Red Hat Security Advisory 2024-1899-03 - Red Hat OpenShift Container Platform release 4.12.56 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1899.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.12.56 security update  
Advisory ID:        RHSA-2024:1899-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1899  
Issue date:         2024-04-26  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.56 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.56. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:1896

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.[y]/release_notes/ocp-4-12-release-notes.html

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-1899-03

Red Hat Security Advisory 2024-1896-03 - Red Hat OpenShift Container Platform release 4.12.56 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1896.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.12.56 security update  
Advisory ID:        RHSA-2024:1896-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1896  
Issue date:         2024-04-25  
Revision:           03  
CVE Names:          CVE-2023-39326  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.56 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.56. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:1899

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Security Fix(es):

* go-git: Maliciously crafted Git server replies can lead to path traversal  
and RCE on go-git clients (CVE-2023-49569)  
* go-git: Maliciously crafted Git server replies can cause DoS on go-git  
clients (CVE-2023-49568)  
* golang: net/http/internal: Denial of Service (DoS) via Resource  
Consumption via HTTP requests (CVE-2023-39326)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-39326

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2253330  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://issues.redhat.com/browse/OCPBUGS-30289  
https://issues.redhat.com/browse/OCPBUGS-30809  
https://issues.redhat.com/browse/OCPBUGS-30829  
https://issues.redhat.com/browse/OCPBUGS-30914  
https://issues.redhat.com/browse/OCPBUGS-32205  
https://issues.redhat.com/browse/OCPBUGS-32226

Red Hat Security Advisory 2024-1896-03

Red Hat Security Advisory 2024-1892-03 - Red Hat OpenShift Container Platform release 4.15.10 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1892.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.10 packages and security update  
Advisory ID:        RHSA-2024:1892-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1892  
Issue date:         2024-04-26  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.10 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of  Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.15.10. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:1887

Security Fix(es):

* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273

Red Hat Security Advisory 2024-1892-03

Red Hat Security Advisory 2024-1887-03 - Red Hat OpenShift Container Platform release 4.15.10 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1887.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.10 bug fix and security update  
Advisory ID:        RHSA-2024:1887-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1887  
Issue date:         2024-04-25  
Revision:           03  
CVE Names:          CVE-2023-47108  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.10 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.15.10. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:1892

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Security Fix(es):

* go-git: Maliciously crafted Git server replies can cause DoS on go-git  
clients (CVE-2023-49568)  
* cluster-monitoring-operator: credentials leak (CVE-2024-1139)  
* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound  
cardinality metrics (CVE-2023-47108)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-47108

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://bugzilla.redhat.com/show_bug.cgi?id=2262158  
https://issues.redhat.com/browse/OCPBUGS-25985  
https://issues.redhat.com/browse/OCPBUGS-27029  
https://issues.redhat.com/browse/OCPBUGS-28769  
https://issues.redhat.com/browse/OCPBUGS-29922  
https://issues.redhat.com/browse/OCPBUGS-30138  
https://issues.redhat.com/browse/OCPBUGS-30306  
https://issues.redhat.com/browse/OCPBUGS-30507  
https://issues.redhat.com/browse/OCPBUGS-31081  
https://issues.redhat.com/browse/OCPBUGS-31335  
https://issues.redhat.com/browse/OCPBUGS-31348  
https://issues.redhat.com/browse/OCPBUGS-31469  
https://issues.redhat.com/browse/OCPBUGS-31471  
https://issues.redhat.com/browse/OCPBUGS-31500  
https://issues.redhat.com/browse/OCPBUGS-31503  
https://issues.redhat.com/browse/OCPBUGS-31538  
https://issues.redhat.com/browse/OCPBUGS-31599  
https://issues.redhat.com/browse/OCPBUGS-31619  
https://issues.redhat.com/browse/OCPBUGS-31651  
https://issues.redhat.com/browse/OCPBUGS-31667  
https://issues.redhat.com/browse/OCPBUGS-31670  
https://issues.redhat.com/browse/OCPBUGS-31754  
https://issues.redhat.com/browse/OCPBUGS-31764  
https://issues.redhat.com/browse/OCPBUGS-31807

Red Hat Security Advisory 2024-1887-03

By Waqas
The official website of Samourai Wallet has been seized, while its official app on the Apple Store and Google Play has been removed.
This is a post from HackRead.com Read the original post: Feds Bust Privacy-Centric Samourai Wallet Over BTC Money Laundering

The United States has taken down the popular “privacy-focused” Bitcoin wallet Samourai, arresting founders and accusing them of laundering $2 billion in crypto, including dark web funds.

The US Department of Justice has arrested the founders of Samourai Wallet, a popular Bitcoin wallet marketed for its strong privacy features. Keonne Rodriguez and William Lonergan Hill now face charges of conspiracy to commit money laundering and operating an unlicensed money transmitting business.

The seized website of the Samourai Wallet (Screenshot: Hackread.com)

Samourai Wallet, known for its “Whirlpool” and “Ricochet” anonymization tools, had long attracted users seeking enhanced privacy for their Bitcoin transactions. However, the DOJ alleges that this cover of secrecy facilitated a staggering amount of illicit activity.

According to the indictment, Samourai allegedly processed over $2 billion in transactions, with at least $100 million originating from illegal dark web marketplaces like Silk Road and Hydra Market.

“For almost 10 years, Keonne Rodriguez and William Hill allegedly operated a mobile cryptocurrency mixing platform which provided other criminals a virtual haven for the clandestine exchange of illicit funds, the facilitation of more than $2 billion in illegal transactions, and $100 million in dark web money laundering,” stated FBI Assistant Director in Charge James Smith. “The FBI is committed to exposing covert financial schemes and ensuring no one can hide behind a screen to perpetuate financial wrongdoing.”

The indictment further accuses Rodriguez and Hill of profiting from these alleged illegal transactions. Samourai allegedly generated millions in fees through its services, raising questions about the company’s true mission.

The takedown of Samourai Wallet has sent shivers down the spines of privacy-focused crypto enthusiasts. Some argue that the ability to conduct anonymous transactions is a core principle of cryptocurrency, essential for protecting users from financial surveillance. Others, however, see the case as validating concerns that criminals can exploit anonymity tools.

The outcome of this case is likely to have a lasting impact on the cryptocurrency industry. It could lead to increased scrutiny of privacy-focused technologies and potentially stricter regulations for cryptocurrency exchanges and wallets.

In the meantime, Samourai Wallet’s website has been seized, and their mobile application is expected to be removed from app stores. Whether Rodriguez and Hill will be found guilty remains to be seen, their arrest goes on to show the the potential consequences for those who operate in the restricted areas of cryptocurrency and anonymity.

1.  Crypto tumbler BestMixer.io seized for money laundering
2.  New Dark Web Market Styx: Focuses on Money Laundering
3.  Android Money Transfer XHelper App was Laundering Money
4.  DeepDotWeb admin pleads guilty to money laundering, kickbacks
5.  2 Russians charged in Mt. Gox Bitcoin heist, BTC-e money laundering
6.  US Blacklists Tornado Cash, GitHub Removes Co-Founder in Response

Feds Bust Privacy-Centric Samourai Wallet Over BTC Money Laundering

By Waqas
As the number of applications and systems used in businesses grows, so do the threats and vulnerabilities that…
This is a post from HackRead.com Read the original post: Ensuring the Security and Efficiency of Web Applications and Systems

As the number of applications and systems used in businesses grows, so do the threats and vulnerabilities that can lead to unauthorized access, data breaches, and other security risks. An integral aspect of web application security is protecting both data and applications from potential attacks. 

To do so, it’s essential to be knowledgeable about security fundamentals and stay up-to-date with emerging technologies and methodologies. 

Understanding the importance of web application security benefits system users by safeguarding their data and instills confidence in the business, developers, and stakeholders. Focusing on security and efficiency will build a strong foundation for your web applications and systems, ensuring their long-term success and resilience against ever-evolving threats.

****Understanding Web Application Security****

When securing your web applications, you must be aware of the common vulnerabilities and threats that can compromise your application’s security. Some of the most prevalent issues include:

*   **SQL Injection:** Attackers can insert harmful SQL code into inputs, leading to unauthorized data access or manipulation.
*   **Cross-site Scripting (XSS):** Vulnerable applications may allow the execution of harmful scripts within users’ web browsers.
*   **Cross-site Request Forgery (CSRF):** An attacker can trick users into performing actions they did not intend.

Regularly assessing and auditing your web applications can help in identifying and fixing these vulnerabilities.

****Encryption and Secure Data Transmission****

Utilizing encryption methods, such as HTTPS with SSL/TLS certificates, ensures that sensitive information remains confidential while traveling between the user’s browser and your web server.

It is also important to encrypt any sensitive data stored in your application, such as user credentials and personal information, to prevent unauthorized access or data leaks.

Implementing strong authentication and authorization mechanisms is crucial for maintaining the security of your web applications. Following best practices when designing these mechanisms can help protect your system against unauthorized access:

*   **Use Two-Factor Authentication (2FA):** By requiring users to provide two forms of identification, such as a password and a temporary code, you can greatly enhance the security of your application.
*   **Role-based Access Control (RBAC):** Assign specific permissions and roles to users, limiting their access and actions to only what is necessary.
*   **Session Management:** Implement proper session management controls by handling cookies securely, using secure tokens, and setting appropriate expiration times.

By addressing these areas, you can take a significant step towards ensuring the security and efficiency of your web applications and systems.

****Strategic Security Measures for Applications****

To ensure the security and efficiency of web applications and systems, it’s crucial to implement strategic security measures that protect your valuable data. 

****Firewalls and Intrusion Detection Systems****

A key component of any application security strategy is firewalls and intrusion detection systems. Firewalls play a crucial role in filtering incoming and outgoing network traffic, helping to block unauthorized access and prevent attacks. 

Intrusion detection systems, on the other hand, actively monitor your network for potential threats and vulnerabilities. By deploying both firewalls and intrusion detection systems, you can significantly enhance your application’s security and defend against various cyber-attacks.

****Best Practices for Secure Coding****

Another vital aspect of application security is following best practices for secure coding. By adhering to industry standards and guidelines, you can mitigate common security risks such as code injection or cross-site scripting. Some secure coding practices include input validation, proper error handling, and secure data storage.

****Regular Security Audits and Compliance****

Performing regular security audits is essential for maintaining a secure application. These audits usually involve comprehensive security testing, including penetration testing reports that help identify vulnerabilities within your application. 

Additionally, staying up-to-date with compliance requirements is crucial—by conducting periodic security audits and adhering to compliance standards, you can ensure that your application remains secure and maintains its users’ trust.

Taking these strategic measures helps strengthen your application’s defense against potential threats. Through the implementation of firewalls and intrusion detection systems, adherence to secure coding practices, and regular security audits and compliance, you can build a robust and secure application for your users.

****Preventing Data Breaches and Ensuring Data Integrity****

Input validation is a crucial aspect of securing web applications and systems. It involves checking the data entered by users to ensure it conforms to acceptable formats and doesn’t contain malicious content. By incorporating input validation techniques, you can reduce the risk of unauthorized access to sensitive data, ensuring its integrity and confidentiality.

One effective method of preventing SQL injection attacks, a common cause of data breaches, is to use parameterized queries. These help maintain separation between the SQL code and user-supplied data, reducing opportunities for hackers to manipulate queries. By using full-stack hosting, you can benefit from a robust infrastructure that supports various languages and frameworks, making it easier to implement secure coding practices.

****Data Backup and Recovery Strategies****

Backing up data allows you to quickly recover from a breach, minimizing downtime and potential damage to your business or user reputation.

Implementing a solid data recovery strategy is essential to restore the integrity and privacy of your data in case of a breach. This can include having multiple copies of your backups stored in different locations to ensure at least one remains protected in the event of a breach.

To ensure data integrity, consider using checksums and digital signatures to detect tampering or corruption within your backups. By maintaining a consistent backup and recovery strategy, you can better protect your sensitive data and uphold privacy standards.

****Ensuring Operational Efficiency and Robust Security****

Scalability ensures that your systems can handle growing workloads, maintain performance, and keep running smoothly without affecting the user experience. One way to improve scalability is by implementing decentralized systems.

Decentralized systems distribute processing and data across multiple nodes, reducing the chance of single points of failure and improving availability. A decentralized architecture can also share resources more efficiently, enhance fault tolerance, and maintain security.

****Ongoing Monitoring and Real-Time Response****

Another crucial aspect of ensuring operational efficiency and robust security is continuous monitoring. By actively monitoring your web applications and systems, you can detect potential security threats, vulnerabilities, and performance bottlenecks early on. Therefore, implement a system that provides real-time response to address issues promptly and minimize the impact on users.

To achieve continuous monitoring, consider the following practices:

*   Deploy Security Operations Centers (SOCs) for dedicated monitoring and response.
*   Use automated tools for vulnerability scanning and security testing.
*   Establish strict access control to limit unauthorized access to sensitive information and systems.

****Conclusion****

It is crucial to adopt a comprehensive approach to ensure the security and efficiency of web applications and systems. This includes employing reliable security measures and practices that defend against unauthorized access, data breaches, and other threats. Fortifying your web applications will help protect sensitive information and guarantee user trust.

Regular updates help maintain the highest level of security, as they often include patches to fix vulnerabilities and improve performance. Equally important is the need to implement strong authentication methods. 

Implementing data encryption is another essential measure to safeguard sensitive information. Encrypting data will make it unreadable to unauthorized parties, thus maintaining its confidentiality. By consistently prioritizing security, you can cultivate confidence from your users, strengthen your reputation, and maintain your web applications’ integrity.

1.  Best Paid and Free OSINT Tools for 2024
2.  Unveiling Vulnerabilities: Penetration Testing Services
3.  Can Vulnerability Scanning Replace Penetration Testing?
4.  Steps In Penetration Testing, Methodology In Cybersecurity
5.  AttackSurfaceMapper; new automated penetration testing tool

Ensuring the Security and Efficiency of Web Applications and Systems

Mattermost versions 9.6.0, 9.5.x before 9.5.3, 9.4.x before 9.4.5, and 8.1.x before 8.1.12 fail to handle JSON parsing errors in custom status values, which allows an authenticated attacker to crash other users' web clients via a malformed custom status.



Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-4182

**Mattermost crashes web clients via a malformed custom status**

Moderate severity GitHub Reviewed Published Apr 26, 2024 to the GitHub Advisory Database • Updated Apr 26, 2024

**Package**

gomod github.com/mattermost/mattermost-server (Go)

**Affected versions**

\>= 8.1.0, <= 8.1.11

\>= 9.4.0, <= 9.4.4

\>= 9.5.0, <= 9.5.2

\>= 9.6.0-rc1, <= 9.6.0

**Patched versions**

8.1.12

9.4.5

9.5.3

9.6.1

**Description**

Published to the GitHub Advisory Database

Apr 26, 2024

Last updated

Apr 26, 2024

GHSA-8f99-g2pj-x8w3: Mattermost crashes web clients via a malformed custom status

python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.

**python-jose denial of service via compressed JWT tokens**

Moderate severity GitHub Reviewed Published Apr 26, 2024 to the GitHub Advisory Database • Updated Apr 26, 2024

GHSA-cjwg-qfpm-7377: python-jose denial of service via compressed JWT tokens

Hackers can influence voters with media and breach campaigns, or try tampering with votes. Or they can combine these tactics to even greater effect.

Source: Lennart Worthmann via Alamy Stock Photo

If history has anything to tell us, the most significant cyber threat to this year's elections won't be a leak, a distributed denial-of-service (DDoS) attack, or a fake news video. Instead, it will be some combination of these or more.

In cyberspace's salad days, hackers caused all kinds of fuss using simple, direct methods: hiding viruses in advertisements, hacking websites with easily guessed passwords, and so on. While that still happens, attackers often have to get more creative by chaining multiple tactics together in order to achieve their goals, thanks to greater cybersecurity awareness and protections.

So too with elections. In 2006, aides to Joe Lieberman's presidential campaign had to resort to their personal emails when a DoS attack froze their IT systems. A decade later, famously, came the Podesta email leak. Now, according to Mandiant, part of Google Cloud, the most potent threats to the democratic process are chained attacks.

"In the most significant cyber incidents targeting elections that Mandiant has tracked, threat actors have deliberately layered multiple tactics in hybrid operations in such a way that the effect of each component magnifies the others," the firm wrote in a new report.

**Combination Election Attacks**

One case study Mandiant pointed to occurred in 2014 when Ukraine's presidential elections were interrupted by a Russian cyber onslaught, following the ouster of its pro-Russian president Viktor Yanukovich, and Russia's invasion of Crimea.

A week before election day, Russian actors hiding behind the hacktivist moniker "Cyber Berkut" struck websites relating to NATO and Ukrainian media outlets with DDoS attacks. That set the stage for when, with four days to go, the same fake hacktivist group broke into the country's central election computers and deleted files and rendered the vote tallying system inoperable.

A day later, they added to the chaos by breaking more election infrastructure, then leaking the emails and documents stored there to the wider Internet. Lastly, just 40 minutes before election results were to be broadcast to the public, the country's Central Election Commission reportedly removed some kind of virus that was designed to present fake results in favor of the far-right, ultra-nationalist candidate.

This extreme brand of combination cyber warfare might have only happened in a country experiencing such upheaval, but other chained cyberattacks have struck more-stable democracies since.

In 2020, two 20-something Iranian nationals carried out a campaign against multiple US states' voting-related websites. They managed to obtain confidential voter information from at least one of them, which they used to send intimidating and misleading emails, including by spreading a video with disinformation about election infrastructure vulnerabilities. They also breached one media company, which, as the Department of Justice noted, could have provided them another channel through which to disseminate their false claims.

"Leaks are particularly powerful. Potentially more powerful when boosted through the compromise of legitimate media," says John Hultquist, chief analyst with Mandiant Intelligence at Google Cloud.

The breach/fake news ploy is a potent concoction. "These disinformation efforts are often orchestrated by state-backed entities from nations such as China, Russia, and Iran," warns Madison Horn, herself a 2024 candidate running for a congressional seat in Oklahoma's 5th district. "Their impact is undeniable, as seen in instances like Russia’s involvement in the 2016 US election and China’s ongoing global influence operations, which starkly demonstrate their capacity to sway public opinion and disrupt electoral integrity."

**The Threat From Cybercrime**

It's not only state-sponsored actors that pose a threat to the democratic process, Mandiant noted. Insiders, hacktivists, and cybercriminals all muddy the waters in their own ways.

In most cases, "The avenues for these campaigns are popular social media platforms — X, Telegram, Facebook — and YouTube, making the digital battlefield as accessible as it is dangerous," Horn warns.

From January 2023 to March 2024, the cybersecurity firm BrandShield tracked suspicious new social media accounts and web domains relating to Joe Biden's and Donald Trump's presidential campaigns. It found hundreds of imposter accounts across social media sites, as well as 2,335 suspect websites claiming some sort of affiliation with the president and 9,639 for the former president (helped by a 197% boost following his arrest in August).

Fake Trump site. Source: BrandShield

Fake sites and accounts are useful for spreading scams or malware and for stealing funds that voters intended to go to candidates, or they can be used in concert with other tactics to achieve greater ends.

"They can be used to get people's information, and maybe try to influence their views by distributing fake news," says BrandShield CEO Yoav Keren, formerly an adviser in the Israeli Knesset. "I would even think that they can use these platforms to interact with real people from the campaigns, to infiltrate their systems. These impersonations can be used in a lot of different ways."

"I don't want to give too many good ideas to the bad guys," he says, "but they usually come up with them before I do."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

The Biggest 2024 Elections Threat: Kitchen-Sink Attack Chains

Plus, new details emerge on the Scattered Spider cybercrime network and ArcaneDoor.

Thursday, April 25, 2024 14:00

I wrote last week about the problems arising from the massive backlog of vulnerabilities at the U.S. National Vulnerability Database.  

Thousands of CVEs are still without analysis data, and the once-reliable database of every single vulnerability that’s disclosed and/or patched is now so far behind, it could take up to 100 days for the National Institute of Standards and Technology (NIST) to catch up, and that would be assuming no new vulnerabilities are disclosed during that period. 

While the U.S. government and NIST try to sort out a potential solution, and hopefully await more funding and restructuring, NIST says it’s hoping to launch a consortium to help either rebuild the NVD or create a replacement.  

Other security experts have floated the idea of other companies or organizations creating a brand-new solution of their own. The main problem with that is, what’s in it for them?  

What works about the NVD is that it’s funded by the U.S. government, so the money is always coming in to help fund the workforce and at least gives MITRE and the other private companies who contribute to the NVD motivation to keep working on it. 

To start up a whole new database of \*every\* CVE out there would take countless man-hours, and then what at the end? Would the company or person(s) who created it start charging for access? 

Several open-source solutions have_man-hours_ popped up over the past few weeks, such as “NVD Data Overrides,” which “is meant to provide additional data that is currently missing from NVD.” However, these types of volunteer projects still can’t assign CVSS scores, because only the NVD is authorized to hand out official NVD CVSS scores. 

This brings up another problem for private companies that may want to develop a solution: Do they want to play referee?  

Sometimes, when there’s a disagreement on how severe a vulnerability is and what severity score to assign it, the NVD will weigh in and provide their own, independently calculated CVSS score. Who really wants to be the “bad guy” to get between a massive tech company like Microsoft or Apple and a security researcher saying a vulnerability is a 9.5 out of 10 CVSS? 

I absolutely give major credit to any volunteers or open-source developers who are working on their own solutions for essentially nothing — but how long can we expect them to keep maintaining these databases? 

Unfortunately, I don’t have a great answer for this, either. I’m far from an expert on vulnerability management, nor do I have any connections to the federal government. But I do feel the onus is on the government to come up with a solution, and potentially provide incentives for companies and researchers to participate in this new proposed consortium because I don’t see the incentives there for the private sector to come up with their own solution.  

**The one big thing **

ArcaneDoor is a new campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Talos and Cisco PSIRT recently identified a previously unknown actor, now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor. UAT4356 deployed two backdoors as components of this campaign, “Line Runner” and “Line Dancer,” which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.   

**Why do I care? **

Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. 

**So now what? **

There are some known indicators of compromise that customers can look for if they suspect they may have been targeted in this campaign. First, organizations should look for any flows to/from ASA devices to any of the IP addresses present in the IOC list provided at the bottom of this blog. This is one indication that further investigation is necessary. Potential targets can also follow the steps detailed in the Cisco ASA Forensic Investigation Procedures for First Responders. When following these procedures, first responders should NOT attempt to collect a core dump or reboot the device if they believe that the device has been compromised, based on the lina memory region output. Talos also released some Snort signatures to detect the activity on the wire including access attempts. Snort Signatures 63139, 62949 and 45575 have been released to detect the implants or associated behaviors. 

**Top security headlines of the week **

**A previously known Windows print spooler bug is still being actively exploited, according to Microsoft.** The company’s threat research team recently disclosed that APT28, a well-known Russian state-sponsored actor, is exploiting the vulnerability to deliver a previously unknown malware called “GooseEgg.” Microsoft disclosed and patched CVE-2022-38028 in October 2022, but APT28 may have been exploiting it as far back as 2020. The actor’s exploitation involved modifying a JavaScript constraints file in the printer spooler and executing it with SYSTEM-level permissions. The new research prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2022-38028 to its Known Exploited Vulnerabilities (KEV) catalog. If installed, GooseEgg can load other applications with System-level permissions and allow the adversary to execute remote code on the targeted device or deploy other backdoors. Another set of print spooler vulnerabilities, called PrintNightmare, made headlines in July 2021, though no one reported active exploitation of that vulnerability at the time. (SC Magazine, Security Week) 

**A new investigation revealed how members of the group Scattered Spider are partnering with Russian state-sponsored actors to carry out ransomware attacks.** Scattered Spider is made up of younger individuals based out of the U.S., U.K. and Canada. They are primarily English speakers who have been blamed for several notable ransomware attacks, including one against MGM Casinos that disrupted operations at several casinos and hotels last year. The group specializes in social engineering, more recently using LinkedIn to steal employee information and use that to infiltrate corporate networks. Members, some as young as teenagers, are connecting over the dark web and online forums like Discord and use their advanced knowledge of Western civilization to provide crucial details to Russian actors. The “60 Minutes” investigation also included new details about The Community (aka “The Comm,” the online collection of hackers who like to brag about their recent cybercrimes, often through Telegram. (CBS News) 

**The U.S. government has re-upped a law that expands government surveillance by opening the door for private companies to partner with the government on these types of activities.** The controversial Foreign Intelligence Surveillance Act (FISA) was re-approved just hours after it lapsed. The White House and proponents in U.S. Congress argued that the powers granted in Section 702 of the FISA helps prevent the spread of terrorism and cyber attacks and that any lapse in those powers would harm the government’s ability to gather crucial intelligence. However, privacy advocates say that the FISA is an overreach, and provides too much power for private companies to potentially spy on consumers. The bill also includes a new definition of “electronic communications service provider,” which could allow the U.S. government to force Big Tech companies and telecommunications providers to hand over users’ data if requested. (NBC News, TechCrunch) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #180: What are the dangers of enabling sideloading and third-party apps? 
*   Suspected CoralRaider continues to expand victimology using three information stealers 
*   Brute-force attacks surge worldwide, warns Cisco Talos    
*   Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs 
*   Rare Computer Virus Detected in Ukrainian Network, Confidential Document Potentially Compromised 

**Upcoming events where you can find Talos **

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._ _Several open-source solutions have_

Tag

#web