ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated reflected cross-site scripting vulnerability. Input passed to the GET parameters query and application is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

  
ABB Cylon Aspect 3.08.01 (jsonProxy.php) Unauthenticated Reflected XSS

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.01

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an unauthenticated reflected  
cross-site scripting vulnerability. Input passed to the GET parameters 'query'  
and 'application' is not properly sanitised before being returned to the user.  
This can be exploited to execute arbitrary HTML/JS code in a user's browser  
session in context of an affected site.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5852  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5852.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               http://192.168.73.31/jsonProxy.php?application=%3Cmarquee%3EZSL%3C/marquee%3E?query=%3Cscript%3Ealert(document.cookie)%3C/script%3E

ABB Cylon Aspect 3.08.01 jsonProxy.php Cross Site Scripting

Red Hat Security Advisory 2024-8617-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8617.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security update  
Advisory ID:        RHSA-2024:8617-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8617  
Issue date:         2024-10-30  
Revision:           03  
CVE Names:          CVE-2021-47383  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* hw: cpu: intel: Native Branch History Injection (BHI) (CVE-2024-2201)

* kernel: tcp: add sanity checks to rx zerocopy (CVE-2024-26640)

* kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)

* kernel: af_unix: Fix garbage collector racing against connect() (CVE-2024-26923)

* kernel: mac802154: fix llsec key resources release in mac802154_llsec_key_del (CVE-2024-26961)

* kernel: scsi: core: Fix unremoved procfs host directory regression (CVE-2024-26935)

* kernel: tty: Fix out-of-bound vmalloc access in imageblit (CVE-2021-47383)

* kernel: net/sched: taprio: extend minimum interval restriction to entire cycle too (CVE-2024-36244)

* kernel: xfs: fix log recovery buffer allocation for the legacy h_size fixup (CVE-2024-39472)

* kernel: netfilter: nft_inner: validate mandatory meta and payload (CVE-2024-39504)

* kernel: USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages (CVE-2024-40904)

* kernel: mptcp: ensure snd_una is properly initialized on connect (CVE-2024-40931)

* kernel: ipv6: prevent possible NULL dereference in rt6_probe() (CVE-2024-40960)

* kernel: ext4: do not create EA inode under buffer lock (CVE-2024-40972)

* kernel: wifi: mt76: mt7921s: fix potential hung tasks during chip recovery (CVE-2024-40977)

* kernel: net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc() (CVE-2024-40995)

* kernel: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() (CVE-2024-40998)

* kernel: netpoll: Fix race condition in netpoll_owner_active (CVE-2024-41005)

* kernel: xfs: don't walk off the end of a directory data block (CVE-2024-41013)

* kernel: xfs: add bounds checking to xlog_recover_process_data (CVE-2024-41014)

* kernel: block: initialize integrity buffer to zero before writing it to media (CVE-2024-43854)

* kernel: netfilter: flowtable: initialise extack before use (CVE-2024-45018)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-47383

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2268118  
https://bugzilla.redhat.com/show_bug.cgi?id=2270100  
https://bugzilla.redhat.com/show_bug.cgi?id=2275604  
https://bugzilla.redhat.com/show_bug.cgi?id=2277171  
https://bugzilla.redhat.com/show_bug.cgi?id=2278176  
https://bugzilla.redhat.com/show_bug.cgi?id=2278235  
https://bugzilla.redhat.com/show_bug.cgi?id=2282357  
https://bugzilla.redhat.com/show_bug.cgi?id=2293654  
https://bugzilla.redhat.com/show_bug.cgi?id=2296067  
https://bugzilla.redhat.com/show_bug.cgi?id=2297476  
https://bugzilla.redhat.com/show_bug.cgi?id=2297488  
https://bugzilla.redhat.com/show_bug.cgi?id=2297515  
https://bugzilla.redhat.com/show_bug.cgi?id=2297544  
https://bugzilla.redhat.com/show_bug.cgi?id=2297556  
https://bugzilla.redhat.com/show_bug.cgi?id=2297561  
https://bugzilla.redhat.com/show_bug.cgi?id=2297579  
https://bugzilla.redhat.com/show_bug.cgi?id=2297582  
https://bugzilla.redhat.com/show_bug.cgi?id=2297589  
https://bugzilla.redhat.com/show_bug.cgi?id=2300296  
https://bugzilla.redhat.com/show_bug.cgi?id=2300297  
https://bugzilla.redhat.com/show_bug.cgi?id=2311715

Red Hat Security Advisory 2024-8617-03

Red Hat Security Advisory 2024-8614-03 - An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include null pointer and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8614.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel-rt security update  
Advisory ID:        RHSA-2024:8614-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8614  
Issue date:         2024-10-30  
Revision:           03  
CVE Names:          CVE-2021-47384  
====================================================================

Summary: 

An update for kernel-rt is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: ovl: fix use after free in struct ovl_aio_req (CVE-2023-1252)

* hw: cpu: intel: Native Branch History Injection (BHI) (CVE-2024-2201)

* kernel: mm/sparsemem: fix race in accessing memory_section->usage (CVE-2023-52489)

* kernel: blk-mq: fix IO hang from sbitmap wakeup race (CVE-2024-26671)

* kernel: fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats (CVE-2024-26686)

* kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)

* kernel: mac802154: fix llsec key resources release in mac802154_llsec_key_del (CVE-2024-26961)

* kernel: hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field (CVE-2021-47384)

* kernel: mptcp: ensure snd_nxt is properly initialized on connect (CVE-2024-36889)

* kernel: ipv6: prevent possible NULL dereference in rt6_probe() (CVE-2024-40960)

* kernel: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() (CVE-2024-40998)

* kernel: filelock: fix potential use-after-free in posix_lock_inode (CVE-2024-41049)

* kernel: mm: prevent derefencing NULL ptr in pfn_section_valid() (CVE-2024-41055)

* kernel: nvmet: fix a possible leak when destroy a ctrl during qp establishment (CVE-2024-42152)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-47384

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2176140  
https://bugzilla.redhat.com/show_bug.cgi?id=2268118  
https://bugzilla.redhat.com/show_bug.cgi?id=2269189  
https://bugzilla.redhat.com/show_bug.cgi?id=2272811  
https://bugzilla.redhat.com/show_bug.cgi?id=2273109  
https://bugzilla.redhat.com/show_bug.cgi?id=2275604  
https://bugzilla.redhat.com/show_bug.cgi?id=2278176  
https://bugzilla.redhat.com/show_bug.cgi?id=2282356  
https://bugzilla.redhat.com/show_bug.cgi?id=2284571  
https://bugzilla.redhat.com/show_bug.cgi?id=2297544  
https://bugzilla.redhat.com/show_bug.cgi?id=2297582  
https://bugzilla.redhat.com/show_bug.cgi?id=2300422  
https://bugzilla.redhat.com/show_bug.cgi?id=2300429  
https://bugzilla.redhat.com/show_bug.cgi?id=2301519

Red Hat Security Advisory 2024-8614-03

Red Hat Security Advisory 2024-8613-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include null pointer and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8613.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security update  
Advisory ID:        RHSA-2024:8613-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8613  
Issue date:         2024-10-30  
Revision:           03  
CVE Names:          CVE-2021-47384  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: ovl: fix use after free in struct ovl_aio_req (CVE-2023-1252)

* hw: cpu: intel: Native Branch History Injection (BHI) (CVE-2024-2201)

* kernel: mm/sparsemem: fix race in accessing memory_section->usage (CVE-2023-52489)

* kernel: blk-mq: fix IO hang from sbitmap wakeup race (CVE-2024-26671)

* kernel: fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats (CVE-2024-26686)

* kernel: mptcp: fix data re-injection from stale subflow (CVE-2024-26826)

* kernel: mac802154: fix llsec key resources release in mac802154_llsec_key_del (CVE-2024-26961)

* kernel: hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field (CVE-2021-47384)

* kernel: mptcp: ensure snd_nxt is properly initialized on connect (CVE-2024-36889)

* kernel: ipv6: prevent possible NULL dereference in rt6_probe() (CVE-2024-40960)

* kernel: ext4: fix uninitialized ratelimit_state->lock access in __ext4_fill_super() (CVE-2024-40998)

* kernel: filelock: fix potential use-after-free in posix_lock_inode (CVE-2024-41049)

* kernel: mm: prevent derefencing NULL ptr in pfn_section_valid() (CVE-2024-41055)

* kernel: powerpc/eeh: avoid possible crash when edev->pdev changes (CVE-2024-41064)

* kernel: nvmet: fix a possible leak when destroy a ctrl during qp establishment (CVE-2024-42152)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-47384

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2176140  
https://bugzilla.redhat.com/show_bug.cgi?id=2268118  
https://bugzilla.redhat.com/show_bug.cgi?id=2269189  
https://bugzilla.redhat.com/show_bug.cgi?id=2272811  
https://bugzilla.redhat.com/show_bug.cgi?id=2273109  
https://bugzilla.redhat.com/show_bug.cgi?id=2275604  
https://bugzilla.redhat.com/show_bug.cgi?id=2278176  
https://bugzilla.redhat.com/show_bug.cgi?id=2282356  
https://bugzilla.redhat.com/show_bug.cgi?id=2284571  
https://bugzilla.redhat.com/show_bug.cgi?id=2297544  
https://bugzilla.redhat.com/show_bug.cgi?id=2297582  
https://bugzilla.redhat.com/show_bug.cgi?id=2300422  
https://bugzilla.redhat.com/show_bug.cgi?id=2300429  
https://bugzilla.redhat.com/show_bug.cgi?id=2300439  
https://bugzilla.redhat.com/show_bug.cgi?id=2301519

Red Hat Security Advisory 2024-8613-03

Outages are inevitable. Our focus should be on minimizing their scope, addressing underlying causes, and understanding that protecting systems is about keeping bad actors out while maintaining stability and reliability.

Source: Igor Goncharenko via Alamy Stock Photo

COMMENTARY

In an era where digital security is paramount, organizations invest heavily in cybersecurity tools to defend against cyberattacks. However, these same tools — designed to protect — can sometimes be the cause of major disruptions. From botched updates to unforeseen errors in protective software, the very systems meant to safeguard us can lead to widespread outages, with the recent cases of CrowdStrike and Verizon standing out as prime examples. 

**The Fine Line Between Protection and Disruption**

Cybersecurity solutions are essential in our interconnected world, helping businesses and governments protect sensitive data, infrastructure, and user privacy. However, when improperly handled, even the best tools can turn from protectors into sources of failure. 

Known for its strong cybersecurity offerings, CrowdStrike rolled out a threat intelligence update to its Falcon platform in July that inadvertently caused a major global outage, affecting airlines, banks, and hospitals. This incident, which resulted from a software glitch during the delivery of its "Rapid Response Content" threat signatures, left critical services temporarily offline, reminding us that even the most advanced security systems aren't infallible. 

Similarly, in September, Verizon experienced a massive network outage that left millions of customers without mobile service across the US. Although the exact cause of the outage is still under investigation, fears of a cyberattack have been discussed. However, early signs suggest that it could have stemmed from a technical issue or mismanagement during a network upgrade — further highlighting how small oversights in maintaining or updating network infrastructure can have outsized consequences. 

**The Domino Effect: More Than Just an Inconvenience**

When cybersecurity or networking systems fail, the impact often ripples far beyond the initial disruption. Take Verizon's outage as an example: Businesses dependent on the network lost critical communication channels, customer service teams were unable to assist clients, and productivity ground to a halt for countless users. These events illustrate the profound dependency modern society has on digital infrastructure, and when that infrastructure falters, so do economies, health services, and day-to-day life. 

But outages like these also create windows of opportunity for cybercriminals. When networks are down or overwhelmed, attackers may exploit system vulnerabilities or use the chaos as cover for more nefarious activities, such as distributed-denial-of-service (DDoS) attacks, ransomware deployments, or supply chain compromises. Therefore, resilience and proper update protocols are just as important as the defensive capabilities of any cybersecurity tool. 

**Lessons for the Industry**

These high-profile outages, including Verizon's and CrowdStrike's, serve as reminders that robust cybersecurity involves more than just tools — it requires continuous testing, resilience planning, and careful management of system updates. 

Key takeaways for businesses include: 

*   Test updates thoroughly: Even the best security patches can introduce new risks if not properly vetted. 
    

*   Invest in incident response: Prepare for outages or failures by developing comprehensive response plans that prioritize minimizing downtime and ensuring customer communication. 
    

*   Stay vigilant: Disruptions provide opportunities for attackers. Ensure that security monitoring continues even during outages. 
    

**Looking Forward**

As technology evolves, so must our approach to cybersecurity. While outages are inevitable, the focus should be on minimizing their scope, addressing underlying causes, and understanding that protecting systems is not just about keeping bad actors out — it's also about maintaining stability and reliability within the infrastructure itself. 

Cybersecurity tools must balance protection with resilience, ensuring that the systems designed to defend us don't inadvertently cause more harm. 

**About the Author**

Director of Security, Owlet Baby Care

Yvonne Dickinson is currently the Director of Security for a global and publicly traded company. Her depth of expertise resides within application and cloud security, although she is a generalist across the other security domains. Yvonne is extremely passionate about advocating for women in STEM fields and strives to make an impact where she can. Although her official title is Security Director, that job is secondary to her primary role as CMO — Chief Mom Officer — to her family. As a technical leader, she strives to find balance in her work and her home so she can succeed at both her jobs, and she empowers her team to do the same.

When Cybersecurity Tools Backfire

The ABB BMS/BAS controller suffers from an unauthenticated reflected cross-site scripting vulnerability. Input passed to the GET parameters 'query' and 'application' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

ABB Cylon Aspect 3.08.01 (jsonProxy.php) Unauthenticated Reflected XSS

A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-hc5w-c9f8-9cc4: Langchain Path Traversal vulnerability

Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K.

GHSA-6mvp-gh77-7vwh: Mattermost Server allows user to get private channel names

Delta argues that it lost hundreds of million of dollars in downtime and other costs in the aftermath of the incident, while CrowdStrike says it isn't liable for more than $10 million.

Source: Francis Vachon via Alamy Stock Photo

UPDATE

Delta Air Lines is suing CrowdStrike to recover the $500 million in revenue it lost due to the CrowdStrike outage earlier this year, which led to an assortment of issues and disrupted businesses, airlines, healthcare providers, and more.

The cause of the infamous outage that occurred in July was a defective threat intelligence update for the CrowdStrike Falcon Sensor, a cloud-based endpoint detection and prevention software. After investigating the issue, CrowdStrike reported that its engineering team had discovered a bug in the memory scanning prevention policy, a flaw that was not identified during testing stages. That ultimately led to Microsoft servers displaying the "blue screen of death" across the world, and collective disarray in response.

At the time of the outage, Delta reported that it had to cancel thousands of flights — about 7,000 between July 19 and July 24 — affecting 1.3 million customers and prompting multiple class-action lawsuits.

In its Securities and Exchange Commission (SEC) filing, the airline estimated that recovery from the outage would cost around $170 million.

Now, the airline is seeking legal recourse to regain its lost funds, plus punitive damages for the outage.

**A Multimillion-Dollar Lawsuit Tests Cyber Liability**

Last week, Delta launched a formal complaint against CrowdStrike in a Georgia state court, arguing that the cybersecurity company failed to properly test the Falcon sensor update before deploying, leading to widespread disruption.

"CrowdStrike caused a global catastrophe because it cut corners, took shortcuts, and circumvented the very testing and certification processes it advertised, for its own benefit and profit," Delta said in the lawsuit, which was filed in Fulton County Superior Court in Georgia.

CrowdStrike, however, argues that Delta is operating with "misinformation" and is trying to shift blame for its notably slow recovery from the outage. 

"While we aimed to reach a business resolution that puts customers first, Delta has chosen a different path," a CrowdStrike spokesperson tells Dark Reading. "Delta's claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure."

Indeed, the US Department of Transportation is investigating why Delta took longer to recover from the outage compared with other air carriers. Pete Buttigieg, US transportation secretary, said he also would look into complaints regarding Delta's less-than-stellar customer service during the outage, which resulted in long waits for assistance and unaccompanied minors stranded at airports.

A CrowdStrike spokesperson told the Associated Press that CrowdStrike attempted to settle these disputes with Delta earlier this year; however, there are disagreements as to how much lost revenue CrowdStrike is liable for, with the security firm arguing that it is less than $10 million.

"We have filed for a declaratory judgment to make it clear that CrowdStrike did not cause the harm that Delta claims and they repeatedly refused assistance from both CrowdStrike and Microsoft," the CrowdStrike spokesperson adds. "Any claims of gross negligence and willful misconduct have no basis in fact."

This story was updated at 5:40 p.m. ET on Oct. 28 to reflect comments from CrowdStrike.

Delta Launches $500M Lawsuit Against CrowdStrike

Red Hat Security Advisory 2024-8235-03 - Red Hat OpenShift Container Platform release 4.14.39 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, and out of bounds write vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8235.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.14.39 security update  
Advisory ID:        RHSA-2024:8235-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8235  
Issue date:         2024-10-28  
Revision:           03  
CVE Names:          CVE-2023-29401  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.39 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.39. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:8238

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* glibc: Out of bounds write in iconv may lead to remote code execution  
(CVE-2024-2961)  
* openstack-ironic: Specially crafted image may allow authenticated users  
to gain access to potentially sensitive data (CVE-2024-44082)  
* golang-github-gin-gonic-gin: Gin Web Framework does not properly sanitize  
filename parameter of Context.FileAttachment function (CVE-2023-29401)  
* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound  
cardinality metrics (CVE-2023-47108)  
* ssh: Prefix truncation attack on Binary Packet Protocol (BPP)  
(CVE-2023-48795)  
* jose-go: improper handling of highly compressed data (CVE-2024-28180)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-29401

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2216957  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2254210  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://bugzilla.redhat.com/show_bug.cgi?id=2273404  
https://bugzilla.redhat.com/show_bug.cgi?id=2309331  
https://issues.redhat.com/browse/OCPBUGS-25727  
https://issues.redhat.com/browse/OCPBUGS-32266  
https://issues.redhat.com/browse/OCPBUGS-37353  
https://issues.redhat.com/browse/OCPBUGS-37552  
https://issues.redhat.com/browse/OCPBUGS-39019  
https://issues.redhat.com/browse/OCPBUGS-41246  
https://issues.redhat.com/browse/OCPBUGS-41836  
https://issues.redhat.com/browse/OCPBUGS-41918  
https://issues.redhat.com/browse/OCPBUGS-42517  
https://issues.redhat.com/browse/OCPBUGS-42518  
https://issues.redhat.com/browse/OCPBUGS-42533  
https://issues.redhat.com/browse/OCPBUGS-42567  
https://issues.redhat.com/browse/OCPBUGS-42603  
https://issues.redhat.com/browse/OCPBUGS-42757  
https://issues.redhat.com/browse/OCPBUGS-42828  
https://issues.redhat.com/browse/OCPBUGS-42986

Tag

#perl