bug.cgi?id=2227852https://bugzilla.redhat.com/show_bug.cgi?id=2235370

Red Hat Security Advisory 2023-7623-03

Red Hat Security Advisory 2023-7622-03 - An update is now available for Red Hat JBoss Web Server 5.7.7 on Red Hat Enterprise Linux versions 7, 8, and 9. Issues addressed include denial of service and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7622.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat JBoss Web Server 5.7.7 release and security updateAdvisory ID:        RHSA-2023:7622-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7622Issue date:         2023-12-07Revision:           03CVE Names:          CVE-2023-0464====================================================================Summary: An update is now available for Red Hat JBoss Web Server 5.7.7 on Red Hat Enterprise Linux versions 7, 8, and 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.7.7 serves as a replacement for Red Hat JBoss Web Server 5.7.6. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* jbcs-httpd24-openssl: OpenSSL: Excessive time spent checking DH q parameter value (CVE-2023-3817)* openssl: Excessive time spent checking DH keys and parameters (CVE-2023-3446)* openssl: Certificate policy check not enabled (CVE-2023-0466)* openssl: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465)* openssl: Denial of service by excessive resource usage in verifying X509 policy constraints (CVE-2023-0464)* openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-0464References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2181082https://bugzilla.redhat.com/show_bug.cgi?id=2182561https://bugzilla.redhat.com/show_bug.cgi?id=2182565https://bugzilla.redhat.com/show_bug.cgi?id=2207947https://bugzilla.redhat.com/show_bug.cgi?id=2224962https://bugzilla.redhat.com/show_bug.cgi?id=2227852https://bugzilla.redhat.com/show_bug.cgi?id=2235370

Tag

#linux