In Veritas NetBackup OpsCenter, an unauthenticated remote attacker may be able to perform remote command execution through a Java classloader manipulation. This affects 8.x through 8.3.0.2, 9.x through 9.0.0.1, 9.1.x through 9.1.0.1, and 10.

**Remedial Actions**

To address all the vulnerabilities listed below, upgrade to version 8.3.0.2, 9.0.0.1, 9.1.0.1, or 10.0 and apply the appropriate HotFix linked above.

**Issue**

**Issue #1: Unauthorized account creation, modification**

Under specific conditions an authenticated remote attacker may be able to create or modify accounts.

*   CVE ID: To Be Assigned
*   Severity: Critical
*   CVSS v3.1 Base Score: 9.9 (/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
*   Affected Versions: 10.0 and earlier
*   Recommended actions:
    *   Review OpsCenter user accounts to ensure this vulnerability has not been exploited in your OpsCenter implementation. Use these instructions to view the OpsCenter user account information.
    *   Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1, or 10.0 and apply the appropriate HotFix.

**Issue #2: Remote command execution.**

An unauthenticated remote attacker may compromise the host by exploiting an incorrectly patched vulnerability.

*   CVE ID: To Be Assigned
*   Severity: Critical
*   CVSS v3.1 Base Score: 9.8 (/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
*   Affected Versions: 9.1.0.1 and earlier
*   Recommended action: Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1, or 10.0 and apply the HotFix as needed.

**Issue #3: Remote command execution.**

An unauthenticated remote attacker may be able to perform a remote command execution through a Java classloader manipulation.

*   CVE ID: To Be Assigned
*   Severity: Critical
*   CVSS v3.1 Base Score: 9.8 (/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
*   Affected Versions: 8.2 and earlier
*   Recommended action: Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1, or 10.0.

**Issue #4: Path Traversal vulnerability**

NetBackup OpsCenter may be vulnerable to a Path Traversal attack via esapi-2.2.3.1 third party component.

*   CVE ID: CVE-2022-23457
*   Severity: Critical
*   CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
*   Affected Versions: 10.0 and earlier
*   Recommended action: Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1, or 10.0 and apply the HotFix.

**Issue #5: Local privilege escalation**

An attacker with local access to a NetBackup OpsCenter server could potentially escalate their privileges.

*   CVE ID: To Be Assigned
*   Severity: Critical
*   CVSS v3.1 Base Score: 9.3 (/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
*   Affected Versions: 8.2 and earlier
*   Recommended action: Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1, or 10.0.

**Issue #6: Hard coded credentials vulnerability**

A hard-coded credential was discovered in NetBackup OpsCenter that could be used to exploit the underlying VxSS subsystem

*   CVE ID: TBA
*   Severity: High
*   CVSS v3.1 Base Score: 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
*   Affected Versions: 10.0 and earlier
*   Recommended action: Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1, or 10.0 and apply the appropriate HotFix.

**Issue #7: DOM XSS vulnerability**

NetBackup OpsCenter is vulnerable to a DOM XSS attack.

*   CVE ID: TBA
*   Severity: Medium
*   CVSS v3.1 Base Score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
*   Affected Versions: 10.0 and earlier
*   Recommended action: Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1, or 10.0 and apply the appropriate HotFix.

**Issue #8: Information leakage**

Certain OpsCenter endpoints could allow an unauthenticated remote attacker to gain sensitive information.

*   CVE ID: To Be Assigned
*   Severity: Medium
*   CVSS v3.1 Base Score: 4.3 (/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
*   Affected Versions: 8.2 and earlier
*   Recommended action: Upgrade to 8.3.0.2 or 9.0.0.1, or 9.1.0.1, or 10.0.

**Acknowledgement**

Veritas would like to thank the following Airbus Security Team members for notifying us about several of the issues in this advisory: Mouad Abouhali, Benoit Camredon, Nicholas Devillers, Anais Gantet, and Jean-Romain Garnier.

**Disclaimer**

AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC  
2625 Augustine Drive  
Santa Clara, CA 95054

CVE-2022-36950: HotFix for Security Advisory Impacting NetBackup OpsCenter

In Veritas NetBackup OpsCenter, an unauthenticated remote attacker may compromise the host by exploiting an incorrectly patched vulnerability. This affects 8.x through 8.3.0.2, 9.x through 9.0.0.1, 9.1.x through 9.1.0.1, and 10.

CVE-2022-36951: HotFix for Security Advisory Impacting NetBackup OpsCenter

In Veritas NetBackup OpsCenter, a hard-coded credential exists that could be used to exploit the underlying VxSS subsystem. This affects 8.x through 8.3.0.2, 9.x through 9.0.0.1, 9.1.x through 9.1.0.1, and 10.

CVE-2022-36952: HotFix for Security Advisory Impacting NetBackup OpsCenter

In Veritas NetBackup OpsCenter, an attacker with local access to a NetBackup OpsCenter server could potentially escalate their privileges. This affects 8.x through 8.3.0.2, 9.x through 9.0.0.1, 9.1.x through 9.1.0.1, and 10.

CVE-2022-36949: HotFix for Security Advisory Impacting NetBackup OpsCenter

In Veritas NetBackup OpsCenter, under specific conditions, an authenticated remote attacker may be able to create or modify OpsCenter user accounts. This affects 8.x through 8.3.0.2, 9.x through 9.0.0.1, 9.1.x through 9.1.0.1, and 10.

CVE-2022-36954: HotFix for Security Advisory Impacting NetBackup OpsCenter

In Veritas NetBackup OpsCenter, certain endpoints could allow an unauthenticated remote attacker to gain sensitive information. This affects 8.x through 8.3.0.2, 9.x through 9.0.0.1, 9.1.x through 9.1.0.1, and 10.

CVE-2022-36953: HotFix for Security Advisory Impacting NetBackup OpsCenter

Red Hat Security Advisory 2022-5636-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include information leakage, privilege escalation, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update  
Advisory ID:       RHSA-2022:5636-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5636  
Issue date:        2022-07-19  
CVE Names:         CVE-2022-1012 CVE-2022-1729 CVE-2022-32250  
====================================================================  
1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: Small table perturb size in the TCP source port generation  
algorithm can lead to information leak (CVE-2022-1012)

* kernel: race condition in perf_event_open leads to privilege escalation  
(CVE-2022-1729)

* kernel: a use-after-free write in the netfilter subsystem can lead to  
privilege escalation to root (CVE-2022-32250)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Backport request of "genirq: use rcu in kstat_irqs_usr()" (BZ#2083311)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2064604 - CVE-2022-1012 kernel: Small table perturb size in the TCP source port generation algorithm can lead to information leak  
2086753 - CVE-2022-1729 kernel: race condition in perf_event_open leads to privilege escalation  
2092427 - CVE-2022-32250 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:  
kernel-4.18.0-147.70.1.el8_1.src.rpm

aarch64:  
bpftool-4.18.0-147.70.1.el8_1.aarch64.rpm  
bpftool-debuginfo-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-core-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-cross-headers-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-debug-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-debug-core-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-debug-debuginfo-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-debug-devel-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-debug-modules-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-debug-modules-extra-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-debuginfo-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-debuginfo-common-aarch64-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-devel-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-headers-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-modules-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-modules-extra-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-tools-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-tools-debuginfo-4.18.0-147.70.1.el8_1.aarch64.rpm  
kernel-tools-libs-4.18.0-147.70.1.el8_1.aarch64.rpm  
perf-4.18.0-147.70.1.el8_1.aarch64.rpm  
perf-debuginfo-4.18.0-147.70.1.el8_1.aarch64.rpm  
python3-perf-4.18.0-147.70.1.el8_1.aarch64.rpm  
python3-perf-debuginfo-4.18.0-147.70.1.el8_1.aarch64.rpm

noarch:  
kernel-abi-whitelists-4.18.0-147.70.1.el8_1.noarch.rpm  
kernel-doc-4.18.0-147.70.1.el8_1.noarch.rpm

ppc64le:  
bpftool-4.18.0-147.70.1.el8_1.ppc64le.rpm  
bpftool-debuginfo-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-core-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-cross-headers-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-debug-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-debug-core-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-debug-devel-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-debug-modules-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-debug-modules-extra-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-debuginfo-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-devel-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-headers-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-modules-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-modules-extra-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-tools-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-147.70.1.el8_1.ppc64le.rpm  
kernel-tools-libs-4.18.0-147.70.1.el8_1.ppc64le.rpm  
perf-4.18.0-147.70.1.el8_1.ppc64le.rpm  
perf-debuginfo-4.18.0-147.70.1.el8_1.ppc64le.rpm  
python3-perf-4.18.0-147.70.1.el8_1.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-147.70.1.el8_1.ppc64le.rpm

s390x:  
bpftool-4.18.0-147.70.1.el8_1.s390x.rpm  
bpftool-debuginfo-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-core-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-cross-headers-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-debug-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-debug-core-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-debug-debuginfo-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-debug-devel-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-debug-modules-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-debug-modules-extra-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-debuginfo-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-debuginfo-common-s390x-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-devel-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-headers-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-modules-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-modules-extra-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-tools-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-tools-debuginfo-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-zfcpdump-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-zfcpdump-core-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-zfcpdump-debuginfo-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-zfcpdump-devel-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-zfcpdump-modules-4.18.0-147.70.1.el8_1.s390x.rpm  
kernel-zfcpdump-modules-extra-4.18.0-147.70.1.el8_1.s390x.rpm  
perf-4.18.0-147.70.1.el8_1.s390x.rpm  
perf-debuginfo-4.18.0-147.70.1.el8_1.s390x.rpm  
python3-perf-4.18.0-147.70.1.el8_1.s390x.rpm  
python3-perf-debuginfo-4.18.0-147.70.1.el8_1.s390x.rpm

x86_64:  
bpftool-4.18.0-147.70.1.el8_1.x86_64.rpm  
bpftool-debuginfo-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-core-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-cross-headers-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-debug-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-debug-core-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-debug-devel-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-debug-modules-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-debug-modules-extra-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-debuginfo-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-devel-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-headers-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-modules-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-modules-extra-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-tools-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-147.70.1.el8_1.x86_64.rpm  
kernel-tools-libs-4.18.0-147.70.1.el8_1.x86_64.rpm  
perf-4.18.0-147.70.1.el8_1.x86_64.rpm  
perf-debuginfo-4.18.0-147.70.1.el8_1.x86_64.rpm  
python3-perf-4.18.0-147.70.1.el8_1.x86_64.rpm  
python3-perf-debuginfo-4.18.0-147.70.1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1012  
https://access.redhat.com/security/cve/CVE-2022-1729  
https://access.redhat.com/security/cve/CVE-2022-32250  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFkOtzjgjWX9erEAQjajxAAgUzK2KiGHsT+vCZ8Viq3nuejOLCyRt+w  
NlT2opRwOMSQBWj24HO++knH3MTkoNX5jC8Jn2B5cdWzaGAlOoazqjaQ9qbpeOKJ  
2Q0qgh7ncwl0I57G7OljTlK3xLhzUw41KGB+f/hr/vSQL/16UI533LOWXnpfmPix  
Ra9e+CCwW8iJvctUpKuuwKxqsj7rm01kbdscwyiaUJOjbt+zcMk0q+nkkRKVxLuA  
WIvKC8yJAuKPBpSs9kx2mzDrjS6Y4NZOPFU/hBnwuZi5zOQfF/eTCXZV+7/Ggtxa  
oghs4g0FNsqXEuuW1w39/fk7vohCv3V0wILJlEo4AYD4JnjX30RykdpWMWmpaODY  
UAufCkXE5YnjReQFY5D2ea/2vAL6fO2JSS7uZlDOiIB4phyb2O5RM86jkc/My5TO  
fU2s8ZMwLrLQODkELo8WzQzUWEsHcLPTxsP3CWGKpEKq5ycnuKr5kxcx8cWgoFLP  
s2ItnSFeaV6FPpPDo5SWdaYt09GB6f1gf3s7NMXYDamlZcb2SeCzrgAf+nW8BTMh  
fCdHRsA1P7ZUE8RDmZeZ5JfGOpU/ZnlNsXFtY0yDX3VEE8uSccAiV2wLPmGrSbPg  
RSYkjgjn1hC/t6JfWQ+WSFt7sCP0DT+noui4yPtx3XBRc4F6LCfaE/gnAOBNBgbO  
a0TEWeBBtZ8=tzSO  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5636-01

Red Hat Security Advisory 2022-5704-01 - Updated images are now available for Red Hat Advanced Cluster Security. Issues addressed include a privilege escalation vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256====================================================================                   Red Hat Security AdvisorySynopsis:          Moderate: ACS 3.71 enhancement and security updateAdvisory ID:       RHSA-2022:5704-01Product:           RHACSAdvisory URL:      https://access.redhat.com/errata/RHSA-2022:5704Issue date:        2022-07-25CVE Names:         CVE-2021-40528 CVE-2022-1621 CVE-2022-1629                   CVE-2022-22576 CVE-2022-25313 CVE-2022-25314                   CVE-2022-27774 CVE-2022-27776 CVE-2022-27782                   CVE-2022-29173 CVE-2022-29824====================================================================1. Summary:Updated images are now available for Red Hat Advanced Cluster Security. Theupdated image includes bug fixes and feature improvements.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.2. Description:Release of ACS 3.71 provides these changes:Security Fix(es):* go-tuf: No protection against rollback attacks for roles other than root(CVE-2022-29173)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVEpage(s) listed in the References section.New Features:* New RHACS dashboard and widgets* New default policy for privilege escalation: detects if a deployment isrunning with a container that has allowPrivilegeEscalation set to true.This policy is enabled by default. The privilege escalation setting isenabled in Kubernetes pods by default.* New default policy for externally exposed service: detects if adeployment has any service that is externally exposed through any methods.The policy is disabled by default.* Ability to assign multiple RHACS roles to users and groups: Allows you toassign multiple roles using key-value pairs to a single user or group.* List of network policies in Deployment tab for violations: A newinformation section has been added to help resolve a "missing Kubernetesnetwork policy" violation that lists all the Kubernetes network policiesapplicable to the namespace of the offending deployment.* Alpine 3.16 support for ScannerEnhancements:* Change to roxctl image scan behavior: The default value for the- --include-snoozed option of the roxctl image scan command is set to false.If the --include-snoozed option is set to false, the scan does not includesnoozed CVEs.* Diagnostic bundles update: These now include notifiers, auth providersand auth provider groups, access control roles with attached permission setand access scope, and system configuration information. Users with theDebugLogs permission can read listed entities from a generated diagnosticbundle regardless of their respective permissions.* Align OCP4-CIS scanning benchmarks control numbers: The CIS controlnumber has been added to compliance scan results to enable customers toreference the original control from the CIS benchmark standard.Notable technical changes:* eBPF is now the default collection method: Updated the default collectionmethod for Collector to eBPF.Deprecated features:* RenamePolicyCategory and DeletePolicyCategory API endpoints* Permissions: AuthPlugin, AuthProvider, Group, Licenses, Role, User,Indicator, NetworkBaseline, ProcessWhitelist, Risk, APIToken,BackupPlugins, ImageIntegration, Notifier, SignatureIntegration,ImageComponent* Retrieving groups by property* vulns fields of storage.Node object in response payload of v1/nodes* /v1/cves/suppress and /v1/cves/unsuppressRemoved features:* Anchore, Tenable, and Docker Trusted Registry integrations* External authorization plug-in for scoped access control* FROM option in the Disallowed Dockerfile line policy field* PodSecurityPolicy (PSP) Kubernetes objects3. Solution:To take advantage of the new features, bug fixes, and enhancements in RHACS3.71 you are advised to upgrade to RHACS 3.71.0. For details on how toapply this update, which includes the changes described in this advisory,refer to:https://access.redhat.com/articles/112584. Bugs fixed (https://bugzilla.redhat.com/):2082400 - CVE-2022-29173 go-tuf: No protection against rollback attacks for roles other than root5. JIRA issues fixed (https://issues.jboss.org/):ROX-11898 - Release RHACS 3.71.06. References:https://access.redhat.com/security/cve/CVE-2021-40528https://access.redhat.com/security/cve/CVE-2022-1621https://access.redhat.com/security/cve/CVE-2022-1629https://access.redhat.com/security/cve/CVE-2022-22576https://access.redhat.com/security/cve/CVE-2022-25313https://access.redhat.com/security/cve/CVE-2022-25314https://access.redhat.com/security/cve/CVE-2022-27774https://access.redhat.com/security/cve/CVE-2022-27776https://access.redhat.com/security/cve/CVE-2022-27782https://access.redhat.com/security/cve/CVE-2022-29173https://access.redhat.com/security/cve/CVE-2022-29824https://access.redhat.com/security/updates/classification/#moderate7. Contact:The Red Hat security contact is <secalert@redhat.com>. More contactdetails at https://access.redhat.com/security/team/contact/Copyright 2022 Red Hat, Inc.-----BEGIN PGP SIGNATURE-----Version: GnuPG v1iQIVAwUBYuFju9zjgjWX9erEAQiWQw/+OGMhyOtp3q6Ypqpl1hEi3YCkXQOsdzmRV/2ULky7w4rO8xA9u8hZjDtrsxhHmY3PSYv2fRxLAX87d0FJEoUOGJ7JEQT+L+VF08Zqzz+CRUVBubN27UKdMb8nAZ0S083XleTGd0u/gLTvdejRsfsNvfs+rlOSxv1cmlChC8HXlVg5UH6OAEspZ2P02AZdCgHCnlO5qHQT7BGeFPko4KMXAFf9HddawffcF9nEC2jDlQ+KXFPTFWIcXnrCE89kQa32QFnks7Tt1RAgG+y2+xJj46LBU/nFeOpJiu7eLDeKPn4WkmDsLaKIYDtpxXydJhRodnPukQHp4Jxik9HwEwl4L5F4p7bznM6P6KsihRVrRxfhmHmjm7k43m9u9rNpeey6nrjAKEsZT5wOuNfpgtVAkBrN1fJ4X+tDwEbCeeEXZX1LL2kd8DsUD5Qw4Zs+uaqMqKtuqm9neiEpVOS9/Ktc6hTtt+Cw5l8uXS6NMQZeVl+bTkN6kVzVjSRl2hA5/VWL2Jd9cLjxp3jiIBLpiYZ1Usg8dt0FLgFe3mQvD7GUMl7nrE4BEF/pwk1tRcEtzZfta5PpqyW2lYX6KXXgwibDND7xv7QXV8GP2RdFbZC8K+XGCSf/RiD77cH/Uojpto9NnGfnhO3rMeVGnTbUQx57+QEqJLWHfLVQ+tIPRnmepo8=I5j4-----END PGP SIGNATURE-------RHSA-announce mailing listRHSA-announce@redhat.comhttps://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5704-01

Red Hat Security Advisory 2022-5685-01 - The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: java-11-openjdk security update  
Advisory ID:       RHSA-2022:5685-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5685  
Issue date:        2022-07-21  
CVE Names:         CVE-2022-21540 CVE-2022-21541 CVE-2022-34169  
====================================================================  
1. Summary:

An update for java-11-openjdk is now available for Red Hat Enterprise Linux  
8.1 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime  
Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es):

* OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)  
(CVE-2022-34169)

* OpenJDK: class compilation issue (Hotspot, 8281859) (CVE-2022-21540)

* OpenJDK: improper restriction of MethodHandle.invokeBasic() (Hotspot,  
8281866) (CVE-2022-21541)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2108540 - CVE-2022-21540 OpenJDK: class compilation issue (Hotspot, 8281859)  
2108543 - CVE-2022-21541 OpenJDK: improper restriction of MethodHandle.invokeBasic() (Hotspot, 8281866)  
2108554 - CVE-2022-34169 OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
java-11-openjdk-11.0.16.0.8-1.el8_1.src.rpm

aarch64:  
java-11-openjdk-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-debuginfo-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-debugsource-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-demo-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-devel-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-devel-debuginfo-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-headless-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-headless-debuginfo-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-javadoc-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-javadoc-zip-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-jmods-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.16.0.8-1.el8_1.aarch64.rpm  
java-11-openjdk-src-11.0.16.0.8-1.el8_1.aarch64.rpm

ppc64le:  
java-11-openjdk-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-debuginfo-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-debugsource-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-demo-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-devel-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-devel-debuginfo-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-headless-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-headless-debuginfo-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-javadoc-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-javadoc-zip-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-jmods-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.16.0.8-1.el8_1.ppc64le.rpm  
java-11-openjdk-src-11.0.16.0.8-1.el8_1.ppc64le.rpm

s390x:  
java-11-openjdk-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-debuginfo-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-debugsource-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-demo-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-devel-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-devel-debuginfo-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-headless-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-headless-debuginfo-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-javadoc-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-javadoc-zip-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-jmods-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.16.0.8-1.el8_1.s390x.rpm  
java-11-openjdk-src-11.0.16.0.8-1.el8_1.s390x.rpm

x86_64:  
java-11-openjdk-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-debuginfo-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-debugsource-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-demo-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-devel-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-devel-debuginfo-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-devel-slowdebug-debuginfo-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-headless-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-headless-debuginfo-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-headless-slowdebug-debuginfo-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-javadoc-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-javadoc-zip-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-jmods-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-slowdebug-debuginfo-11.0.16.0.8-1.el8_1.x86_64.rpm  
java-11-openjdk-src-11.0.16.0.8-1.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-21540  
https://access.redhat.com/security/cve/CVE-2022-21541  
https://access.redhat.com/security/cve/CVE-2022-34169  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYuFkWtzjgjWX9erEAQhmyA/9EIKYnVlNNsXbaxdcihqe2OGnf8lljgIU  
91S/5ALN3gLf+/LH31uTNPQd6NkXtDetofylAfGyuvzZQ3rhiDtUviGfPeiCTpqw  
vuUXEIBwcFDp1Crlyq8/tvb7cPFc0ou2SGEQBFJQh7BUQqh819H8rSsKuYxRhBPl  
ui/LOJb4w164sZAZq70Iiq8Vu5rCWrqn8hsBisLJs8Dh7UN28zCsKfNzo0J4AOTz  
hhwul/bOmaplx7W1OKwnKXiBUSM9gKK6AeCYgjyJ7wrTjatbzkkTyLk6YMa42mjO  
MpCI27VfM+lQcEwgaIQHpb9xC5HC03wvAuxMZAMsHOCLZvdkIX59ZfX0QMm5H4DF  
3QLEse18FfavzE+Bl1x2NSywIUPjOSbluCZ8spFWQ3J3Aol4WlOWH4ONFwlXIIGr  
yUxQ9kkjJaUgs9es9Ue9ZctK2Vr8dF9MN5+2Hq+akSCm7bSkCHDX7WHzme6WqMdD  
Lq8VnWFDsHA6nHL0hn4E3FBFataeOdpAGdvre8ikYTRLp2FkaWpUEspmXS4aP+wz  
fr1nvGCKx0jXJ57ck86PytMR8GmGcwjz5a6UkDIuuJ3jTBSCoYv7/PY+NfoQfTnx  
Hu9a8i/4CyaeIru6o/hCZK9DXAI7Pm8jtxjZaqztwaGZ/FN0RY9ZyuLciNeb383E  
/oTa30L4uX8=JcNG  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5685-01

Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow attackers with user privileges to perform activities with admin privileges over the network. These APIs were consumed in the SF Mobile application for Time Off, Time Sheet, EC Workflow, and Benefits. On successful exploitation, the attacker can read/write attachments. Thus, compromising the confidentiality and integrity of the application

Tag

#sap