In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners.


CVE-2023-5763: Eclipse GlassFish Security Guide, Release 7

A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems.
"These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said.
All the counterfeit packages have been published by

Software Security / Malware

A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems.

"These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said.

All the counterfeit packages have been published by an npm user named hktalent (GitHub, X). As of writing, 39 of the packages uploaded by the author are still available for download.

The attack chain is triggered post the installation of the package via an install hook in the package.json that calls a JavaScript code to establish a reverse shell to rsh.51pwn\[.\]com.

"In this particular case, the attacker published dozens of benign-sounding packages with several layers of obfuscation and deceptive tactics in an attempt to ultimately deploy a reverse shell on any machine that simply installs one of these packages," Phylum said.

The findings arrive close on the heels of revelations that two packages published to the Python Package Index (PyPI) under the garb of simplifying internationalization incorporated malicious code designed to siphon sensitive Telegram Desktop application data and system information.

The packages, named localization-utils and locute, were found to retrieve the final payload from a dynamically generated Pastebin URL and exfiltrate the information to an actor-controlled Telegram channel.

The development highlights the increasing interest of threat actors in open-source environments, which allows them to set up impactful supply chain attacks that can target several downstream customers all at once.

"These packages show a dedicated and elaborate effort to avoid detection via static analysis and visual inspection by employing a variety of obfuscation techniques," Phylum said, adding they "serve as yet another stark reminder of the critical nature of dependency trust in our open-source ecosystems."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems

7-Zip through 22.01 on Linux allows an integer underflow and code execution via a crafted 7Z archive.

*   Home
*   Browse
*   7-Zip
*   Discussion

**A free file archiver for extremely high compression**

*   Summary
*   Files
*   Reviews
*   Support
*   Wiki
*   Tickets ▾
    *   Support Requests
    *   Patches
    *   Bugs
    *   Feature Requests
*   News
*   Discussion

Menu ▾ ▴

**7-Zip 23.00**

Created: 2023-05-07

Updated: 2023-09-27

*   **7-Zip 23.00 (beta) was released.**
    
    **Download**
    
    7-Zip for 64-bit Windows x64:  
    https://7-zip.org/a/7z2300-x64.exe
    
    7-Zip for 32-bit Windows x86:  
    https://7-zip.org/a/7z2300.exe
    
    7-Zip for 64-bit Windows ARM64:  
    https://7-zip.org/a/7z2300-arm64.exe
    
    7-Zip (console version) for 64-bit Linux x86-64 (AMD64):  
    https://7-zip.org/a/7z2300-linux-x64.tar.xz
    
    7-Zip (console version) for 32-bit Linux x86:  
    https://7-zip.org/a/7z2300-linux-x86.tar.xz
    
    7-Zip (console version) for 64-bit Linux ARM64:  
    https://7-zip.org/a/7z2300-linux-arm64.tar.xz
    
    7-Zip (console version) for 64-bit Linux ARM:  
    https://7-zip.org/a/7z2300-linux-arm.tar.xz
    
    7-Zip (console version) for macOS (ARM64 and x86-64):  
    https://7-zip.org/a/7z2300-mac.tar.xz
    
    7-Zip Extra: standalone console version, 7z DLL, Plugin for Far Manager:  
    https://www.7-zip.org/a/7z2300-extra.7z
    
    **What's new after 7-Zip 22.01:**
    
    *   7-Zip now can use new ARM64 filter for compression to 7z and xz archives. ARM64 filter can increase compression ratio for data containing executable files compiled for ARM64 (AArch64) architecture.  
        Also 7-Zip now parses executable files (that have exe and dll filename extensions) before compressing, and it selects appropriate filter for each parsed file:
        *   BCJ or BCJ2 filter for x86 executable files,
        *   ARM64 filter for ARM64 executable files.  
            Previous versions by default used x86 filter BCJ or BCJ2 for all exe/dll files.
    *   Default section size for BCJ2 filter was changed from 64 MiB to 240 MiB. It can increase compression ratio for executable files larger than 64 MiB.
    *   UDF: support was improved.
    *   cpio: support for hard links.
    *   Some changes and optimizations in WIM creation code.
    *   When new 7-Zip creates multivolume archive, 7-Zip keeps in open state only volumes that still can be changed. Previous versions kept all volumes in open state until the end of the archive creation.
    *   7-Zip for Linux and macOS now can reduce the number of simultaneously open files, when 7-Zip opens, extracts or creates multivolume archive. It allows to avoid the failures for cases with big number of volumes, bacause there is a limitation for number of open files allowed for a single program in Linux and macOS.
    *   There are optimizations in code for 7-Zip's context menu in Explorer: the speed of preparing of the menu showing was improved for cases when big number of files were selected by external program for context menu that contains 7-Zip menu commands.
    *   There are changes in code for the drag-and-drop operations to and from 7-Zip File Manager.  
        And the drag-and-drop operation with right button of mouse now is supported for some cases.
    *   The bugs were fixed:
        *   ZIP archives: if multithreaded zip compression was performed with more than one file to stdout stream (-so switch), 7-zip didn't write "data descriptor" for some files.
        *   ext4 archives: 7-Zip couldn't correctly extract symbolic link to directory from ext4 archives.
        *   HFS and APFS archives: 7-Zip incorrectly decoded uncompressed blocks (64 KiB) in compressed forks.
        *   Some another bugs were fixed.
    
    Source code will be available later.
    
    There are internal changes in source code across the whole code. So some new bugs are possible in this new version. That is why this version is marked as "beta" in this forum message.  
    If you see new bugs and problems that have appeared in this 23.00 version, please write about it in this forum thread.
    
     
    
    Last edit: Igor Pavlov 2023-05-07
    

*   Thanks, Igor, I can't wait to test drive the new version.😃
    

*    
    
    Last edit: AlexS 2023-05-07
    
    *   -myx was changed.  
        7-Zip in default -myx5 mode now parses exe and dll files to select arm64 or x86 filter.  
        Also 7-Zip can select ia64 (Itanium) and armt (ARM-Thumb) filters. But these Itanium and ARM-Thumb exe and dll files now are rare cases.
        
         
        
        Last edit: Igor Pavlov 2023-05-07
        

*   Since the 7zz executable in the macOS archive above will only extract files correctly on versions of macOS that have a utimensat() system call, it would be better to describe that archive more precisely:
    
    7-Zip (console version) for macOS **10.13 or newer** (ARM64 and x86-64):  
    https://7-zip.org/a/7z2300-mac.tar.xz
    
    On versions of macOS before 10.13, only the first file of an archive is extracted, and 7zz dies when trying to set the first extracted file’s timestamp with the missing utimensat() system call.
    
     
    
    Last edit: Christian Carey 2023-05-08
    

*   Here is updated English (United Kingdom) language.
    

*   Hi, i updated my previous translation of brazilian portuguese for 23.00's release.
    

*   Great!
    
    Would be possible, for the next beta, to have an option to list supported archive files first, such as WinRar does?
    

*   Thx for the new update, Igor.
    

*   Wow, one more update with the same boring interface from 25 years ago 🥱 Thanks for reminding us of Windows 98 when we open 7zip 😮‍💨
    
    *   give him a break, he is a one man operation, as far as I know.
        
    *   Funny, I was just thinking, wow, 24 years, and still creating amazing compression software, for free. The dedication is amazing. The interface is adequate for purpose. I use console version a lot as well as GUI, on Linux, Android (Termux), WSL, Windows. Everywhere I need (de)compression, automation, etc., 7-Zip is there for me, and I am grateful. If the GUI bothers you so much, get the source, modify it, share with others. Next time, try to write code for 24 years rather than complain for 24 years.
        
    *   What a dumb comment, you get 7-Zip for free and post crap like this? Why don't you just choose an alternative instead of spreading negative rubbish?
        
         
        
        Last edit: str() 2023-05-09
        
    *   but that interface is good (Extract Here and Extract To "name\" are separate options)
        

*    
    
    Last edit: HITCHER 2023-05-10
    

*   Hello Igor,
    
    I don't know if the topic has ever been discussed before. But is there any chance that 7zip will open and decompress lzip archives? I will be very grateful for your answer.
    
    Best regards  
    WT
    
    *   no plans for lzip support now.
        
        *   Thank you for the information.
            
            Best regards,  
            WT
            
    *   Hi, Witold,
        
        other developers have created their own adaptations of 7-Zip to add the ability to decompress lzip archives:
        
        *   https://github.com/mcmilk/7-Zip-zstd — 7-Zip ZS 22.01 (the full installation, not the Zstandard codec plugin), only for Windows;
        *   https://download.savannah.gnu.org/releases/lzip/7zip/ — a set of source code patches for 7-Zip 16.04, which if you’re comfortable with compiling your own software, could be adapted to patching newer source code versions of 7-Zip. (That’s what the 7-Zip ZS developers have done.)
        
        I haven’t tried either adaptation above. If you don’t use Windows and you’re not comfortable with compiling your own software, then continuing to use a standalone lzip program could be the simplest option.
        
        *   Thank you for your tip, Christian. I have tried the ZS edition. It suits me very well :-) It works very nicely under Windows desktop.
            
            Best regards,  
            WT
            

*   

*   On the About 7-Zip dialog, the version says 23.00, but it doesn't say 23.00 beta.
    
    *   "beta" marker of 23.00 is mentioned only here at forum.  
        So it's just additional warning for user before dowloading.  
        It can show to potential user that the code is new, and it's not so robust is final "non-beta" releases.  
        Next version of 7-Zip will be "23.01" or "23.01 beta".  
        There will be no any another "non-beta" 23.00.
        

*   Thanks for a great tool with a clean and easy interface!  
    One tiny wish: the cmd 7za version with the -stl switch: 'set archive timestamp from the most recently modified file' uses a folder stamp, if the folder is more recent than the most recent file stamp. Not a big thing but sometimes it is very useful to get the most recent modified file stamp instead as originally intended.  
    Please keep up the good work.
    
    *   -xtd switch can exclude directory metadata records from processing, if you don't need them by some reason.
        

Log in to post a comment.

CVE-2023-31102: 7-Zip / Discussion / Open Discussion: 7-Zip 23.00

bcrypt password hashing in Botan before 2.1.0 does not correctly handle passwords with a length between 57 and 72 characters, which makes it easier for attackers to determine the cleartext password.

If you think you have found a security bug in Botan please contact Jack Lloyd (jack@randombit.net). If you would like to encrypt your mail please use:

pub   rsa3072/57123B60 2015-03-23
      Key fingerprint = 4E60 C735 51AF 2188 DF0A  5A62 78E9 8043 5712 3B60
      uid         Jack Lloyd <jack@randombit.net>

This key can be found in the file doc/pgpkey.txt or online at https://keybase.io/jacklloyd and on most PGP keyservers.

**2022¶**

*   2022-11-16: Failure to correctly check OCSP responder embedded certificate
    
    OCSP responses for some end entity are either signed by the issuing CA certificate of the PKI, or an OCSP responder certificate that the PKI authorized to sign responses in their name. In the latter case, the responder certificate (and its validation path certificate) may be embedded into the OCSP response and clients must verify that such certificates are indeed authorized by the CA when validating OCSP responses.
    
    The OCSP implementation failed to verify that an authorized responder certificate embedded in an OCSP response is authorized by the issuing CA. As a result, any valid signature by an embedded certificate passed the check and was allowed to make claims about the revocation status of certificates of any CA.
    
    Attackers that are in a position to spoof OCSP responses for a client could therefore render legitimate certificates of a 3rd party CA as revoked or even use a compromised (and actually revoked) certificate by spoofing an OCSP-“OK” response. E.g. an attacker could exploit this to impersonate a legitimate TLS server using a compromised certificate of that host and get around the revocation check using OCSP stapling.
    
    Introduced in 1.11.34, fixed in 2.19.3
    

**2020¶**

*   2020-12-21 (CVE-2021-24115): Codec encoding/decoding was not constant time
    
    The base64, base32, base58 and hex encoding/decoding routines used lookup tables which could leak information via a cache-based side channel attack. The encoding tables were small and unlikely to be exploitable, but the decoding tables were large enough to cause non-negligible information leakage. In particular parsing an unencrypted PEM-encoded private key within an SGX enclave could be easily attacked to leak key material.
    
    Identified and reported by Jan Wichelmann, Thomas Eisenbarth, Sebastian Berndt, and Florian Sieck.
    
    Fixed in 2.17.3
    
*   2020-07-05: Failure to enforce name constraints on alternative names
    
    The path validation algorithm enforced name constraints on the primary DN included in the certificate but failed to do so against alternative DNs which may be included in the subject alternative name. This would allow a corrupted sub-CA which was constrained by a name constraints extension in its own certificate to issue a certificate containing a prohibited DN. Until 2.15.0, there was no API to access these alternative name DNs so it is unlikely that any application would make incorrect access control decisions on the basis of the incorrect DN. Reported by Mario Korth of Ruhr-Universität Bochum.
    
    Introduced in 1.11.29, fixed in 2.15.0
    
*   2020-03-24: Side channel during CBC padding
    
    The CBC padding operations were not constant time and as a result would leak the length of the plaintext values which were being padded to an attacker running a side channel attack via shared resources such as cache or branch predictor. No information about the contents was leaked, but the length alone might be used to make inferences about the contents. This issue affects TLS CBC ciphersuites as well as CBC encryption using PKCS7 or other similar padding mechanisms. In all cases, the unpadding operations were already constant time and are not affected. Reported by Maximilian Blochberger of Universität Hamburg.
    
    Fixed in 2.14.0, all prior versions affected.
    

**2018¶**

*   2018-12-17 (CVE-2018-20187): Side channel during ECC key generation
    
    A timing side channel during ECC key generation could leak information about the high bits of the secret scalar. Such information allows an attacker to perform a brute force attack on the key somewhat more efficiently than they would otherwise. Found by Ján Jančár using ECTester.
    
    Introduced in 1.11.20, fixed in 2.8.0.
    
*   2018-06-13 (CVE-2018-12435): ECDSA side channel
    
    A side channel in the ECDSA signature operation could allow a local attacker to recover the secret key. Found by Keegan Ryan of NCC Group.
    
    Bug introduced in 2.5.0, fixed in 2.7.0. The 1.10 branch is not affected.
    
*   2018-04-10 (CVE-2018-9860): Memory overread in TLS CBC decryption
    
    An off by one error in TLS CBC decryption meant that for a particular malformed ciphertext, the receiver would miscompute a length field and HMAC exactly 64K bytes of data following the record buffer as if it was part of the message. This cannot be used to leak information since the MAC comparison will subsequently fail and the connection will be closed. However it might be used for denial of service. Found by OSS-Fuzz.
    
    Bug introduced in 1.11.32, fixed in 2.6.0
    
*   2018-03-29 (CVE-2018-9127): Invalid wildcard match
    
    RFC 6125 wildcard matching was incorrectly implemented, so that a wildcard certificate such as b*.domain.com would match any hosts *b*.domain.com instead of just server names beginning with b. The host and certificate would still have to be in the same domain name. Reported by Fabian Weißberg of Rohde and Schwarz Cybersecurity.
    
    Bug introduced in 2.2.0, fixed in 2.5.0
    

**2017¶**

*   2017-10-02 (CVE-2017-14737): Potential side channel using cache information
    
    In the Montgomery exponentiation code, a table of precomputed values is used. An attacker able to analyze which cache lines were accessed (perhaps via an active attack such as Prime+Probe) could recover information about the exponent. Identified in “CacheD: Identifying Cache-Based Timing Channels in Production Software” by Wang, Wang, Liu, Zhang, and Wu (Usenix Security 2017).
    
    Fixed in 1.10.17 and 2.3.0, all prior versions affected.
    
*   2017-07-16: Failure to fully zeroize memory before free
    
    The secure\_allocator type attempts to zeroize memory before freeing it. Due to a error sometimes only a portion of the memory would be zeroed, because of a confusion between the number of elements vs the number of bytes that those elements use. So byte vectors would always be fully zeroed (since the two notions result in the same value), but for example with an array of 32-bit integers, only the first 1/4 of the elements would be zeroed before being deallocated. This may result in information leakage, if an attacker can access memory on the heap. Reported by Roman Pozlevich.
    
    Bug introduced in 1.11.10, fixed in 2.2.0
    
*   2017-04-04 (CVE-2017-2801): Incorrect comparison in X.509 DN strings
    
    Botan’s implementation of X.509 name comparisons had a flaw which could result in an out of bound memory read while processing a specially formed DN. This could potentially be exploited for information disclosure or denial of service, or result in incorrect validation results. Found independently by Aleksandar Nikolic of Cisco Talos, and OSS-Fuzz automated fuzzing infrastructure.
    
    Bug introduced in 1.6.0 or earlier, fixed in 2.1.0 and 1.10.16
    
*   2017-03-23 (CVE-2017-7252): Incorrect bcrypt computation
    
    Botan’s implementation of bcrypt password hashing scheme truncated long passwords at 56 characters, instead of at bcrypt’s standard 72 characters limit. Passwords with lengths between these two bounds could be cracked more easily than should be the case due to the final password bytes being ignored. Found and reported by Solar Designer.
    
    Bug introduced in 1.11.0, fixed in 2.1.0.
    

**2016¶**

*   2016-11-27 (CVE-2016-9132) Integer overflow in BER decoder
    
    While decoding BER length fields, an integer overflow could occur. This could occur while parsing untrusted inputs such as X.509 certificates. The overflow does not seem to lead to any obviously exploitable condition, but exploitation cannot be positively ruled out. Only 32-bit platforms are likely affected; to cause an overflow on 64-bit the parsed data would have to be many gigabytes. Bug found by Falko Strenzke, cryptosource GmbH.
    
    Fixed in 1.10.14 and 1.11.34, all prior versions affected.
    
*   2016-10-26 (CVE-2016-8871) OAEP side channel
    
    A side channel in OAEP decoding could be used to distinguish RSA ciphertexts that did or did not have a leading 0 byte. For an attacker capable of precisely measuring the time taken for OAEP decoding, this could be used as an oracle allowing decryption of arbitrary RSA ciphertexts. Remote exploitation seems difficult as OAEP decoding is always paired with RSA decryption, which takes substantially more (and variable) time, and so will tend to mask the timing channel. This attack does seems well within reach of a local attacker capable of a cache or branch predictor based side channel attack. Finding, analysis, and patch by Juraj Somorovsky.
    
    Introduced in 1.11.29, fixed in 1.11.33
    
*   2016-08-30 (CVE-2016-6878) Undefined behavior in Curve25519
    
    On systems without a native 128-bit integer type, the Curve25519 code invoked undefined behavior. This was known to produce incorrect results on 32-bit ARM when compiled by Clang.
    
    Introduced in 1.11.12, fixed in 1.11.31
    
*   2016-08-30 (CVE-2016-6879) Bad result from X509\_Certificate::allowed\_usage
    
    If allowed\_usage was called with more than one Key\_Usage set in the enum value, the function would return true if _any_ of the allowed usages were set, instead of if _all_ of the allowed usages are set. This could be used to bypass an application key usage check. Credit to Daniel Neus of Rohde & Schwarz Cybersecurity for finding this issue.
    
    Introduced in 1.11.0, fixed in 1.11.31
    
*   2016-03-17 (CVE-2016-2849): ECDSA side channel
    
    ECDSA (and DSA) signature algorithms perform a modular inverse on the signature nonce k. The modular inverse algorithm used had input dependent loops, and it is possible a side channel attack could recover sufficient information about the nonce to eventually recover the ECDSA secret key. Found by Sean Devlin.
    
    Introduced in 1.7.15, fixed in 1.10.13 and 1.11.29
    
*   2016-03-17 (CVE-2016-2850): Failure to enforce TLS policy
    
    TLS v1.2 allows negotiating which signature algorithms and hash functions each side is willing to accept. However received signatures were not actually checked against the specified policy. This had the effect of allowing a server to use an MD5 or SHA-1 signature, even though the default policy prohibits it. The same issue affected client cert authentication.
    
    The TLS client also failed to verify that the ECC curve the server chose to use was one which was acceptable by the client policy.
    
    Introduced in 1.11.0, fixed in 1.11.29
    
*   2016-02-01 (CVE-2016-2196): Overwrite in P-521 reduction
    
    The P-521 reduction function would overwrite zero to one word following the allocated block. This could potentially result in remote code execution or a crash. Found with AFL
    
    Introduced in 1.11.10, fixed in 1.11.27
    
*   2016-02-01 (CVE-2016-2195): Heap overflow on invalid ECC point
    
    The PointGFp constructor did not check that the affine coordinate arguments were less than the prime, but then in curve multiplication assumed that both arguments if multiplied would fit into an integer twice the size of the prime.
    
    The bigint\_mul and bigint\_sqr functions received the size of the output buffer, but only used it to dispatch to a faster algorithm in cases where there was sufficient output space to call an unrolled multiplication function.
    
    The result is a heap overflow accessible via ECC point decoding, which accepted untrusted inputs. This is likely exploitable for remote code execution.
    
    On systems which use the mlock pool allocator, it would allow an attacker to overwrite memory held in secure\_vector objects. After this point the write will hit the guard page at the end of the mmap’ed region so it probably could not be used for code execution directly, but would allow overwriting adjacent key material.
    
    Found by Alex Gaynor fuzzing with AFL
    
    Introduced in 1.9.18, fixed in 1.11.27 and 1.10.11
    
*   2016-02-01 (CVE-2016-2194): Infinite loop in modular square root algorithm
    
    The ressol function implements the Tonelli-Shanks algorithm for finding square roots could be sent into a nearly infinite loop due to a misplaced conditional check. This could occur if a composite modulus is provided, as this algorithm is only defined for primes. This function is exposed to attacker controlled input via the OS2ECP function during ECC point decompression. Found by AFL
    
    Introduced in 1.7.15, fixed in 1.11.27 and 1.10.11
    

**2015¶**

*   2015-11-04: TLS certificate authentication bypass
    
    When the bugs affecting X.509 path validation were fixed in 1.11.22, a check in Credentials\_Manager::verify\_certificate\_chain was accidentally removed which caused path validation failures not to be signaled to the TLS layer. So for affected versions, certificate authentication in TLS is bypassed. As a workaround, applications can override the call and implement the correct check. Reported by Florent Le Coz in GH #324
    
    Introduced in 1.11.22, fixed in 1.11.24
    
*   2015-10-26 (CVE-2015-7824): Padding oracle attack on TLS
    
    A padding oracle attack was possible against TLS CBC ciphersuites because if a certain length check on the packet fields failed, a different alert type than one used for message authentication failure would be returned to the sender. This check triggering would leak information about the value of the padding bytes and could be used to perform iterative decryption.
    
    As with most such oracle attacks, the danger depends on the underlying protocol - HTTP servers are particularly vulnerable. The current analysis suggests that to exploit it an attacker would first have to guess several bytes of plaintext, but again this is quite possible in many situations including HTTP.
    
    Found in a review by Sirrix AG and 3curity GmbH.
    
    Introduced in 1.11.0, fixed in 1.11.22
    
*   2015-10-26 (CVE-2015-7825): Infinite loop during certificate path validation
    
    When evaluating a certificate path, if a loop in the certificate chain was encountered (for instance where C1 certifies C2, which certifies C1) an infinite loop would occur eventually resulting in memory exhaustion. Found in a review by Sirrix AG and 3curity GmbH.
    
    Introduced in 1.11.6, fixed in 1.11.22
    
*   2015-10-26 (CVE-2015-7826): Acceptance of invalid certificate names
    
    RFC 6125 specifies how to match a X.509v3 certificate against a DNS name for application usage.
    
    Otherwise valid certificates using wildcards would be accepted as matching certain hostnames that should they should not according to RFC 6125. For example a certificate issued for *.example.com should match foo.example.com but not example.com or bar.foo.example.com. Previously Botan would accept such a certificate as also valid for bar.foo.example.com.
    
    RFC 6125 also requires that when matching a X.509 certificate against a DNS name, the CN entry is only compared if no subjectAlternativeName entry is available. Previously X509\_Certificate::matches\_dns\_name would always check both names.
    
    Found in a review by Sirrix AG and 3curity GmbH.
    
    Introduced in 1.11.0, fixed in 1.11.22
    
*   2015-10-26 (CVE-2015-7827): PKCS #1 v1.5 decoding was not constant time
    
    During RSA decryption, how long decoding of PKCS #1 v1.5 padding took was input dependent. If these differences could be measured by an attacker, it could be used to mount a Bleichenbacher million-message attack. PKCS #1 v1.5 decoding has been rewritten to use a sequence of operations which do not contain any input-dependent indexes or jumps. Notations for checking constant time blocks with ctgrind (https://github.com/agl/ctgrind) were added to PKCS #1 decoding among other areas. Found in a review by Sirrix AG and 3curity GmbH.
    
    Fixed in 1.11.22 and 1.10.13. Affected all previous versions.
    
*   2015-08-03 (CVE-2015-5726): Crash in BER decoder
    
    The BER decoder would crash due to reading from offset 0 of an empty vector if it encountered a BIT STRING which did not contain any data at all. This can be used to easily crash applications reading untrusted ASN.1 data, but does not seem exploitable for code execution. Found with afl.
    
    Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
    
*   2015-08-03 (CVE-2015-5727): Excess memory allocation in BER decoder
    
    The BER decoder would allocate a fairly arbitrary amount of memory in a length field, even if there was no chance the read request would succeed. This might cause the process to run out of memory or invoke the OOM killer. Found with afl.
    
    Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11
    

**2014¶**

*   2014-04-10 (CVE-2014-9742): Insufficient randomness in Miller-Rabin primality check
    
    A bug in the Miller-Rabin primality test resulted in only a single random base being used instead of a sequence of such bases. This increased the probability that a non-prime would be accepted by is\_prime or that a randomly generated prime might actually be composite. The probability of a random 1024 bit number being incorrectly classed as prime with a single base is around 2^-40. Reported by Jeff Marrison.
    
    Introduced in 1.8.3, fixed in 1.10.8 and 1.11.9

CVE-2017-7252: Security Advisories — Botan

By Waqas
Software is the backbone of modern technology, serving various purposes across different sectors. The vast array of software…
This is a post from HackRead.com Read the original post: Exploring Software Categories: From Basics to Specialized Applications

Software is the backbone of modern technology, serving various purposes across different sectors. The vast array of software types caters to the complex and specific needs of users, ranging from basic applications to highly specialized programs.

Understanding the different categories of software and their respective uses is integral to learning and understanding the technological advances and their vast applications in our daily lives.

1.  **System Software:** System software forms the foundation of computer systems. Operating systems like Windows, macOS, and Linux are vital in managing hardware resources, providing essential services to other software, and enabling users to interact with their devices. Without these operating systems, applications wouldn’t function.
2.  **Application Software:** This category covers an extensive range of programs designed to perform specific tasks for users. From productivity suites like Microsoft Office and Google Workspace for creating documents, spreadsheets, and presentations to web browsers such as Chrome, Firefox, and Safari for accessing the internet, application software encompasses tools that support everyday activities.
3.  **Programming Software:** Programming software is used by developers to create other software. This includes text editors, compilers, debuggers, and integrated development environments (IDEs) that aid in writing, testing, and debugging code. Examples include Visual Studio, Eclipse, and Sublime Text.
4.  **Driver Software:** Drivers facilitate communication between the operating system and various hardware components, ensuring that devices like printers, scanners, and graphics cards work seamlessly with the computer. They provide the necessary instructions for the system to recognize and operate connected hardware.
5.  **Utilities:** Utilities encompass a wide range of software designed for system maintenance and optimization. These tools perform tasks like disk cleanup, antivirus scans, data backup, and file compression, ensuring smooth system operations and data security.
6.  **Middleware:** Middleware acts as an intermediary between different applications, enabling seamless communication and data management across multiple systems. It is used extensively in enterprise environments and in connecting disparate systems to streamline business processes.
7.  **Firmware:** Embedded into hardware devices, the firmware provides low-level control for the specific functions of the device. It’s integral to the functioning of devices such as routers, modems, and IoT (Internet of Things) devices.
8.  **Embedded software**: Embedded software refers to computer programs or software that are specifically designed to perform specific functions within a larger mechanical or electrical system. These programs are typically written to control or monitor the operation of embedded systems, which are specialized computing systems that perform dedicated functions within a larger system. Embedded software is commonly found in various devices and systems such as consumer electronics, automotive systems, industrial machines and equipment medical devices, aerospace and defense systems.

Each type of software serves distinct purposes, contributing to the advancement of technology in various fields:

**In business and industry**, Enterprise Resource Planning (ERP) software integrates various processes like finance, human resources, and supply chain management. Customer Relationship Management (CRM) software helps businesses manage interactions with customers and potential customers.

**Educational software** supports learning and teaching in classrooms and at home, offering interactive tools for various subjects and educational levels.

**Healthcare software** aids in patient management, electronic health records, diagnostic tools, and medical research.

**The entertainment industry** thrives on multimedia software for content creation, editing, and production, including video editing, animation, and music composition software.

The wide variety of software types highlights how much technology affects our daily lives. From handling simple computer tasks to running complex business operations, the software keeps changing and getting better, propelling advancements and developing how we engage with the world. Knowing about different kinds of software and what they do is essential in keeping up with the ever-growing world of technology.

****_RELATED ARTICLES_****

1.  Crucial Cybersecurity Software Features
2.  What Is Incident Management Software?
3.  The Role of Software Escrow in Mitigating Business Risks
4.  Antivirus Software: The Best Deals, Coupons and Discounts
5.  Integrating Pay-Per-Minute Chat Software in Customer Service

Exploring Software Categories: From Basics to Specialized Applications

The Arid Viper threat actor is actively trying to install spyware on targeted devices in the Middle East, using fake dating apps as lures.

Thursday, November 2, 2023 14:11

Windows CE — an operating system that, despite being out for 27 years, never had an official explanation for why it was called “CE” — finally reached its official end-of-life period this week. 

This was Microsoft’s first operating system for embedded and pocket devices, making an appearance on personal pocket assistants, some of the first BlackBerry-likes, laptops and more during its lifetime.  

In 2020, Microsoft announced a clear migration path for devices using Windows CE and warned of its impending end-of-life (meaning there’d be no more support, security patches, etc.) by telling users to run a container on top of Windows 10 IoT. 

However, Microsoft says it will continue license sales for Windows Embedded Compact 2013 (the last time Windows CE received a full version update until 2028). I’ve written before about the dangers of people thinking it’s cool to still run Windows 7, which was already a surprise to me, but then by reading more about Windows CE this week, I found that some of the most important hardware the U.S. relies on still use Windows CE: voting machines. 

A Windows CE phone was at the center of the “Hillary Clinton emails” drama during the 2016 presidential election, and since then, security researchers have found that some voting machines using Windows CE are vulnerable to various exploits.   

I found one DEF CON 25 attendee in 2017 who went to the conference’s first-ever “Voting Village” where researchers poked and prodded various voting systems, including the ExpressPoll 5000 voter registration system that used Windows CE 5.0. Needless to say, the ExpressPoll 5000 didn’t stand a chance. 

I couldn’t find any information on if there are still any ExpressPoll 5000s in the wild, but the Maryland State Board of Elections was still accepting the devices into their pool of devices that could be certified to be used in elections with an “acceptance test” as of 2016. 

Other Diebold voting machines used in the 2016 presidential election also ran outdated versions of Windows CE. (Vice News had a video segment on this topic that’s since been scrubbed from the internet, but there’s a great written recap of the segment here.)  

Again, there is no real proof that these systems are still being used in the wild. After the security concerns stemming from the 2016 election, the U.S. took a much tougher look at election security and continues to invest heavily in more secure voting machines, so there’s a possibility these devices are all now out of service, patched, or hopefully just buried in a ditch somewhere.  

But it does get to a larger point, that a lot of the technology our government relies on is \*old\*. Many voting systems used in the 2020 presidential election relied on Windows 7, which also is now at its end-of-life and isn’t receiving any security updates. Support for Windows 8.1 ended at the beginning of this year, and who knows what devices are floating out there still using versions of that OS, and Windows 10 will reach its end-of-life period in October 2025, so by the time we get to the 2028 election (I can’t even fathom that as a real year still), I suspect we’ll be seeing lots of stories of all the voting devices relying on that.  

**The one big thing **

The Arid Viper threat actor is actively trying to install spyware on targeted devices in the Middle East, using fake dating apps as lures. Although Arid Viper is believed to be based out of Gaza, Talos has no evidence indicating or refuting that this campaign is related in any way to the Israel-Hamas war. The malicious apps Arid Viper uses are very similar to other legitimate apps, so it’s fairly easy for an unsuspecting user to get hit.  

**Why do I care? **

Spyware is very dangerous no matter how you twist it, but in this particular case, Arid Viper’s spyware collects the target’s sensitive personal information off their devices and disables security notifications so the actor can install more malware. The use of spyware across the globe continues to be a major issue that governments have had a hard time reigning in (and sometimes the governments themselves are the ones using it). 

**So now what? **

Our blog post has more details on the malicious apps being used in this campaign, so potential targets know what to be on the lookout for. We also have several new IOCs available for defenders to add to their blocklists. Potentially sensitive targets like politicians, journalists or activists may want to enable “safe” modes on their mobile devices, which can help protect against all types of spyware.  

**Top security headlines of the week **

**U.S. President Joe Biden signed a sweeping Executive Order this week attempting to regulate the use of AI and put several privacy safeguards in place.** The order also calls on Congress to pass national AI privacy legislation. Under the new rules, leading AI developers will need to share safety test results and other information about their software with the government. The National Institute of Standards and Technology will also create new standards to ensure AI tools are safe and secure before they’re publicly released. Federal agencies will now also need to change the way they use AI, with the hopes that the private sector will follow suit. Federal benefits programs and contractors will need to ensure that any AI tools they rely on do not deepen any racial biases in their activities. However, privacy experts only view the Executive Order as a small first step that needs to be augmented by national legislation and enforcement. (AP News, ABC News) 

**The U.S. government is preparing for an influx of Iranian-backed cyber attacks in retaliation for the U.S.’ support of Israel in its war against Hamas.** FBI Director Christopher Wray told a Congressional committee this week that, “The cyber targeting of American interests and critical infrastructure that we already see conducted by Iran and non-state actors alike we can expect to get worse if the conflict expands.” New research also indicates that Iranian threat actors have carried out a range of cyber espionage activities across the Middle East, looking to collect sensitive intelligence and disrupt important services. There may be up 15 different hacking groups affiliated directly with, or serving as a proxy for, the Iranian Revolutionary Guard Corps or the Iranian Ministry of Intelligence. (Politico, The New York Times) 

**Cloud computing company Citrix is warning of the mass exploitation of a critical vulnerability in its NetScaler ADC/Gateway devices.** Known as “Citrix Bleed,” CVE-2023-4966 is an information disclosure vulnerability that could allow attackers to steal valid session tokens from internet-facing Netscaler devices running vulnerable software. Citrix disclosed the vulnerability on Oct. 10, warning users to update affected devices immediately. However, security researchers soon found that attackers had been exploiting the vulnerability since August. Researcher Kevin Beaumont reported on his personal social media channels that he found an estimated 20,000 instances of exploited Citrix devices where session tokens were stolen. (HelpNet Security, Ars Technica) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #140: Chicken Soup and Contact Centers 
*   Talos Takes Ep. #160: Patching 101 
*   Cisco Talos Incident Response On Air for Q3 2023 
*   Arid Viper Campaign Targets Arabic-Speaking Users 
*   Kazakhstan-based hackers targeting gov’t websites in Central Asia, Cisco says 

**Upcoming events where you can find Talos **

**Black Hat Middle East and Africa** **(Nov. 16)** 

Riyadh, Saudi Arabia 

> _Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans._ 

**misecCON** **(Nov. 17)** 

Lansing, Michigan 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: 21d709b0593c19ad2798903ae02de7ecdbf8033b3e791b70d7595bca64b99721**   
**MD5:** af8a072f20c8e647f53eb735528f070d   
**Typical Filename:** Head Office.exe   
**Claimed Product:** Head Office   
**Detection Name:** Win.Dropper.Pykspa::100.sbx.vioc 

**SHA 256:** 032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe   
**MD5:** a5cc0738a563489458f6541c3d3dc722   
**Typical Filename:** wuauclt.exe   
**Claimed Product:** Microsoft® Windows® Operating System   
**Detection Name:** Win.Dropper.Vools::100.sbx.tg 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c      
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c      
**Typical Filename:** AAct.exe      
**Claimed Product:** N/A        
**Detection Name:** PUA.Win.Tool.Kmsauto::1201 

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd

You’d be surprised to know what devices are still using Windows CE

CulturePulse's AI model promises to create a realistic virtual simulation of every Israeli and Palestinian citizen. But don't roll your eyes: It's already been put to the test in other conflict zones.

Training artificial intelligence models does not typically involve coming face-to-face with an armed soldier who is pointing a gun at you and shouting at your driver to get out of the car. But the system that F. LeRon Shults and Justin Lane, cofounders of CulturePulse, are developing for the United Nations is not a typical AI model.

“I got pulled over by the \[Israeli\] military, by a guy holding \[a military rifle\] because we had a Palestinian taxi driver who drove past a line he wasn't supposed to,” Shults tells WIRED. “So that was an adventure.”

Shults and Lane were in the West Bank in September, just weeks before Hamas attacked Israel on October 7, sparking what has become one of the worst periods of violence in the region in at least 50 years.

Shults and Lane—both Americans who are now based in Europe—were on the ground as part of a contract they signed with the UN in August to develop a first-of-its-kind AI model that they hope will help analyze solutions to the Israel-Palestinian conflict.

Shults and Lane are aware that claiming that AI could “solve the crisis” between Israelis and Palestinians is likely to result in a lot of eye-rolling if not outright hostility, especially given the horrific scenes coming out of Gaza daily. So they are quick to dispel that this is what they are trying to do.

“Quite frankly, if I were to phrase it that way, I'd roll my eyes too,” Shults says. “The key is that the model is not designed to resolve the situation; it's to understand, analyze, and get insights into implementing policies and communication strategies.”

The conflict in the region is centuries old and deeply complex, and it's made even more complicated by the current crisis. Countless efforts at finding a political solution have failed, and any eventual end to the crisis will need support not just from the two sides involved, but likely the wider international community. All of this makes it impossible for an AI system to simply spit out a fully formed solution. Instead, CulturePulse aims to pinpoint the underlying causes of the conflict.

“We know that you can't solve a problem this complex with a single AI system. That's not ever going to be feasible in my opinion,” Lane tells WIRED. “What is feasible is using an intelligent AI system—using a digital twin of a conflict—to explore the potential solutions that are there.”

The digital twin Lane is speaking of is CulturePulse’s multi-agent AI model that they are currently building for the UN. The model will ultimately create a virtual version of each and every one of the 15 million people who live in Israel and the Palestinian territories, each imbued with demographics, religious beliefs, and moral values that echo their real-world counterparts, according to Shults and Lane.

In total, CulturePulse’s model can factor in over 80 categories to each “agent,” including traits like anger, anxiety, personality, morality, family, friends, finances, inclusivity, racism, and hate speech.

“These models are entire artificial societies, with thousands or millions of simulated adaptive artificially intelligent agents that are networked with each other, and they're designed in a way that is more psychologically realistic and more sociologically realistic,” Shults says. “Basically you have a laboratory, an artificial laboratory, that you can play with on your PC in ways that you could never do ethically, certainly, in the real world.”

The system will allow the UN to see how the virtual society would react to changes in economic prosperity, heightened security, changing political influences, and a range of other parameters. Shults and Lane claim their model predicts outcomes with clinical accuracy of over 95 percent correlation to real-world outcomes.

“It goes beyond just learning randomly and finding patterns like machine learning, and it goes beyond statistics, which gives you correlations,” Shults says. “It actually gets to a causality, because of the multi-agent AI system which grows the conflict, or the polarization, or the peaceful immigration policy from the ground up. So it shows you what you want to create before you try it out in the real world.”

Discussions around AI and the Israel-Hamas war have so far been focused on the threat posed by generative AI to push disinformation. While those threats have yet to materialize, news cycles have been clouded by disinformation and misinformation being shared by all sides. Rather than trying to eliminate this disruptive element, CulturePulse’s model will factor it into its analysis.

“We actually deliberately want to make sure that those materials that are biased are being put into these models. They just need to be put into the model in a psychologically real way,” Lane says.

The horrific massacres and humanitarian crises happening in Israel and Gaza over the past month have brought home the pressing need for a solution to the deeply rooted conflict. But before the latest outbreak in violence in the region, the UN Development Program (UNDP) was already exploring new options in trying to find a resolution, signing an initial five-month contact with CulturePulse in August.

The application of artificial intelligence technologies to conflict situations has been around since at least 1996, with machine learning being used to predict where conflicts may occur. The use of AI in this area has expanded in the intervening years, being used to improve logistics, training, and other aspects of peacekeeping missions. Lane and Shults believe they could use artificial intelligence to dig deeper and find the root causes of conflicts.

Their idea for an AI program that models the belief systems that drive human behavior first began when Lane moved to Northern Ireland a decade ago to study whether computation modeling and cognition could be used to understand issues around religious violence.

In Belfast, Lane figured out that by modeling aspects of identity and social cohesion, and identifying the factors that make people motivated to fight and die for a particular cause, he could accurately predict what was going to happen next.

“We set out to try and come up with something that could help us better understand what it is about human nature that sometimes results in conflict, and then how can we use that tool to try and get a better handle or understanding on these deeper, more psychological issues at really large scales,” Lane says.

The result of their work was a study published in 2018 in _The Journal for Artificial Societies and Social Simulation,_ which found that people are typically peaceful but will engage in violence when an outside group threatens the core principles of their religious identity.

A year later, Lane wrote that the model he had developed predicted that measures introduced by Brexit—the UK’s departure from the European Union that included the introduction of a hard border in the Irish Sea between Northern Ireland and the rest of the UK—would result in a rise in paramilitary activity. Months later, the model was proved right.

The multi-agent model developed by Lane and Shults relied on distilling more than 50 million articles from GDelt, a project that ​​monitors “the world's broadcast, print, and web news from nearly every corner of every country in over 100 languages.” But feeding the AI millions of articles and documents was not enough, the researchers realized. In order to fully understand what was driving the people of Northern Ireland to engage in violence against their neighbors, they would need to conduct their own research.

Lane spent months finding and speaking to those directly involved in the violence, such as members of the Ulster Volunteer Force (UVF), a paramilitary group loyal to the British crown, and the Irish Republican Army (IRA), a paramilitary group seeking the end of British rule on the island of Ireland. The information that Lane gathered in these interviews was fed into his model in order to give a more complete understanding of the psychology behind the violence that had riven the country for three decades.

While Lane is now based in Slovakia, he maintains the links he built up while in Northern Ireland, returning at least once a year to speak to the people again, and update his model with the latest information. If during these conversations Lane hears about a particular issue or a reason why someone took a particular action that’s not present in the AI model, the team will see if there is lab data to back it up before putting it into his model.

“And if the data doesn’t exist, we'll go out and we'll do our own experimentation with universities to see if there is evidence, and then we will build that into our project,” Lane says.

In recent years, Lane and Shults have worked with a number of groups and governments to apply their model to better understand situations across the globe, including the conflicts in South Sudan and the Balkans. The model has also been used in the Syrian Refugee Crisis, where Lane and Shults traveled to the Greek island of Lesbos to gather firsthand information to help their system integrate refugees with host families. CulturePulse has also worked with the Norwegian government to tackle the spread of Covid-19 misinformation by better understanding the reasons why someone is sharing inaccurate information.

Key to the success of all of these efforts is the collection of firsthand information about what’s happening on the ground. And so, when they signed the contract with the UNDP in August, the first thing Shults and Lane wanted to arrange was a visit to Israel and the West Bank, where they spent “about a week” gathering data. “We met with the UN and different NGOs going out to the villages, seeing firsthand what it looks like with the settler dynamics that are there,” Shults says. The pair attempted to go to Gaza but were refused entry.

The trip to Israel also included time speaking to their employers to find out exactly what it is they are hoping to get from this project.

“We spent a whole week extracting from the UN officials we met information that's relevant, that we need to know for the model, getting a sense of their understanding of the dynamics, the data that they might have that could inform the model's calibration and final validation,” Shults says.

Shults would not discuss the detailed parameters the UN had specified be built into the model, but his team gives the UN team regular updates over Zoom on the construction of the model and “the simulation experiments that are being run to test out the conditions and mechanisms that might lead to outcomes that they desire,” he says.

The UNDP has not yet responded to WIRED’s request for comment.

CulturePulse’s contract with the UNDP runs out in January, but they are hopeful of signing a phase-two contract that would see them build out a fully functional model. CulturePulse this month also signed a nine-month contract with UNDP to work on a system that would help resolve cultural and religious issues still causing conflict in Bosnia and Herzegovina since the end of the Bosnian War in 1995.

The reason the UN is turning to AI in the Israeli-Palestinian conflict, according to Lane, is that it simply has nowhere else to turn. “The way that the UN phrased it to us is that there's no more low-hanging fruit in that situation,” Lane says. “They needed to try something that was new and innovative, something that was really thinking outside of the box yet still really addressing the root issues of the problem.”

The UN Hired an AI Company to Untangle the Israeli-Palestinian Crisis

A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster.

CVE-2023-5408

A race condition occurred between the functions lmLogClose and txEnd in JFS, in the Linux Kernel, executed in different threads. This flaw allows a local attacker with normal user privileges to crash the system or leak internal kernel information.

Syzkaller reported an error "slab-use-after-free Write in txEnd".

crash report：

==================================================================
BUG: KASAN: slab-use-after-free in instrument\_atomic\_write include/linux/instrumented.h:87 \[inline\]
BUG: KASAN: slab-use-after-free in clear\_bit include/asm-generic/bitops/instrumented-atomic.h:41 \[inline\]
BUG: KASAN: slab-use-after-free in txEnd+0x2a3/0x5a0 fs/jfs/jfs\_txnmgr.c:535
Write of size 8 at addr ffff888021bee840 by task jfsCommit/130

CPU: 3 PID: 130 Comm: jfsCommit Not tainted 6.3.0-rc7-pasta #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Call Trace:
 <TASK>
 \_\_dump\_stack lib/dump\_stack.c:88 \[inline\]
 dump\_stack\_lvl+0xd9/0x150 lib/dump\_stack.c:106
 print\_address\_description mm/kasan/report.c:319 \[inline\]
 print\_report+0xc1/0x5e0 mm/kasan/report.c:430
 kasan\_report+0xc0/0xf0 mm/kasan/report.c:536
 check\_region\_inline mm/kasan/generic.c:181 \[inline\]
 kasan\_check\_range+0x144/0x190 mm/kasan/generic.c:187
 instrument\_atomic\_write include/linux/instrumented.h:87 \[inline\]
 clear\_bit include/asm-generic/bitops/instrumented-atomic.h:41 \[inline\]
 txEnd+0x2a3/0x5a0 fs/jfs/jfs\_txnmgr.c:535
 txLazyCommit fs/jfs/jfs\_txnmgr.c:2679 \[inline\]
 jfs\_lazycommit+0x75f/0xb10 fs/jfs/jfs\_txnmgr.c:2727
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:308
 </TASK>

Allocated by task 86743:
 kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
 kasan\_set\_track+0x25/0x30 mm/kasan/common.c:52
 \_\_\_\_kasan\_kmalloc mm/kasan/common.c:374 \[inline\]
 \_\_\_\_kasan\_kmalloc mm/kasan/common.c:333 \[inline\]
 \_\_kasan\_kmalloc+0xa3/0xb0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:580 \[inline\]
 kzalloc include/linux/slab.h:720 \[inline\]
 open\_inline\_log fs/jfs/jfs\_logmgr.c:1159 \[inline\]
 lmLogOpen+0x562/0x1430 fs/jfs/jfs\_logmgr.c:1069
 jfs\_mount\_rw+0x2f6/0x6d0 fs/jfs/jfs\_mount.c:257
 jfs\_fill\_super+0xa00/0xd40 fs/jfs/super.c:565
 mount\_bdev+0x351/0x410 fs/super.c:1380
 legacy\_get\_tree+0x109/0x220 fs/fs\_context.c:610
 vfs\_get\_tree+0x8d/0x350 fs/super.c:1510
 do\_new\_mount fs/namespace.c:3042 \[inline\]
 path\_mount+0x675/0x1e30 fs/namespace.c:3372
 do\_mount fs/namespace.c:3385 \[inline\]
 \_\_do\_sys\_mount fs/namespace.c:3594 \[inline\]
 \_\_se\_sys\_mount fs/namespace.c:3571 \[inline\]
 \_\_x64\_sys\_mount+0x283/0x300 fs/namespace.c:3571
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
 do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Freed by task 16288:
 kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
 kasan\_set\_track+0x25/0x30 mm/kasan/common.c:52
 kasan\_save\_free\_info+0x2b/0x40 mm/kasan/generic.c:521
 \_\_\_\_kasan\_slab\_free mm/kasan/common.c:236 \[inline\]
 \_\_\_\_kasan\_slab\_free+0x13b/0x1a0 mm/kasan/common.c:200
 kasan\_slab\_free include/linux/kasan.h:162 \[inline\]
 \_\_cache\_free mm/slab.c:3390 \[inline\]
 \_\_do\_kmem\_cache\_free mm/slab.c:3577 \[inline\]
 \_\_kmem\_cache\_free+0xcd/0x2c0 mm/slab.c:3584
 lmLogClose+0x595/0x720 fs/jfs/jfs\_logmgr.c:1461
 jfs\_umount+0x2ef/0x430 fs/jfs/jfs\_umount.c:114
 jfs\_put\_super+0x85/0x1d0 fs/jfs/super.c:194
 generic\_shutdown\_super+0x158/0x480 fs/super.c:500
 kill\_block\_super+0x9b/0xf0 fs/super.c:1407
 deactivate\_locked\_super+0x98/0x160 fs/super.c:331
 deactivate\_super+0xb1/0xd0 fs/super.c:362
 cleanup\_mnt+0x2ae/0x3d0 fs/namespace.c:1177
 task\_work\_run+0x168/0x260 kernel/task\_work.c:179
 resume\_user\_mode\_work include/linux/resume\_user\_mode.h:49 \[inline\]
 exit\_to\_user\_mode\_loop kernel/entry/common.c:171 \[inline\]
 exit\_to\_user\_mode\_prepare+0x210/0x240 kernel/entry/common.c:204
 \_\_syscall\_exit\_to\_user\_mode\_work kernel/entry/common.c:286 \[inline\]
 syscall\_exit\_to\_user\_mode+0x1d/0x50 kernel/entry/common.c:297
 do\_syscall\_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Last potentially related work creation:
 kasan\_save\_stack+0x22/0x40 mm/kasan/common.c:45
 \_\_kasan\_record\_aux\_stack+0x7b/0x90 mm/kasan/generic.c:491
 kvfree\_call\_rcu+0x70/0xad0 kernel/rcu/tree.c:3327
 neigh\_destroy+0x431/0x660 net/core/neighbour.c:941
 neigh\_release include/net/neighbour.h:449 \[inline\]
 neigh\_cleanup\_and\_release+0x1f8/0x280 net/core/neighbour.c:103
 neigh\_periodic\_work+0x60c/0xac0 net/core/neighbour.c:1025
 process\_one\_work+0x98a/0x15c0 kernel/workqueue.c:2390
 worker\_thread+0x669/0x1090 kernel/workqueue.c:2537
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:308

The buggy address belongs to the object at ffff888021bee800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 64 bytes inside of
 freed 1024-byte region \[ffff888021bee800, ffff888021beec00)

The buggy address belongs to the physical page:
page:ffffea000086fb80 refcount:1 mapcount:0 mapping:0000000000000000
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffff888012440700 ffffea0000583ed0 ffffea0000609790
raw: 0000000000000000 ffff888021bee000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected
page\_owner tracks the page as allocated
 prep\_new\_page mm/page\_alloc.c:2553 \[inline\]
 get\_page\_from\_freelist+0x119c/0x2d40 mm/page\_alloc.c:4326
 \_\_alloc\_pages+0x1cb/0x4a0 mm/page\_alloc.c:5592
 \_\_alloc\_pages\_node include/linux/gfp.h:237 \[inline\]
 kmem\_getpages mm/slab.c:1360 \[inline\]
 cache\_grow\_begin+0x9b/0x3b0 mm/slab.c:2570
 cache\_alloc\_refill+0x27e/0x380 mm/slab.c:2943
 \_\_\_\_cache\_alloc mm/slab.c:3019 \[inline\]
 \_\_\_\_cache\_alloc mm/slab.c:3002 \[inline\]
 \_\_do\_cache\_alloc mm/slab.c:3202 \[inline\]
 slab\_alloc\_node mm/slab.c:3250 \[inline\]
 \_\_kmem\_cache\_alloc\_node+0x360/0x3f0 mm/slab.c:3541
 \_\_do\_kmalloc\_node mm/slab\_common.c:966 \[inline\]
 \_\_kmalloc+0x4e/0x190 mm/slab\_common.c:980
 kmalloc include/linux/slab.h:584 \[inline\]
 kzalloc include/linux/slab.h:720 \[inline\]
 ieee802\_11\_parse\_elems\_full+0x106/0x1320 net/mac80211/util.c:1609
 ieee802\_11\_parse\_elems\_crc.constprop.0+0x99/0xd0
 net/mac80211/ieee80211\_i.h:2265
 ieee802\_11\_parse\_elems net/mac80211/ieee80211\_i.h:2272 \[inline\]
 ieee80211\_bss\_info\_update+0x410/0xb50 net/mac80211/scan.c:212
 ieee80211\_rx\_bss\_info net/mac80211/ibss.c:1120 \[inline\]
 ieee80211\_rx\_mgmt\_probe\_beacon net/mac80211/ibss.c:1609 \[inline\]
 ieee80211\_ibss\_rx\_queued\_mgmt+0x18b2/0x2d30 net/mac80211/ibss.c:1638
 ieee80211\_iface\_process\_skb net/mac80211/iface.c:1583 \[inline\]
 ieee80211\_iface\_work+0xa47/0xd60 net/mac80211/iface.c:1637
 process\_one\_work+0x98a/0x15c0 kernel/workqueue.c:2390
 worker\_thread+0x669/0x1090 kernel/workqueue.c:2537
 kthread+0x2e8/0x3a0 kernel/kthread.c:376
 ret\_from\_fork+0x1f/0x30 arch/x86/entry/entry\_64.S:308
page last free stack trace:
 reset\_page\_owner include/linux/page\_owner.h:24 \[inline\]
 free\_pages\_prepare mm/page\_alloc.c:1454 \[inline\]
 free\_pcp\_prepare+0x4e3/0x920 mm/page\_alloc.c:1504
 free\_unref\_page\_prepare mm/page\_alloc.c:3388 \[inline\]
 free\_unref\_page+0x1d/0x4e0 mm/page\_alloc.c:3483
 slab\_destroy mm/slab.c:1613 \[inline\]
 slabs\_destroy+0x85/0xc0 mm/slab.c:1633
 \_\_cache\_free\_alien mm/slab.c:773 \[inline\]
 cache\_free\_alien mm/slab.c:789 \[inline\]
 \_\_\_cache\_free+0x203/0x3e0 mm/slab.c:3417
 qlink\_free mm/kasan/quarantine.c:168 \[inline\]
 qlist\_free\_all+0x4f/0x1a0 mm/kasan/quarantine.c:187
 kasan\_quarantine\_reduce+0x188/0x1d0 mm/kasan/quarantine.c:294
 \_\_kasan\_slab\_alloc+0x63/0x90 mm/kasan/common.c:305
 kasan\_slab\_alloc include/linux/kasan.h:186 \[inline\]
 slab\_post\_alloc\_hook mm/slab.h:769 \[inline\]
 slab\_alloc\_node mm/slab.c:3257 \[inline\]
 slab\_alloc mm/slab.c:3266 \[inline\]
 \_\_kmem\_cache\_alloc\_lru mm/slab.c:3443 \[inline\]
 kmem\_cache\_alloc+0x1bd/0x3f0 mm/slab.c:3452
 vm\_area\_alloc+0x20/0x100 kernel/fork.c:458
 mmap\_region+0x389/0x2270 mm/mmap.c:2553
 do\_mmap+0x853/0xf20 mm/mmap.c:1364
 vm\_mmap\_pgoff+0x1af/0x280 mm/util.c:542
 ksys\_mmap\_pgoff+0x41f/0x5a0 mm/mmap.c:1410
 do\_syscall\_x64 arch/x86/entry/common.c:50 \[inline\]
 do\_syscall\_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff888021bee700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888021bee780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>_ffff888021bee800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb_
                                           ^
 ffff888021bee880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888021bee900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Through analysis, it was found that a race condition occurred between two
functions lmLogClose and txEnd, which were executed in different threads.
The possible sequence is as follows:

-------------------------------------------------------------------------
cpu1(free thread)        |        cpu2(use thread)
-------------------------------------------------------------------------
lmLogClose               |        txEnd
                         |        log = JFS\_SBI(tblk->sb)->log;
sbi->log = NULL;         |
kfree(log); \[1\] free log |
                         |        clear\_bit(log\_FLUSH, &log->flag); \[2\] UAF

Fix it by add a mutex lock between lmLogClose and txEnd:

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
---
 fs/jfs/jfs\_debug.c  | 1 +
 fs/jfs/jfs\_debug.h  | 1 +
 fs/jfs/jfs\_logmgr.c | 2 ++
 fs/jfs/jfs\_txnmgr.c | 8 ++++++++
 4 files changed, 12 insertions(+)

diff --git a/fs/jfs/jfs\_debug.c b/fs/jfs/jfs\_debug.c
index 44b62b3c322e..a9c9266b222b 100644
--- a/fs/jfs/jfs\_debug.c
+++ b/fs/jfs/jfs\_debug.c
@@ -78,3 +78,4 @@ void jfs\_proc\_clean(void)
 }
 
 #endif /\* PROC\_FS\_JFS \*/
+DEFINE\_MUTEX(txEnd\_lmLogClose\_mutex);
\\ No newline at end of file
diff --git a/fs/jfs/jfs\_debug.h b/fs/jfs/jfs\_debug.h
index 48e2150c092e..25da8ee71f5e 100644
--- a/fs/jfs/jfs\_debug.h
+++ b/fs/jfs/jfs\_debug.h
@@ -107,3 +107,4 @@ int jfs\_xtstat\_proc\_show(struct seq\_file \*m, void \*v);
 #endif				/\* CONFIG\_JFS\_STATISTICS \*/
 
 #endif				/\* \_H\_JFS\_DEBUG \*/
+extern struct mutex txEnd\_lmLogClose\_mutex;
\\ No newline at end of file
diff --git a/fs/jfs/jfs\_logmgr.c b/fs/jfs/jfs\_logmgr.c
index 695415cbfe98..05c5391075db 100644
--- a/fs/jfs/jfs\_logmgr.c
+++ b/fs/jfs/jfs\_logmgr.c
@@ -1442,6 +1442,7 @@ int lmLogClose(struct super\_block \*sb)
 	jfs\_info("lmLogClose: log:0x%p", log);
 
 	mutex\_lock(&jfs\_log\_mutex);
+	mutex\_lock(&txEnd\_lmLogClose\_mutex);
 	LOG\_LOCK(log);
 	list\_del(&sbi->log\_list);
 	LOG\_UNLOCK(log);
@@ -1490,6 +1491,7 @@ int lmLogClose(struct super\_block \*sb)
 	kfree(log);
 
       out:
+	mutex\_unlock(&txEnd\_lmLogClose\_mutex);
 	mutex\_unlock(&jfs\_log\_mutex);
 	jfs\_info("lmLogClose: exit(%d)", rc);
 	return rc;
diff --git a/fs/jfs/jfs\_txnmgr.c b/fs/jfs/jfs\_txnmgr.c
index ffd4feece078..5b4351e59535 100644
--- a/fs/jfs/jfs\_txnmgr.c
+++ b/fs/jfs/jfs\_txnmgr.c
@@ -490,6 +490,7 @@ void txEnd(tid\_t tid)
 	struct jfs\_log \*log;
 
 	jfs\_info("txEnd: tid = %d", tid);
+	mutex\_lock(&txEnd\_lmLogClose\_mutex);
 	TXN\_LOCK();
 
 	/\*
@@ -500,6 +501,11 @@ void txEnd(tid\_t tid)
 
 	log = JFS\_SBI(tblk->sb)->log;
 
+	if (!log) {
+		mutex\_unlock(&txEnd\_lmLogClose\_mutex);
+		return;
+	}
+
 	/\*
 	 \* Lazy commit thread can't free this guy until we mark it UNLOCKED,
 	 \* otherwise, we would be left with a transaction that may have been
@@ -515,6 +521,7 @@ void txEnd(tid\_t tid)
 		spin\_lock\_irq(&log->gclock);	// LOGGC\_LOCK
 		tblk->flag |= tblkGC\_UNLOCKED;
 		spin\_unlock\_irq(&log->gclock);	// LOGGC\_UNLOCK
+		mutex\_unlock(&txEnd\_lmLogClose\_mutex);
 		return;
 	}
 
@@ -561,6 +568,7 @@ void txEnd(tid\_t tid)
 	 \* wakeup all waitors for a free tblock
 	 \*/
 	TXN\_WAKEUP(&TxAnchor.freewait);
+	mutex\_unlock(&txEnd\_lmLogClose\_mutex);
 }
 
 /\*
-- 
2.25.1

CVE-2023-3397: Linux Kernel: [PATCH] fs/jfs: Add a mutex named txEnd_lmLogClose_mutex to prevent a race  condition between txEnd and lmLogClose functions

SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges.

Release date: November 1, 2023

Here's what's new in SolarWinds Hybrid Cloud Observability 2023.4.

SolarWinds Hybrid Cloud Observability runs on the SolarWinds Platform.

**Learn more**

*   See the Hybrid Cloud Observability 2023.4 system requirements.
*   For information about working with Hybrid Cloud Observability, see the Hybrid Cloud Observability Administrator Guides.

**New features and improvements in Hybrid Cloud Observability**

For information about new features and fixes in the SolarWinds Platform, see the SolarWinds Platform 2023.4 Release Notes.

**New Vulnerability Dashboard and Risk scorecard**

This release introduces a new vulnerability and risk dashboard, available for Hybrid Cloud Observability Advanced users. View vulnerability and risk severity, determined by imported CVE information from CVEs based on CVSS v3. Schedule CVE data imports, and match CVE information to individual nodes. See calculated risk scores for individual monitored nodes and an aggregated risk scored for your environment.

**Platform Connect supports more device types**

Platform Connect now supports sending information for more device types to SolarWinds Observability, including application and virtualization.

**Greater visibility for simplified SD-WAN monitoring**

Real-time Tunnel and WAN metrics like service provider, packet loss, latency, and jitter are now available for use in dashboard widgets and PerfStack for Meraki, VeloCloud, and Viptela SDWAN devices.

**Anomaly Based Alerts improvements**

Anomaly Based Alerts now includes a new visual representation of the normal operating range (NOR) of a device’s metrics. The entity detail page contains NOR charts for every observed metric present for the entity that is triggering an Anomaly-Based Alert.

You can now define anomaly-based alerts for virtualization entities. See the list of supported entities with their metrics below:

Orion.VIM.ClusterStatistics:

AvgCPULoad

AvgMemoryUsage

Orion.VIM.HostStatistics:

AvgCpuLoad

AvgMemUsage

AvgNetworkUtilization

Orion.VIM.VMStatistics:

AvgCPULoad

AvgIOPSRead

AvgIOPSTotal

AvgIOPSWrite

AvgMemoryUsage

AvgNetworkUsageRate

**AlertStack improvements**

AlertStack is now available under the “Alerts and Activities” menu.

The AlertStack cluster detail page now supports filtering of occurrences together with maps. Occurrences can be filtered based on the Status and Element Type. Accordingly, the map nodes reflect this filtering as well.

AlertStack now supports creation of incidents in SolarWinds Service Desk (SSD) for AlertStack clusters. This action can be done for clusters in open or suspended states only.

Return to top

**Fixes**

For information about new features and fixes in the SolarWinds Platform, see the SolarWinds Platform 2023.4 Release Notes.

 

Case number

Description

01189602, 01296329, 01268284

In deployments with additional polling engines (APEs), attempting to integrate the SolarWinds Platform with DPA would install the DPA Business Layer on the APE. This caused problems with the DPA integration, including:

*   Application relationships added on the Manage Client Application Relationships page were automatically removed.
    
*   Integration fails with the message There was an error when trying to enable the integration with the DPA server: Establishing federation with jSWIS failed.
    
*   Attempting to add a DPA server returns the message Cannot find a DPA server at this address or port. Check your DPA server details and network connection.
    

01231016

When custom properties used in alerts are created in a different SolarWinds Platform product, the associated column in the All Active Alerts page in EOC is not blank.

01354791

When you run a report that queries the SolarWinds log database, the results of the query are shown instead, not the message Query is not valid.

01288735

In a large, complex environment, network configuration management jobs and inventory jobs run as expected.

01358044

Network configuration management jobs no longer make unnecessary APE license checks, which were causing the jobs to run slowly.

00837847, 01358148, 01426785

Inventory collection was updated to prevent database blocks, which were affecting performance.

01352472

If you run a job that saves the results of a policy report to a file, and the file name includes a macro, the macro is parsed correctly and the report's content and formatting are accurate.

01336072

When SolarWinds high availability (HA) is deployed, a network configuration search performed after a failover includes all configs. The search is not limited to only the most recently downloaded configs.

01357688

A vulnerability that could expose a password has been fixed.

01350788

A misspelled word in INFO messages in the NCM.Collector.Jobs_[*].log file has been corrected.

01333319

The Config Details page shows the downloaded time based on the SolarWinds Platform time zone, not UTC time.

01288735, 01387785

When an inventory job retrieves a large Flash Size value, it records the value correctly and no longer returns the following error:

Arithmetic overflow error converting expression to data type int.

01395082

Real Time Change Notification works as expected when the IP address provided to it is not the primary IP address for the node.\*

01428683, 01330623, 01349629

In 2023.2, the default timeout value for SWJobEngineWorker2x64.exe was increased from 20 minutes to 2 hours. In deployments with a large number of jobs that did not finish before the 2-hour timeout, memory usage increased significantly. To prevent this issue, the default timeout value has been decreased to 20 minutes.

01295129, 01350421, 01428125

When the SolarWinds Platform is configured to use Windows authentication, running interface percentile traffic reports no longer returns an error.

01367640

If an interface name includes special characters, the special characters are no longer escaped on the Interfaces with High Percent Usage (no paging) resource. This behavior was preventing database maintenance from running as scheduled.

01355454

The load time for the Interface Availability widget has been significantly decreased.

01349629, 01362966

By default, network discovery enables all pollers on a device. So, if a topology poller is disabled on the List Resources or Manage Pollers page, it is enabled again when network discovery runs. A new advanced configuration option is available to enable you to override this default behavior. If do not want certain topology pollers to be enabled when network discovery runs:

1.  Open the Advanced Configuration options page by pasting the following into your browser URL field after the hostname or IP address:
    
    /Orion/Admin/AdvancedConfiguration/Global.aspx
    
2.  Under Topology, locate the PollersDiscoveryBlackList field.
    
3.  Enter a comma-separated list of topology pollers that should **not** be enabled when network discovery runs.
    

01348970, 01350142, 01361854, 01362953, 01420814, 01430172

Out-of-the-box Switch Stack alerts can be copied and edited, and they are triggered as expected.

01235174, 01401553

Universal Device Poller gauges load without errors and performance is improved.

01373033

If application data is corrupted, the Manage Applications and Service Ports page no longer attempts to list the applications. Corrupt data does not prevent the page from opening with the following message:

Unexpected Website Error  
Sequence contains no elements

Additionally, a daily maintenance task detects and removes any corrupt application data.

01323874

If a user without permission to view NetFlow data attempts to access a NetFlow page, permissions are evaluated and the Restricted page message is displayed before the page loads. The page is no longer loaded and then hidden, and attempts to refresh the page do not affect performance.

01321325

A change to the NetFlowInterfaceSources\_Metadata table in the SolarWinds Platform database prevents deadlocks in environments with a large number of VMware devices.

01400259, 01419304, 01420644

If a deployment includes more than one application template with the same name, the Configuration Wizard no longer fails with the following error:

Database configuration failed: Error while executing script- Subquery returned more than 1 value.

01360008, 01379355, 01390806, 01399847, 01400259

The SolarWinds Platform Web Console no longer becomes unresponsive or stops functioning due to missing keys in the cloud monitoring resource file.

01337117

On the Node Details Summary page, when you click Real Time Event Viewer and then click the Message column for an event, the Message Details popup opens as expected.

N/A

When you add a node with Microsoft SQL Server 2022 deployed, AppInsight for SQL is discovered.

01290468, 01305182, 01317562, 01320352, 01320666

During upgrades data from old tables is migrated successfully and the obsolete tables are removed. In a previous version, incomplete data migration could cause issues such as:

*   The Configuration Wizard failed with the message Invalid object name 'APM_ComponentStatus_Hourly.
    
*   The SolarWinds Platform database size decreased significantly.
    
*   The Application Component Details page did not consistently display messages.
    

01183556, 01337907, 01353375, 01389703

If the Configuration Wizard fails during an upgrade, attempting to rerun the wizard no longer fails with the message Error while executing script- There is already an object named 'CLM_CloudJobSettings' in the database.

01337806

When a problem occurs with the API poller, the following message was improved to provide more information about the cause of the problem:

Index was outside the bounds of the array.

01142194, 01357225, 01438644

When a node is deleted or unmanaged, Application Dependency Mapping (ADM) polling does not continue for that node. In previous versions, continuing to poll a deleted or unmanaged node for ADM data caused the ADM\_ProcessingQueue table to become very large.

01379396

Long status messages associated with an application monitor are displayed correctly after an upgrade.

00690113

Alerts on API Pollers that should be triggered when the response time exceeds a threshold are no longer triggered when the response time is below the threshold.

01142194

If ADM polling is disabled for the SolarWinds Platform, the node detail page does not display the Application Dependency Polling Enabled check box.

00990851, 01415486

If AppInsight for IIS runs for long periods, the APM\_IisBb\_Request\_Detail table no longer grows without limits, causing performance issues.

01372348, 01384875

The CreateApplication verb in SWIS for the AppInsight for SQL template now works when you are using a remote node and database. Issues with credentials and connection testing have been resolved.

01401922

The default poll no longer fails when more than one array is in a Nimble cluster.

00385337

The Vserver Status widget and the Vservers on this Cluster widget now show the same Vserver capacity data.

01382411

The Ethernet Ports Used Over Time now shows data for the selected time period instead of only the data for the current day.

01361966

When a wireless node is discovered with UDT port monitoring enabled and devices from the node are added to the Watchlist, the Watchlist widget no longer displays type conversion errors such as:

Conversion failed when converting the nvarchar value 'Vanguard_WLC' to data type int.

00814339

The Port Details widget now displays the MAC address, IP address, or Hostname for all devices.

00570890, 00582046, 00717223

The All User Log Ins widget displays data about the currently open endpoint, not the first endpoint that was opened.

01314714, 01333769, 01351695, 01365630, 01365850, 01382555, 01398156, 01412701, 01420009, 01426518, 01436135

The Port Details widget displays IP addresses even if the VLAN port is not monitored.\*

01308188, 01332779, 01380614, 01382170, 01396520, 01404094

When a node uses automatic private IP addressing (APIPA), the vendor and machine type are reported correctly.

01353982, 01401047

Database maintenance no longer fails with the following message:

SolarWinds.Data.DatabaseMaintenance.StandardTableHandlerDAL - Failed to execute procedure: VIM_dbm_Clusters_ComputeDiskDepletion System.Data.SqlClient.SqlException (0x80131904): Arithmetic overflow error converting expression to data type bigint.

Cursor is not open.

01429919

The bulk insert query no longer runs slowly and causes performance issues on the database.

01238012

The Calls by Region widgets display the correct data.

01348659, 01371344

IP SLA operations function correctly, and the ipsla.bussiness.layer log file no longer includes the message Violation of PRIMARY KEY constraint.

01238012, 01294332

The FTP server is no longer filled with failed files, and VoIP views displays call manager information correctly.

01394210

After a call manager is removed, any associated CDR files are no longer processed, which prevents putting an unnecessary load on the FTP server.

01373525, 01378655

Call managers are polled only by the assigned polling engine, not by all polling engines.

01203334

When CDR files for different call managers are stored in separate folders on the FTP server, CDR files for all call managers are processed. VNQM no longer ignores CDR files for all call managers except the last one added.

01269194, 01439830

Avaya RTCP data is collected and displayed as expected.\*

01329850

A large number of CDR or CMR files on the FTP server no longer cause an out of memory exception.\*

\*This fix was added after the RC release.

Return to top

**Installation or upgrade**

For new installations, you can download the installation file from the product page on https://www.solarwinds.com or from the Customer Portal. For more information, see Get the installer.

For upgrades, go to Settings > My Deployment to initiate the upgrade. The SolarWinds Installer upgrades your entire deployment (all SolarWinds Platform products and any scalability engines).

For more information, see the SolarWinds Platform Product Installation and Upgrade Guide.

You must be on Orion Platform 2020.2.1 or later to upgrade to SolarWinds Hybrid Cloud Observability 2023.4. If you are on a version earlier than Orion Platform 2020.2.1, first upgrade to 2020.2.6 and then upgrade to 2023.4.

Return to top

**Before you upgrade!**

If you are upgrading from a previous version, be aware of the following considerations:

Upgrading from Orion Platform 2020.2.6 or older -

*   Before upgrading from Orion Platform 2020.2.6 and earlier to SolarWinds Hybrid Cloud Observability, check the SolarWinds Platform release notes for additional information.

Return to top

**Legal notices**

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

Tag

#mac