Red Hat Security Advisory 2024-4197-03 - An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a HTTP response splitting vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4197.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: httpd:2.4/httpd security updateAdvisory ID:        RHSA-2024:4197-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4197Issue date:         2024-07-01Revision:           03CVE Names:          CVE-2023-38709====================================================================Summary: An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.Security Fix(es):* httpd:2.4: httpd: HTTP response splitting (CVE-2023-38709)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-38709References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2273491

Red Hat Security Advisory 2024-4197-03

The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest.
"These APKs continue the group's trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans," SentinelOne security researcher Alex

The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest.

"These APKs continue the group's trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans," SentinelOne security researcher Alex Delamotte said in a new report shared with The Hacker News.

The campaign, dubbed CapraTube, was first outlined by the cybersecurity company in September 2023, with the hacking crew employing weaponized Android apps impersonating legitimate apps like YouTube to deliver a spyware called CapraRAT, a modified version of AndroRAT with capabilities to capture a wide range of sensitive data.

Transparent Tribe, suspected to be of Pakistan origin, has leveraged CapraRAT for over two years in attacks targeting the Indian government and military personnel. The group has a history of leaning into spear-phishing and watering hole attacks to deliver a variety of Windows and Android spyware.

"The activity highlighted in this report shows the continuation of this technique with updates to the social engineering pretexts as well as efforts to maximize the spyware's compatibility with older versions of the Android operating system while expanding the attack surface to include modern versions of Android," Delamotte explained.

The list of new malicious APK files identified by SentinelOne is as follows -

*   Crazy Game (com.maeps.crygms.tktols)
*   Sexy Videos (com.nobra.crygms.tktols)
*   TikToks (com.maeps.vdosa.tktols)
*   Weapons (com.maeps.vdosa.tktols)

CapraRAT uses WebView to launch a URL to either YouTube or a mobile gaming site named CrazyGames\[.\]com, while, in the background, it abuses its permissions to access locations, SMS messages, contacts, and call logs; make phone calls; take screenshots; or record audio and video.

A notable change to the malware is that permissions such as READ\_INSTALL\_SESSIONS, GET\_ACCOUNTS, AUTHENTICATE\_ACCOUNTS, and REQUEST\_INSTALL\_PACKAGES are no longer requested, suggesting that the threat actors are aiming to use it as a surveillance tool than a backdoor.

"The updates to the CapraRAT code between the September 2023 campaign and the current campaign are minimal, but suggest the developers are focused on making the tool more reliable and stable," Delamotte said.

"The decision to move to newer versions of the Android OS are logical, and likely align with the group's sustained targeting of individuals in the Indian government or military space, who are unlikely to use devices running older versions of Android, such as Lollipop which was released 8 years ago."

The disclosure comes as Promon disclosed a novel type of Android banking malware called Snowblind that, in ways similar to FjordPhantom, attempts to bypass detection methods and make use of the operating system's accessibility services API in a surreptitious manner.

"Snowblind \[...\] performs a normal repackaging attack but uses a lesser-known technique based on seccomp that is capable of bypassing many anti-tampering mechanisms," the company said.

"Interestingly, FjordPhantom and Snowblind target apps from Southeast Asia and leverage powerful new attack techniques. That seems to indicate that malware authors in that region have become extremely sophisticated."

"The updates to the CapraRAT code between the September 2023 campaign and the current campaign are minimal, but suggest the developers are focused on making the tool more reliable and stable," Delamotte said.

"The decision to move to newer versions of the Android OS are logical, and likely align with the group's sustained targeting of individuals in the Indian government or military space, who are unlikely to use devices running older versions of Android, such as Lollipop which was released 8 years ago."

The disclosure comes as Promon disclosed a novel type of Android malware called Snowblind that, in ways similar to FjordPhantom, attempts to bypass detection methods and make use of the operating system's accessibility services API in a surreptitious manner.

"Snowblind \[...\] performs a normal repackaging attack but uses a lesser-known technique based on seccomp that is capable of bypassing many anti-tampering mechanisms," the company said.

"Interestingly, FjordPhantom and Snowblind target apps from Southeast Asia and leverage powerful new attack techniques. That seems to indicate that malware authors in that region have become extremely sophisticated."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CapraRAT Spyware Disguised as Popular Apps Threatens Android Users

A list of topics we covered in the week of June 24 to June 30 of 2024

June 28, 2024 - The Arkansas Attorney General filed a lawsuit against webshop Temu for allegedly being dangerous malware which is after personal data.

June 27, 2024 - Researchers have found an online repository leaking sensitive data, including driving licenses and other identity documents.

June 27, 2024 - A competitor of the infamous Atomic Stealer targeting Mac users, has just launched a new campaign to lure in more victims.

June 26, 2024 - LockBit claimed to have breached Federal Reserve but in fact the data came from Evolve Bank & Trust

June 26, 2024 - Malwarebytes Premium blocked 100% of malware during the most recent testing by the AV Lab Cybersecurity Foundation.

 A week in security (June 24 &#8211; June 30) 

A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to redirect users to a specified URL after completing a survey, without proper validation of the 'redirect' parameter. Consequently, an attacker can execute arbitrary JavaScript code in the context of the user's browser session. This vulnerability could be exploited to steal cookies, potentially leading to account takeover.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-5062

**Reflected Cross-Site Scripting (XSS) in zenml**

Moderate severity GitHub Reviewed Published Jun 30, 2024 to the GitHub Advisory Database • Updated Jul 1, 2024

**Affected versions**

\= 0.57.1

**Description**

A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to redirect users to a specified URL after completing a survey, without proper validation of the 'redirect' parameter. Consequently, an attacker can execute arbitrary JavaScript code in the context of the user's browser session. This vulnerability could be exploited to steal cookies, potentially leading to account takeover.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2024-5062
*   zenml-io/zenml@21edd86
*   https://huntr.com/bounties/ceddd3c1-a9da-4d6c-85c4-41d4d1e1102f

Published to the GitHub Advisory Database

Jun 30, 2024

GHSA-3434-hc3m-8mmm: Reflected Cross-Site Scripting (XSS) in zenml

Google has announced that it's going to start blocking websites that use certificates from Entrust starting around November 1, 2024, in its Chrome browser, citing compliance failures and the certificate authority's inability to address security issues in a timely manner.
"Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust

Cybersecurity / Website Security

Google has announced that it's going to start blocking websites that use certificates from Entrust starting around November 1, 2024, in its Chrome browser, citing compliance failures and the certificate authority's inability to address security issues in a timely manner.

"Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted \[certificate authority\] owner," Google's Chrome security team said.

To that end, the tech giant said it intends to no longer trust TLS server authentication certificates from Entrust starting with Chrome browser versions 127 and higher by default. However, it said that these settings can be overridden by Chrome users and enterprise customers should they wish to do so.

Google further noted that certificate authorities play a privileged and trusted role in ensuring encrypted connections between browsers and websites, and that Entrust's lack of progress when it comes to publicly disclosed incident reports and unrealized improvement commitments poses risks to the internet ecosystem.

The blocking action is expected to cover Windows, macOS, ChromeOS, Android, and Linux versions of the browser. The notable exception is Chrome for iOS and iPadOS, due to Apple's policies that don't permit the Chrome Root Store from being used.

As a result, users navigating to a website that serves a certificate issued by Entrust or AffirmTrust will be greeted by an interstitial message that warns them that their connection is not secure and isn't private.

Affected website operators are urged to move to a publicly-trusted certificate authority owner to minimize disruption by October 31, 2024. According to Entrust's website, its solutions are used by Microsoft, Mastercard, VISA, and VMware, among others.

"While website operators could delay the impact of blocking action by choosing to collect and install a new TLS certificate issued from Entrust before Chrome's blocking action begins on November 1, 2024, website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store," Google said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google to Block Entrust Certificates in Chrome Starting November 2024

Plus: A cloud company says notorious Russian hacker group APT29 attacked it, Chinese hackers use ransomware to hide their espionage campaigns, and a bank popular with startups discloses a cyberattack.

WIRED learned this week that Amazon Web Services investigated claims that the AI search startup Perplexity may have violated the cloud company's rules by appearing to pull data from websites that have attempted to shield themselves from such scraping. The news comes after WIRED published findings last week about the AI search chatbot's indiscriminate data-scraping practices and questionable content generation. WIRED's inquiries to AWS about the matter spurred it to look at Perplexity's activities. A separate WIRED investigation into Quora's Poe AI platform found that it downloaded entire articles from a variety of publishers and shared the files with users, effectively circumventing paywalls.

The US Justice Department announced convictions earlier this week related to a series of violent home invasions in which more than a dozen men threatened, assaulted, tortured, or kidnapped 11 people as part of efforts to steal cryptocurrency.

On Wednesday, WikiLeaks founder Julian Assange agreed to plead guilty to one count of espionage in US court, finally concluding a protracted legal battle between the US government and the controversial, anonymity-focused publisher. The American Privacy Rights Act—the latest in an endless parade of “comprehensive” US privacy bills—got pulled from a congressional hearing and is now unlikely to receive a full vote. And a new tailor-built platform created by the firm SITU Research has been used for the first time in the International Criminal Court as a tool for prosecuting a war crimes case.

Concrete proof is finally starting to emerge from San Jose and New York City that AI gunshot detection systems operate substantially below their advertised accuracy rates. Deepfake creators are revictimizing individuals from the GirlsDoPorn sex trafficking operation by hosting altered versions of videos from that platform. And bureaucratic hurdles are making it even more difficult for health care providers like hospitals to recover and come back online after ransomware attacks.

But wait, there's more. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

**Google Is Piloting a Face-Recognition Office Security System**

At its campus in Kirkland, Washington, Google is rolling out a face recognition system to detect “unauthorized individuals” and block their access to its offices, according to a document about the plan viewed by CNBC. Security cameras inside Google spaces have already been collecting face data and comparing it to employee badge photos in an attempt to flag people who are not regular employees or part of the broader Google workforce. If the system identifies a person of interest, Google’s “Security and Resilience Services” team will work to identify would-be intruders “who may pose a security risk to Google’s people, products, or locations,” according to the document. People who work at or visit the Kirkland campus will not be able to opt out of having their face data collected by the system, but the document notes that data is collected “strictly for immediate use and not stored.” It adds that employees can opt out of having their badge images stored by Google and that this cache of images is only being used to test the system. The document says that the goal of the program is to “maintain safety and security of our people and spaces.”

**German Cloud Company Says It Was the Target of Russian “Cozy Bear” Hackers**

The German cloud company Teamviewer confirmed on Friday that it suffered a cyberattack earlier this week. The company accused the notorious Russian hacking group APT29—also called “Cozy Bear” and “Midnight Blizzard”—of carrying out the attack. “Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment,” Teamviewer said in a statement. The company later confirmed that “the attack was contained within TeamViewer’s internal corporate IT environment and did not touch the product environment, our connectivity platform, or any customer data.”

**Chinese Hackers Have Been Using Ransomware Attacks to Mask Their Activities**

Suspected Chinese government-backed hackers, including the group known as “ChamelGang,” have deployed ransomware in dozens of high-profile attacks as a distraction while they conduct espionage operations on victims' networks. Researchers from the security firms SentinelOne, Recorded Future, and TeamT5 have found evidence, for example, that attackers used the tactic in hacks of a critical Indian health care platform and Brazil's presidential office. Espionage actors are participating in “an increasingly disturbing trend of using ransomware as a final stage in their operations for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence,” the researchers wrote.

**Evolve Bank, Used by Startups, Confirms LockBit Ransomware Attack**

On Wednesday, Evolve Bank and Trust, a financial firm popular with fintech startups, confirmed that it was the victim of a ransomware attack and data breach that may impact customers. “Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers,” the bank said in a statement on Wednesday. The prolific and aggressive ransomware gang known as LockBit recently posted data on its dark-web leak site that it claimed had been stolen from Evolve.

Google Is Piloting Face Recognition for Office Security

PRESS RELEASE

BROWNWOOD, Texas, June 26, 2024 /PRNewswire/ -- Landmark Admin, LLC ("Landmark"), is providing notice of a recent data security incident. Landmark is a third-party administrator for life insurance carriers and may have received certain personal information from producers, insureds, policy owners or policy beneficiaries for insurance policies which Landmark administered.

What Happened?

On or about May 13, 2024, Landmark detected suspicious activity on its system and later learned that an unauthorized third party accessed its network. Upon discovery of this incident, Landmark immediately disconnected indicated systems and remote access to the network and promptly engaged a specialized third-party cybersecurity firm and IT personnel to assist with securing the environment, as well as to conduct a comprehensive forensic investigation to determine the nature and scope of the incident. While the forensic investigation remains ongoing, Landmark found evidence to suggest some of its files may have been compromised by an unauthorized third-party.

Based on these findings, Landmark began reviewing the affected systems to identify the specific individuals and the types of information that may have been compromised.

What Information Was Impacted? 

The following information may have been subject to unauthorized access: first name/initial and last name; address; Social Security number; tax identification number; driver's license number/state-issued identification card; passport number; financial account number; medical information; date of birth; health insurance policy number; and life and annuity policy information.

The information varies by individual. Affected individuals will be notified by mail of information that was impacted.

What Remediation Measures Were Taken?

Landmark takes the privacy and security of personal information seriously. Since the discovery, Landmark moved quickly to investigate and secure its systems. Landmark has taken steps to further enhance its network security, and took steps, and will continue to take steps, to mitigate the risk of future harm.

What Steps Can Individuals Take?

Landmark encourages everyone to remain vigilant against incidents of identity theft by reviewing their account statements and monitoring their credit reports for any suspicious activity. Individuals can obtain free copies of their credit reports by going to the following website: www.annualcreditreport.com or by calling them toll-free at 1-877-322-8228. (Hearing impaired consumers can access their TDD service at 1-877-730-4204.)

You can also obtain more information from the Federal Trade Commission (FTC) about identity theft and ways to protect yourself. The FTC has an identity theft hotline: 877-438-4338; TTY: 1-866-653-4261. They also provide information on-line at www.ftc.gov/idtheft.

Other Important Information: 

If you have questions about the Incident not addressed in this notice please call the help line at 1-844-428-5109 and representatives are available for 90 days from the date of this letter to assist you between the hours of 8:00 a.m. to 8:00 p.m. Eastern time, Monday through Friday excluding U.S. holidays.

Landmark sincerely regrets any concern or inconvenience this matter may cause and remains dedicated to ensuring the privacy and security of all information in our control.

Landmark Admin, LLC Provides Notice of Data Privacy Incident

WIRED was able to download stories from publishers like The New York Times and The Atlantic using Poe’s Assistant bot. One expert calls it “prima facie copyright infringement,” which Quora disputes.

Poe, an AI chatbot platform owned by the question-and-answer site Quora and backed by a $75 million Andreessen Horowitz investment, is providing users with downloadable HTML files of articles published by paywalled journalistic outlets.

Prompting the service’s Assistant bot with the URL of this WIRED story about the AI-powered search service Perplexity plagiarizing one of our stories, for example, yields a detailed, 235-word summary and a 1-MB file containing an HTML capture of the entire article, which users can download from Poe’s servers directly from the chatbot.

WIRED was similarly able to retrieve articles from paywalled sites including The New York Times, Bloomberg Businessweek, The Atlantic, Forbes, Defector, and 404 Media in downloadable format simply by entering URLs into the Assistant bot’s interface. This appears to be just the latest example of the AI industry’s cavalier approach to intellectual property law, which is rapidly undermining existing business models in fields like journalism and music.

“This is a significant copyright issue,” James Grimmelmann, professor of digital and information law at Cornell University, wrote in an email. “Because they made a copy on their own server, that's prima facie copyright infringement.” (Quora disputes this, comparing Poe to a cloud storage service.)

When asked to summarize the content of a test website controlled by my colleague Dhruv Mehrotra, the bot did not return a summary but did return an HTML file. According to the website’s server logs, immediately after the Assistant bot was prompted to summarize the site, a server identifying itself as “Quora Bot” visited the site. It did not attempt to visit the site’s robots.txt page, suggesting that Poe and Quora ignore the Robots Exclusion Protocol, a widely accepted though not legally binding web standard.

A prominent media executive, whom WIRED granted anonymity to candidly discuss a legally sensitive matter his company is actively investigating, says that his publication also observed servers identifying themselves as Quora bots accessing its site immediately after giving Poe’s chatbot prompts about specific articles; these prompts, he says, yielded much or all of the text of these articles.

“Poe is a platform that lets users ask questions and have back-and-forth dialog with a variety of AI-powered bots provided by third parties,” Quora spokesperson Autumn Besselman wrote in an email. “We do not have or train our own AI models. Poe has a feature that enables a user to show the contents of a URL to a bot, but the bot will only see content that it is served by the domain. We would be happy to connect with your technical team to help them make sure your paywalled content isn’t served to people using Poe.”

“The file attachments on Poe are created at the direction of users and operate similarly to cloud storage services, ‘read it later’ services, and ‘web clipper’ products, which we believe are all consistent with copyright law,” Besselman wrote in response to an email asking follow-up questions. Andreessen Horowitz did not respond to a request for comment.

Quora cofounder Adam D’Angelo is a former Facebook CTO as well as an OpenAI board member. (D’Angelo was among the board members who voted to fire OpenAI CEO Sam Altman last year and was the only member who subsequently joined a new board formed after Altman’s return.) In March, nearly three months after Andreessen Horowitz announced that it had led a funding round for Quora, he sat for an interview with David George, a general partner at the venture firm who asked about the relationship between Quora and Poe.

“We’d love to have all of this as integrated as possible,” said D’Angelo. “If you think about the relationship between Facebook and Facebook Messenger, these are two products built by the same company, but they share a lot. I think that Poe and Quora might evolve to a similar kind of relationship. We’d love to get more of the human aspects of Quora into Poe. We’d also love to get the whole Quora dataset into the Poe bots and we’re also working—we’ve launched some of this already—to get some of the Poe AI to generate answers that are available on Quora.”

A user who goes to Poe’s website is prompted to start a chat with one of a number of chatbots. These range from bots offering direct access to various large language models and specialized bots like Mrstherapist (“Your very own therapist with relationship, trauma, stress etc.”) to the Assistant bot, the default option.

The Assistant bot is designated on the site as “by Poe” and as powered by AI firm Anthropic. This doesn’t mean that the bot is Anthropic’s; as the company points out, customers with access to its API can implement its models in their own products however they see fit. Claude, the Anthropic model on which the Assistant bot is apparently built, does not have access to the internet but can work with text provided to it—in this case, seemingly, by Quora crawlers that scrape websites in response to prompts. The HTML file the Assistant bot offers for download after being prompted with an article’s URL re-creates the article when opened in a browser, making it functionally equivalent to a PDF file.

Journalism companies have threatened and carried out legal action over claims that AI companies are infringing on their copyrights. The New York Times, for example, is suing OpenAI and Microsoft alleging infringement, and Forbes reportedly recently sent Perplexity a letter accusing it of “willful infringement.” (OpenAI, Microsoft, and Perplexity have denied wrongdoing.) Publishers whose articles WIRED was able to download were furious when apprised of the situation.

“As the law and The Times’ terms of service make clear,” wrote Charlie Stadtlander, a spokesperson for The New York Times, in an email, “scraping or reproducing The Times' content is prohibited without our prior written permission.”

“These stupid chatbots drive me fucking crazy,” wrote Defector co-owner and editor in chief Tom Ley in a text message. “Defector does not condone having its precious blogs stolen by a dumb chatbot backed by egghead-ass Andreessen Horowitz.”

Quora’s Chatbot Platform Poe Allows Users to Download Paywalled Articles on Demand

Though the Chicago-area hospital did not pay a ransom, a host of sensitive medical information is now at risk.

Source: Helen Sessions via Alamy Stock Photo

A full 791,000 of patients have had their personal information compromised in a cyberattack that resulted in Lurie Children's Hospital in Chicago taking its systems offline.

Cybercriminals accessed the children's hospital's systems, disrupting its patient portal, communications, and ability to access medical records.

In a data breach notification this week, the hospital cited the investigation as ongoing and said that the threat actors accessed the systems between Jan. 26 and 31, 2024.

Once the hospital went offline, it implemented standard response procedures, including its downtime procedures, though it has remained open throughout the duration of the investigation thus far.

While still determining the nature and scope of the attack, the hospital said, information "relating to certain individuals, such as name, address, date of birth, dates of service, driver's license number, email address, health claims information, health plan, health plan beneficiary number, medical condition or diagnosis, medical record number, medical treatment, prescription information, Social Security number, and telephone number, was impacted," though it varies depending on the individual.

The hospital's notice did not specifically say that it was the victim of a ransomware attack, but it noted that the hospital did not pay a ransom of any kind.

"Experts have advised that making a payment to cybercriminals does not guarantee the deletion or retrieval of data that has been taken," according to the hospital.

The cybercriminals in question are in the Rhysida ransomware gang, which has claimed responsibility of the attack, listing the hospital on its website and the apparent 600GB it claims to have stolen as "sold."

The hospital is in the process of informing affected individuals and is providing 24 months to Experian Identity Works. A call center is available to address questions and concerns about the information released on the cyberattack as well.

Hundreds of Thousands Impacted in Children's Hospital Cyberattack

Red Hat Security Advisory 2024-0045-03 - Red Hat OpenShift Container Platform release 4.16.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service, memory exhaustion, and resource exhaustion vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0045.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.16.0 security update  
Advisory ID:        RHSA-2024:0045-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0045  
Issue date:         2024-06-27  
Revision:           03  
CVE Names:          CVE-2023-29483  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.16.0 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.16.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container  
Platform 4.16.0. See the following advisory for the container images for  
this release:

https://access.redhat.com/errata/RHSA-2024:0041

Security Fix(es):

* dnspython: denial of service in stub resolver (CVE-2023-29483)  
* golang: net/http/cookiejar: incorrect forwarding of sensitive headers and  
cookies on HTTP redirect (CVE-2023-45289)  
* golang: net/http: memory exhaustion in Request.ParseMultipartForm  
(CVE-2023-45290)  
* containers/image: digest type does not guarantee valid type  
(CVE-2024-3727)  
* golang: crypto/x509: Verify panics on certificates with an unknown public  
key algorithm (CVE-2024-24783)  
* golang: net/mail: comments in display names are incorrectly handled  
(CVE-2024-24784)  
* golang: html/template: errors returned from MarshalJSON methods may break  
template escaping (CVE-2024-24785)  
* golang-protobuf: encoding/protojson, internal/encoding/json: infinite  
loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON  
(CVE-2024-24786)  
* jose: resource exhaustion (CVE-2024-28176)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at   
https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

CVEs:

CVE-2023-29483

References:

https://access.redhat.com/security/updates/classification/#important  
https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html  
https://bugzilla.redhat.com/show_bug.cgi?id=2262921  
https://bugzilla.redhat.com/show_bug.cgi?id=2268017  
https://bugzilla.redhat.com/show_bug.cgi?id=2268018  
https://bugzilla.redhat.com/show_bug.cgi?id=2268019  
https://bugzilla.redhat.com/show_bug.cgi?id=2268021  
https://bugzilla.redhat.com/show_bug.cgi?id=2268022  
https://bugzilla.redhat.com/show_bug.cgi?id=2268046  
https://bugzilla.redhat.com/show_bug.cgi?id=2268820  
https://bugzilla.redhat.com/show_bug.cgi?id=2274520  
https://bugzilla.redhat.com/show_bug.cgi?id=2274767

Tag

#web