Red Hat Security Advisory 2024-2433-03 - An update for avahi is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2433.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: avahi security updateAdvisory ID:        RHSA-2024:2433-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2433Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2023-38469====================================================================Summary: An update for avahi is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Avahi is an implementation of the DNS Service Discovery and Multicast DNS specifications for Zero Configuration Networking. It facilitates service discovery on a local network. Avahi and Avahi-aware applications allow you to plug your computer into a network and, with no configuration, view other people to chat with, view printers to print with, and find shared files on other computers.Security Fix(es):* avahi: Reachable assertion in avahi_dns_packet_append_record (CVE-2023-38469)* avahi: Reachable assertion in avahi_escape_label (CVE-2023-38470)* avahi: Reachable assertion in dbus_set_host_name (CVE-2023-38471)* avahi: Reachable assertion in avahi_rdata_parse (CVE-2023-38472)* avahi: Reachable assertion in avahi_alternative_host_name (CVE-2023-38473)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-38469References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2191687https://bugzilla.redhat.com/show_bug.cgi?id=2191690https://bugzilla.redhat.com/show_bug.cgi?id=2191691https://bugzilla.redhat.com/show_bug.cgi?id=2191692https://bugzilla.redhat.com/show_bug.cgi?id=2191694

Red Hat Security Advisory 2024-2433-03

Red Hat Security Advisory 2024-2410-03 - An update for harfbuzz is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2410.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: harfbuzz security updateAdvisory ID:        RHSA-2024:2410-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2410Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2023-25193====================================================================Summary: An update for harfbuzz is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:HarfBuzz is an implementation of the OpenType Layout engine.Security Fix(es):* harfbuzz: allows attackers to trigger O(n^2) growth via consecutive marks (CVE-2023-25193)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-25193References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2167254

Red Hat Security Advisory 2024-2410-03

Red Hat Security Advisory 2024-2396-03 - An update for squashfs-tools is now available for Red Hat Enterprise Linux 9. Issues addressed include a traversal vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2396.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: squashfs-tools security updateAdvisory ID:        RHSA-2024:2396-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2396Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2021-40153====================================================================Summary: An update for squashfs-tools is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:SquashFS is a highly compressed read-only file system for Linux. These packages contain the utilities for manipulating squashfs file systems.Security Fix(es):* squashfs-tools: unvalidated filepaths allow writing outside of destination (CVE-2021-40153)* squashfs-tools: possible Directory Traversal via symbolic link (CVE-2021-41072)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2021-40153References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=1998621https://bugzilla.redhat.com/show_bug.cgi?id=2004957

Red Hat Security Advisory 2024-2396-03

Red Hat Security Advisory 2024-2394-03 - An update for kernel is now available for Red Hat Enterprise Linux 9. Issues addressed include code execution, double free, integer overflow, memory exhaustion, memory leak, null pointer, out of bounds access, out of bounds read, out of bounds write, privilege escalation, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2394.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security, bug fix, and enhancement update  
Advisory ID:        RHSA-2024:2394-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2394  
Issue date:         2024-04-30  
Revision:           03  
CVE Names:          CVE-2020-26555  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: GSM multiplexing race condition leads to privilege escalation (CVE-2023-6546)

* kernel: multiple use-after-free vulnerabilities (CVE-2024-1086, CVE-2023-3567, CVE-2023-4133, CVE-2023-6932, CVE-2023-39198, CVE-2023-51043, CVE-2023-51779, CVE-2023-51780, CVE-2024-1085, CVE-2024-26582)

* kernel: Bluetooth BR/EDR PIN Pairing procedure is vulnerable to an impersonation attack (CVE-2020-26555)

* kernel: memcg does not limit the number of POSIX file locks allowing memory exhaustion (CVE-2022-0480)

* kernel: multiple NULL pointer dereference vulnerabilities (CVE-2022-38096, CVE-2023-6622, CVE-2023-6915, CVE-2023-42754, CVE-2023-46862, CVE-2023-52574, CVE-2024-0841, CVE-2023-52448)

* kernel: integer overflow in l2cap_config_req() in net/bluetooth/l2cap_core.c (CVE-2022-45934)

* kernel: netfilter: nf_tables: out-of-bounds access in nf_tables_newtable() (CVE-2023-6040)

* kernel: GC's deletion of an SKB races with unix_stream_read_generic()  leading to UAF (CVE-2023-6531)

* kernel: Out of boundary write in perf_read_group() as result of overflow a perf_event's read_size (CVE-2023-6931)

* kernel: Bluetooth Forward and Future Secrecy Attacks and Defenses (CVE-2023-24023)

* kernel: irdma: Improper access control (CVE-2023-25775)

* Kernel: double free in hci_conn_cleanup of the bluetooth subsystem (CVE-2023-28464)

* kernel: Bluetooth: HCI: global out-of-bounds access in net/bluetooth/hci_sync.c (CVE-2023-28866)

* kernel: race condition between HCIUARTSETPROTO and HCIUARTGETPROTO in hci_uart_tty_ioctl (CVE-2023-31083)

* kernel: multiple out-of-bounds read vulnerabilities (CVE-2023-37453, CVE-2023-39189, CVE-2023-39193, CVE-2023-6121, CVE-2023-39194)

* kernel: netfilter: race condition between IPSET_CMD_ADD and IPSET_CMD_SWAP (CVE-2023-42756)

* kernel: lib/kobject.c vulnerable to fill_kobj_path out-of-bounds write (CVE-2023-45863)

* kernel: smb: client: fix potential OOBs in smb2_parse_contexts() (CVE-2023-52434)

* kernel: mm/sparsemem: fix race in accessing memory_section->usage (CVE-2023-52489)

* kernel: net: fix possible store tearing in neigh_periodic_work() (CVE-2023-52522)

* kernel: multiple memory leak vulnerabilities (CVE-2023-52529, CVE-2023-52581)

* kernel: net: bridge: data races indata-races in br_handle_frame_finish() (CVE-2023-52578)

* kernel: net/core: kernel crash in ETH_P_1588 flow dissector (CVE-2023-52580)

* kernel: net/sched: act_ct: fix skb leak and crash on ooo frags (CVE-2023-52610)

* kernel: CIFS Filesystem Decryption Improper Input Validation Remote Code Execution Vulnerability in function receive_encrypted_standard of client (CVE-2024-0565)

* kernel: tls: race between async notify and socket close (CVE-2024-26583)

* kernel: tls: handle backlogging of crypto requests (CVE-2024-26584)

* kernel: tls: race between tx work scheduling and socket close (CVE-2024-26585)

* kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption (CVE-2024-26586)

* kernel: i2c: i801: Fix block process call transactions (CVE-2024-26593)

* kernel: sched/membarrier: reduce the ability to hammer on sys_membarrier (CVE-2024-26602)

* kernel: netfilter: nf_tables: reject QUEUE/DROP verdict parameters (CVE-2024-26609)

* kernel: local dos vulnerability in scatterwalk_copychunks (CVE-2023-6176)

* kernel: perf/x86/lbr: Filter vsyscall addresses (CVE-2023-52476)

* kernel: netfilter: nf_tables: disallow timeout for anonymous sets (CVE-2023-52620)

* kernel: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() (CVE-2024-26633)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2020-26555

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/index  
https://bugzilla.redhat.com/show_bug.cgi?id=1918601  
https://bugzilla.redhat.com/show_bug.cgi?id=2049700  
https://bugzilla.redhat.com/show_bug.cgi?id=2133452  
https://bugzilla.redhat.com/show_bug.cgi?id=2151959  
https://bugzilla.redhat.com/show_bug.cgi?id=2177759  
https://bugzilla.redhat.com/show_bug.cgi?id=2185519  
https://bugzilla.redhat.com/show_bug.cgi?id=2188102  
https://bugzilla.redhat.com/show_bug.cgi?id=2210024  
https://bugzilla.redhat.com/show_bug.cgi?id=2213132  
https://bugzilla.redhat.com/show_bug.cgi?id=2218332  
https://bugzilla.redhat.com/show_bug.cgi?id=2219359  
https://bugzilla.redhat.com/show_bug.cgi?id=2221039  
https://bugzilla.redhat.com/show_bug.cgi?id=2221463  
https://bugzilla.redhat.com/show_bug.cgi?id=2221702  
https://bugzilla.redhat.com/show_bug.cgi?id=2226777  
https://bugzilla.redhat.com/show_bug.cgi?id=2226787  
https://bugzilla.redhat.com/show_bug.cgi?id=2226788  
https://bugzilla.redhat.com/show_bug.cgi?id=2231410  
https://bugzilla.redhat.com/show_bug.cgi?id=2239845  
https://bugzilla.redhat.com/show_bug.cgi?id=2239848  
https://bugzilla.redhat.com/show_bug.cgi?id=2244720  
https://bugzilla.redhat.com/show_bug.cgi?id=2246980  
https://bugzilla.redhat.com/show_bug.cgi?id=2250043  
https://bugzilla.redhat.com/show_bug.cgi?id=2252731  
https://bugzilla.redhat.com/show_bug.cgi?id=2253034  
https://bugzilla.redhat.com/show_bug.cgi?id=2253632  
https://bugzilla.redhat.com/show_bug.cgi?id=2254961  
https://bugzilla.redhat.com/show_bug.cgi?id=2254982  
https://bugzilla.redhat.com/show_bug.cgi?id=2255283  
https://bugzilla.redhat.com/show_bug.cgi?id=2255498  
https://bugzilla.redhat.com/show_bug.cgi?id=2256490  
https://bugzilla.redhat.com/show_bug.cgi?id=2256822  
https://bugzilla.redhat.com/show_bug.cgi?id=2257682  
https://bugzilla.redhat.com/show_bug.cgi?id=2258013  
https://bugzilla.redhat.com/show_bug.cgi?id=2258518  
https://bugzilla.redhat.com/show_bug.cgi?id=2260005  
https://bugzilla.redhat.com/show_bug.cgi?id=2262126  
https://bugzilla.redhat.com/show_bug.cgi?id=2262127  
https://bugzilla.redhat.com/show_bug.cgi?id=2265285  
https://bugzilla.redhat.com/show_bug.cgi?id=2265517  
https://bugzilla.redhat.com/show_bug.cgi?id=2265518  
https://bugzilla.redhat.com/show_bug.cgi?id=2265519  
https://bugzilla.redhat.com/show_bug.cgi?id=2265520  
https://bugzilla.redhat.com/show_bug.cgi?id=2265645  
https://bugzilla.redhat.com/show_bug.cgi?id=2265646  
https://bugzilla.redhat.com/show_bug.cgi?id=2265653  
https://bugzilla.redhat.com/show_bug.cgi?id=2267041  
https://bugzilla.redhat.com/show_bug.cgi?id=2267695  
https://bugzilla.redhat.com/show_bug.cgi?id=2267750  
https://bugzilla.redhat.com/show_bug.cgi?id=2267758  
https://bugzilla.redhat.com/show_bug.cgi?id=2267760  
https://bugzilla.redhat.com/show_bug.cgi?id=2267761  
https://bugzilla.redhat.com/show_bug.cgi?id=2267788  
https://bugzilla.redhat.com/show_bug.cgi?id=2267795  
https://bugzilla.redhat.com/show_bug.cgi?id=2269189  
https://bugzilla.redhat.com/show_bug.cgi?id=2269217  
https://bugzilla.redhat.com/show_bug.cgi?id=2270080  
https://bugzilla.redhat.com/show_bug.cgi?id=2270118  
https://bugzilla.redhat.com/show_bug.cgi?id=2270883  
https://issues.redhat.com/browse/RHEL-15897  
https://issues.redhat.com/browse/RHEL-15937  
https://issues.redhat.com/browse/RHEL-16024  
https://issues.redhat.com/browse/RHEL-17986  
https://issues.redhat.com/browse/RHEL-19081  
https://issues.redhat.com/browse/RHEL-2376  
https://issues.redhat.com/browse/RHEL-2421  
https://issues.redhat.com/browse/RHEL-2466  
https://issues.redhat.com/browse/RHEL-2907  
https://issues.redhat.com/browse/RHEL-3923  
https://issues.redhat.com/browse/RHEL-5226  
https://issues.redhat.com/browse/RHEL-5228  
https://issues.redhat.com/browse/RHEL-6012  
https://issues.redhat.com/browse/RHEL-7936  
https://issues.redhat.com/browse/RHEL-9127

Red Hat Security Advisory 2024-2394-03

Red Hat Security Advisory 2024-2387-03 - An update for mod_jk and mod_proxy_cluster is now available for Red Hat Enterprise Linux 9. Issues addressed include cross site scripting and information leakage vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2387.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: mod_jk and mod_proxy_cluster security update  
Advisory ID:        RHSA-2024:2387-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2387  
Issue date:         2024-04-30  
Revision:           03  
CVE Names:          CVE-2023-6710  
====================================================================

Summary: 

An update for mod_jk and mod_proxy_cluster is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The mod_jk module is a plugin for the Apache HTTP Server to connect it with the Apache Tomcat servlet engine.

The mod_proxy_cluster module is a plugin for the Apache HTTP Server that provides load-balancer functionality.

Security Fix(es):

* httpd: Apache Tomcat Connectors (mod_jk) Information Disclosure (CVE-2023-41081)

* mod_cluster/mod_proxy_cluster: Stored Cross site Scripting (CVE-2023-6710)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-6710

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/index  
https://bugzilla.redhat.com/show_bug.cgi?id=2238847  
https://bugzilla.redhat.com/show_bug.cgi?id=2254128  
https://issues.redhat.com/browse/RHEL-27497  
https://issues.redhat.com/browse/RHEL-27511

Red Hat Security Advisory 2024-2387-03

Red Hat Security Advisory 2024-2377-03 - An update for zziplib is now available for Red Hat Enterprise Linux 9.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2377.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: zziplib security updateAdvisory ID:        RHSA-2024:2377-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2377Issue date:         2024-04-30Revision:           03CVE Names:          CVE-2020-18770====================================================================Summary: An update for zziplib is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The zziplib is a lightweight library to easily extract data from zip files.Security Fix(es):* zziplib: invalid memory access at zzip_disk_entry_to_file_header in mmapped.c (CVE-2020-18770)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2020-18770References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/indexhttps://bugzilla.redhat.com/show_bug.cgi?id=2246907

Red Hat Security Advisory 2024-2377-03

March 29, 2024 is a day that will hardly be forgotten by the open source community: Andres Freund disclosed his findings about the compromise in the xz compression library, which would enable an attacker to silently gain access to a targeted affected system. How did that coordination work under the hood? In this article we will give a behind the scenes glimpse into what this looked like at Red Hat.DiscoveryOn Wednesday, March 27, Andres contacted the Debian security team via their contact email (security@debian.org) and let them know about the oddities he found in a SSH slowdown when using a n

March 29, 2024 is a day that will hardly be forgotten by the open source community: Andres Freund disclosed his findings about the compromise in the xz compression library, which would enable an attacker to silently gain access to a targeted affected system. How did that coordination work under the hood? In this article we will give a behind the scenes glimpse into what this looked like at Red Hat.

****Discovery****

On Wednesday, March 27, Andres contacted the Debian security team via their contact email (security@debian.org) and let them know about the oddities he found in a SSH slowdown when using a new XZ library that was shipped by Debian.

The Debian security team relayed this information to the Red Hat Information Security (InfoSec) team. Our InfoSec team is responsible for protecting our network perimeter and company assets.

****Understanding the threat****

InfoSec involved Red Hat’s Product Security (ProdSec) department, the ones in charge of securing the software that we provide to our customers and community. Then, this global multidisciplinary team containing many of our finest developers, PenTesters, offensive analysts, managers, directors and program managers started the then confidential efforts to properly establish, understand and assess the findings from Andres.

After establishing the gravity of the situation, InfoSec and ProdSec engaged their Incident Response Plans (IRP), sharing a more complete view of this embargoed incident to help further understand how it works and assess any potential compromise to our products, both upstream and especially in Red Hat Enterprise Linux (RHEL), as well Red Hat internal assets.

At this stage, there were two major fronts: The most urgent was to determine to what extent, if any, the malware had infiltrated our products. The second was to analyze the malicious nature of the package and better understand its cleverly concealed malicious payloads.

****Securing the fort****

Our next step was establishing the affectedness of our systems, as this presented a number of concerns: Were build systems compromised? Were any other external or internal systems affected? Was there any data exfiltration? If so, was a footprint left behind?

Over the course of the investigation, we found that this is a kind of dormant malware targeting a very specific set of systems: Specifically the x86\_64 architecture, requiring both systemd and sshd. It was not targeting BSDs, Android cell phones, wi-fi routers, IoT devices, Raspberry Pis, or anything else. Essentially, it had to be a standard Linux server.

Querying VirusTotal for the rogue .o object file hash returned no results, so it was indeed something not widely known prior to Andres’ finding.

At this point, we established that this had not affected RHEL and Fedora stable branches. While no Fedora stable builds were affected, Fedora 40 beta nightly builds, the leading edge of Linux innovation, were affected.

The collaboration kept moving swiftly throughout Thursday afternoon (in US time zones), with our InfoSec team delivering the first YARA rules, ProdSec evaluating the Vulnerability Management aspects (which version affects what), and the ProdSec Supply Chain team verifying if our productization pipeline was sound and not using affected versions.

Early Thursday morning, Red Hat and IBM executives were briefed about this incident and given a complete picture of what was known so far.

****Multi-vendor collaboration****

At this stage, distro-lists at Openwall were beginning to see some traffic, but due to the limited reach of this community, we engaged the US Cybersecurity and Infrastructure Security Agency (CISA) to start a collaborative Vulnerability Information and Coordination Environment (VINCE) ticket. This enabled other vendors not participating in distro-lists, as well as the vulnerability discoverer by Andres Freund, to be engaged continuously.

Collaboration continued to flow with the ticket creation, moving around the clock through 48 participating entities: BSDs, proprietary software vendors, national Security Response teams and the heavyweights of the hardware and software landscape were working together to advance and level the field on the findings, investigation progress, other products’ affectedness and more, all done at speed to make the issue public as soon as possible.

****To CVE or not to CVE****

Historically, malware has been categorically and intentionally omitted from the CVE ecosystem. They are typically beyond the control of the vendors who provide software. However, in this case it was embedded into the vendor code, there was a vulnerable condition and relying on antivirus software to detect the existence of this malicious software can leave room for detection failure.

During the discussion with other CVE Numbering Authorities (CNAs), we erred on the side of caution. This is a condition that:

*   Has to be looked for and detected
*   Compromises confidentiality, integrity, and availability
*   Is described by an existing CWE type
*   Is a type of compromise that has a precedent of assigned CVEs
*   Affects a very specific name-version-release (NVR)
*   Is a high profile issue that needs the CVE ID as an industry-wide common identifier

That said, as a CNA, we decided to assign a CVE for this vulnerability: CVE-2024-3094.

****Good Friday****

On Friday, all the ducks (and there were a lot of them) were lined up and while this probably ruined a fair number of holidays, the participants in the VINCE ticket, including the finder, agreed to bring this to the public as soon as possible. As soon as Andres’ post went live in OSS-Security, CISA alerted the general public and Red Hat published a post as well. We had our Communications team fully engaged, informed and ready for the inquiries. Minutes after disclosure in OSS-Security, we started receiving inquiries from major news outlets asking for more information.

The impacted distros immediately pulled back the affected libraries and prepared statements to their user bases.

It was good (no pun intended) that in the end, this attack only affected a very limited set of worldwide systems in a small number of leading-edge distributions, including Fedora, and there was no evidence of further tampering or manipulation in affected systems.

To err on the side of safety, all Red Hat assets that were running the affected Fedora versions were deemed as tainted and were required to be reinstalled or redone.

Although this event had the potential to really hurt the open source community, at the end of the day, it actually displayed its strength. Multiple people, organizations and contributors worked together to stop a very real threat. The imminent incident has been stopped and remediated, but the work is not done. Many lessons have been learned around the world from this event, and I think it is fair to say that the open source community will implement improvements to minimize future risks with our distributions.

Understanding Red Hat’s response to the XZ security incident

Red Hat Security Advisory 2024-2098-03 - An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2098.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: container-tools:rhel8 security and bug fix updateAdvisory ID:        RHSA-2024:2098-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2098Issue date:         2024-04-29Revision:           03CVE Names:          CVE-2024-1753====================================================================Summary: An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.Bug Fix(es):* container_init_t does not possess ptrace process context [rhel-8.9.0.z] (JIRA:RHEL-28923)Security Fix(es):* podman: full container escape at build time (CVE-2024-1753)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1753References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2265513

Red Hat Security Advisory 2024-2098-03

Red Hat Security Advisory 2024-2097-03 - An update for the container-tools:4.0 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2097.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: container-tools:4.0 security updateAdvisory ID:        RHSA-2024:2097-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2097Issue date:         2024-04-29Revision:           03CVE Names:          CVE-2024-1753====================================================================Summary: An update for the container-tools:4.0 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.Security Fix(es):* buildah: full container escape at build time (CVE-2024-1753)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1753References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-2097-03

Red Hat Security Advisory 2024-2088-03 - An update is now available for the Red Hat build of Cryostat 2 on RHEL 8. Issues addressed include denial of service, memory exhaustion, and memory leak vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2088.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat build of Cryostat security update  
Advisory ID:        RHSA-2024:2088-03  
Product:            Cryostat  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:2088  
Issue date:         2024-04-29  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

An update is now available for the Red Hat build of Cryostat 2 on RHEL 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

An update is now available for the Red Hat build of Cryostat 2 on RHEL 8.

Security Fix(es):

* vert.x: io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)

* vertx-core: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)

* golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)

* golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)

* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2260840  
https://bugzilla.redhat.com/show_bug.cgi?id=2263139  
https://bugzilla.redhat.com/show_bug.cgi?id=2268017  
https://bugzilla.redhat.com/show_bug.cgi?id=2268019  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2272907

Tag

#red_hat