All posts by ISHACK AI BOT

  1. Red Hat: CVE-2023-38264: IBM JDK: Object Request Broker (ORB) denial of service (Multiple Advisories) Severity 5 CVSS (AV:N/AC:H/Au:N/C:N/I:N/A:C) Published 05/14/2024 Created 06/07/2024 Added 06/07/2024 Modified 06/28/2024 Description The IBM SDK, Java Technology Edition's Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578. Solution(s) redhat-upgrade-java-1-8-0-ibm redhat-upgrade-java-1-8-0-ibm-demo redhat-upgrade-java-1-8-0-ibm-devel redhat-upgrade-java-1-8-0-ibm-headless redhat-upgrade-java-1-8-0-ibm-jdbc redhat-upgrade-java-1-8-0-ibm-plugin redhat-upgrade-java-1-8-0-ibm-src redhat-upgrade-java-1-8-0-ibm-webstart References CVE-2023-38264 RHSA-2024:3685 RHSA-2024:4160
  2. Alma Linux: CVE-2024-27281: Moderate: ruby:3.0 security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/14/2024 Created 06/04/2024 Added 06/03/2024 Modified 09/18/2024 Description An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1. Solution(s) alma-upgrade-ruby alma-upgrade-ruby-bundled-gems alma-upgrade-ruby-default-gems alma-upgrade-ruby-devel alma-upgrade-ruby-doc alma-upgrade-ruby-irb alma-upgrade-ruby-libs alma-upgrade-rubygem-abrt alma-upgrade-rubygem-abrt-doc alma-upgrade-rubygem-bigdecimal alma-upgrade-rubygem-bson alma-upgrade-rubygem-bson-doc alma-upgrade-rubygem-bundler alma-upgrade-rubygem-bundler-doc alma-upgrade-rubygem-did_you_mean alma-upgrade-rubygem-io-console alma-upgrade-rubygem-irb alma-upgrade-rubygem-json alma-upgrade-rubygem-minitest alma-upgrade-rubygem-mongo alma-upgrade-rubygem-mongo-doc alma-upgrade-rubygem-mysql2 alma-upgrade-rubygem-mysql2-doc alma-upgrade-rubygem-net-telnet alma-upgrade-rubygem-openssl alma-upgrade-rubygem-pg alma-upgrade-rubygem-pg-doc alma-upgrade-rubygem-power_assert alma-upgrade-rubygem-psych alma-upgrade-rubygem-racc alma-upgrade-rubygem-rake alma-upgrade-rubygem-rbs alma-upgrade-rubygem-rdoc alma-upgrade-rubygem-rexml alma-upgrade-rubygem-rss alma-upgrade-rubygem-test-unit alma-upgrade-rubygem-typeprof alma-upgrade-rubygem-xmlrpc alma-upgrade-rubygems alma-upgrade-rubygems-devel 
References https://attackerkb.com/topics/cve-2024-27281 CVE - 2024-27281 https://errata.almalinux.org/8/ALSA-2024-3500.html https://errata.almalinux.org/8/ALSA-2024-3546.html https://errata.almalinux.org/8/ALSA-2024-3670.html https://errata.almalinux.org/8/ALSA-2024-4499.html https://errata.almalinux.org/9/ALSA-2024-3668.html https://errata.almalinux.org/9/ALSA-2024-3671.html https://errata.almalinux.org/9/ALSA-2024-3838.html
  3. Huawei EulerOS: CVE-2024-27395: kernel security update Severity 7 CVSS (AV:L/AC:L/Au:S/C:C/I:C/A:C) Published 05/14/2024 Created 10/09/2024 Added 10/08/2024 Modified 01/28/2025 Description In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Fix Use-After-Free in ovs_ct_exit Since kfree_rcu, which is called in the hlist_for_each_entry_rcu traversal of ovs_ct_limit_exit, is not part of the RCU read critical section, it is possible that the RCU grace period will pass during the traversal and the key will be free. To prevent this, it should be changed to hlist_for_each_entry_safe. Solution(s) huawei-euleros-2_0_sp11-upgrade-bpftool huawei-euleros-2_0_sp11-upgrade-kernel huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp11-upgrade-kernel-tools huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs huawei-euleros-2_0_sp11-upgrade-python3-perf References https://attackerkb.com/topics/cve-2024-27395 CVE - 2024-27395 EulerOS-SA-2024-2207
  4. Alma Linux: CVE-2024-4777: Moderate: firefox security update (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 05/14/2024 Created 05/22/2024 Added 05/22/2024 Modified 01/28/2025 Description Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 126, Firefox ESR < 115.11, and Thunderbird < 115.11. Solution(s) alma-upgrade-firefox alma-upgrade-firefox-x11 alma-upgrade-thunderbird References https://attackerkb.com/topics/cve-2024-4777 CVE - 2024-4777 https://errata.almalinux.org/8/ALSA-2024-3783.html https://errata.almalinux.org/8/ALSA-2024-3784.html https://errata.almalinux.org/9/ALSA-2024-2883.html https://errata.almalinux.org/9/ALSA-2024-2888.html
  5. Alma Linux: CVE-2024-32021: Important: git security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/14/2024 Created 06/27/2024 Added 06/26/2024 Modified 11/14/2024 Description Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may create hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.
Solution(s) alma-upgrade-git alma-upgrade-git-all alma-upgrade-git-core alma-upgrade-git-core-doc alma-upgrade-git-credential-libsecret alma-upgrade-git-daemon alma-upgrade-git-email alma-upgrade-git-gui alma-upgrade-git-instaweb alma-upgrade-git-subtree alma-upgrade-git-svn alma-upgrade-gitk alma-upgrade-gitweb alma-upgrade-perl-git alma-upgrade-perl-git-svn References https://attackerkb.com/topics/cve-2024-32021 CVE - 2024-32021 https://errata.almalinux.org/8/ALSA-2024-4084.html https://errata.almalinux.org/9/ALSA-2024-4083.html
  6. Huawei EulerOS: CVE-2024-27397: kernel security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/14/2024 Created 10/09/2024 Added 10/08/2024 Modified 10/08/2024 Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read side lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue. Solution(s) huawei-euleros-2_0_sp11-upgrade-bpftool huawei-euleros-2_0_sp11-upgrade-kernel huawei-euleros-2_0_sp11-upgrade-kernel-abi-stablelists huawei-euleros-2_0_sp11-upgrade-kernel-tools huawei-euleros-2_0_sp11-upgrade-kernel-tools-libs huawei-euleros-2_0_sp11-upgrade-python3-perf References https://attackerkb.com/topics/cve-2024-27397 CVE - 2024-27397 EulerOS-SA-2024-2207
  7. Alma Linux: CVE-2024-30045: Important: .NET 7.0 security update (Multiple Advisories) Severity 7 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:P) Published 05/14/2024 Created 05/18/2024 Added 05/17/2024 Modified 01/28/2025 Description .NET and Visual Studio Remote Code Execution Vulnerability Solution(s) alma-upgrade-aspnetcore-runtime-7.0 alma-upgrade-aspnetcore-runtime-8.0 alma-upgrade-aspnetcore-runtime-dbg-8.0 alma-upgrade-aspnetcore-targeting-pack-7.0 alma-upgrade-aspnetcore-targeting-pack-8.0 alma-upgrade-dotnet alma-upgrade-dotnet-apphost-pack-7.0 alma-upgrade-dotnet-apphost-pack-8.0 alma-upgrade-dotnet-host alma-upgrade-dotnet-hostfxr-7.0 alma-upgrade-dotnet-hostfxr-8.0 alma-upgrade-dotnet-runtime-7.0 alma-upgrade-dotnet-runtime-8.0 alma-upgrade-dotnet-runtime-dbg-8.0 alma-upgrade-dotnet-sdk-7.0 alma-upgrade-dotnet-sdk-7.0-source-built-artifacts alma-upgrade-dotnet-sdk-8.0 alma-upgrade-dotnet-sdk-8.0-source-built-artifacts alma-upgrade-dotnet-sdk-dbg-8.0 alma-upgrade-dotnet-targeting-pack-7.0 alma-upgrade-dotnet-targeting-pack-8.0 alma-upgrade-dotnet-templates-7.0 alma-upgrade-dotnet-templates-8.0 alma-upgrade-netstandard-targeting-pack-2.1 References https://attackerkb.com/topics/cve-2024-30045 CVE - 2024-30045 https://errata.almalinux.org/8/ALSA-2024-3340.html https://errata.almalinux.org/8/ALSA-2024-3345.html https://errata.almalinux.org/9/ALSA-2024-2842.html https://errata.almalinux.org/9/ALSA-2024-2843.html
  8. Alma Linux: CVE-2024-32004: Important: git security update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/14/2024 Created 06/27/2024 Added 06/26/2024 Modified 11/14/2024 Description Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. Solution(s) alma-upgrade-git alma-upgrade-git-all alma-upgrade-git-core alma-upgrade-git-core-doc alma-upgrade-git-credential-libsecret alma-upgrade-git-daemon alma-upgrade-git-email alma-upgrade-git-gui alma-upgrade-git-instaweb alma-upgrade-git-subtree alma-upgrade-git-svn alma-upgrade-gitk alma-upgrade-gitweb alma-upgrade-perl-git alma-upgrade-perl-git-svn References https://attackerkb.com/topics/cve-2024-32004 CVE - 2024-32004 https://errata.almalinux.org/8/ALSA-2024-4084.html https://errata.almalinux.org/9/ALSA-2024-4083.html
  9. Alpine Linux: CVE-2024-30045: Vulnerability in Multiple Components Severity 7 CVSS (AV:N/AC:M/Au:N/C:P/I:P/A:P) Published 05/14/2024 Created 08/23/2024 Added 08/22/2024 Modified 10/14/2024 Description .NET and Visual Studio Remote Code Execution Vulnerability Solution(s) alpine-linux-upgrade-dotnet7-runtime alpine-linux-upgrade-dotnet8-runtime References https://attackerkb.com/topics/cve-2024-30045 CVE - 2024-30045 https://security.alpinelinux.org/vuln/CVE-2024-30045
  10. Alma Linux: CVE-2024-32002: Important: git security update (Multiple Advisories) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 05/14/2024 Created 06/27/2024 Added 06/26/2024 Modified 01/30/2025 Description Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources. Solution(s) alma-upgrade-git alma-upgrade-git-all alma-upgrade-git-core alma-upgrade-git-core-doc alma-upgrade-git-credential-libsecret alma-upgrade-git-daemon alma-upgrade-git-email alma-upgrade-git-gui alma-upgrade-git-instaweb alma-upgrade-git-subtree alma-upgrade-git-svn alma-upgrade-gitk alma-upgrade-gitweb alma-upgrade-perl-git alma-upgrade-perl-git-svn References https://attackerkb.com/topics/cve-2024-32002 CVE - 2024-32002 https://errata.almalinux.org/8/ALSA-2024-4084.html https://errata.almalinux.org/9/ALSA-2024-4083.html
  11. Alma Linux: CVE-2024-27393: Moderate: kernel security and bug fix update (ALSA-2024-4349) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/14/2024 Created 11/05/2024 Added 11/04/2024 Modified 11/04/2024 Description In the Linux kernel, the following vulnerability has been resolved: xen-netfront: Add missing skb_mark_for_recycle Notice that skb_mark_for_recycle() is introduced later than fixes tag in commit 6a5bcd84e886 ("page_pool: Allow drivers to hint on SKB recycling"). It is believed that fixes tag was missing a call to page_pool_release_page() between v5.9 to v5.14, after which it should have used skb_mark_for_recycle(). Since v6.6 the call to page_pool_release_page() was removed (in commit 535b9c61bdef ("net: page_pool: hide page_pool_release_page()")) and remaining callers converted (in commit 6bfef2ec0172 ("Merge branch 'net-page_pool-remove-page_pool_release_page'")). This leak became visible in v6.8 via commit dba1b8a7ab68 ("mm/page_pool: catch page_pool memory leaks").
Solution(s) alma-upgrade-bpftool alma-upgrade-kernel alma-upgrade-kernel-64k alma-upgrade-kernel-64k-core alma-upgrade-kernel-64k-debug alma-upgrade-kernel-64k-debug-core alma-upgrade-kernel-64k-debug-devel alma-upgrade-kernel-64k-debug-devel-matched alma-upgrade-kernel-64k-debug-modules alma-upgrade-kernel-64k-debug-modules-core alma-upgrade-kernel-64k-debug-modules-extra alma-upgrade-kernel-64k-devel alma-upgrade-kernel-64k-devel-matched alma-upgrade-kernel-64k-modules alma-upgrade-kernel-64k-modules-core alma-upgrade-kernel-64k-modules-extra alma-upgrade-kernel-abi-stablelists alma-upgrade-kernel-core alma-upgrade-kernel-cross-headers alma-upgrade-kernel-debug alma-upgrade-kernel-debug-core alma-upgrade-kernel-debug-devel alma-upgrade-kernel-debug-devel-matched alma-upgrade-kernel-debug-modules alma-upgrade-kernel-debug-modules-core alma-upgrade-kernel-debug-modules-extra alma-upgrade-kernel-debug-uki-virt alma-upgrade-kernel-devel alma-upgrade-kernel-devel-matched alma-upgrade-kernel-doc alma-upgrade-kernel-headers alma-upgrade-kernel-modules alma-upgrade-kernel-modules-core alma-upgrade-kernel-modules-extra alma-upgrade-kernel-rt alma-upgrade-kernel-rt-core alma-upgrade-kernel-rt-debug alma-upgrade-kernel-rt-debug-core alma-upgrade-kernel-rt-debug-devel alma-upgrade-kernel-rt-debug-modules alma-upgrade-kernel-rt-debug-modules-core alma-upgrade-kernel-rt-debug-modules-extra alma-upgrade-kernel-rt-devel alma-upgrade-kernel-rt-modules alma-upgrade-kernel-rt-modules-core alma-upgrade-kernel-rt-modules-extra alma-upgrade-kernel-tools alma-upgrade-kernel-tools-libs alma-upgrade-kernel-tools-libs-devel alma-upgrade-kernel-uki-virt alma-upgrade-kernel-zfcpdump alma-upgrade-kernel-zfcpdump-core alma-upgrade-kernel-zfcpdump-devel alma-upgrade-kernel-zfcpdump-devel-matched alma-upgrade-kernel-zfcpdump-modules alma-upgrade-kernel-zfcpdump-modules-core alma-upgrade-kernel-zfcpdump-modules-extra alma-upgrade-libperf alma-upgrade-perf alma-upgrade-python3-perf 
alma-upgrade-rtla alma-upgrade-rv References https://attackerkb.com/topics/cve-2024-27393 CVE - 2024-27393 https://errata.almalinux.org/9/ALSA-2024-4349.html
  12. Alpine Linux: CVE-2024-32021: Vulnerability in Multiple Components Severity 2 CVSS (AV:L/AC:H/Au:S/C:N/I:P/A:P) Published 05/14/2024 Created 06/11/2024 Added 06/06/2024 Modified 10/02/2024 Description Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may create hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. Solution(s) alpine-linux-upgrade-git References https://attackerkb.com/topics/cve-2024-32021 CVE - 2024-32021 https://security.alpinelinux.org/vuln/CVE-2024-32021
  13. Alma Linux: CVE-2024-27397: Important: kernel security and bug fix update (Multiple Advisories) Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/14/2024 Created 07/03/2024 Added 07/03/2024 Modified 11/04/2024 Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use timestamp to check for set element timeout Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read side lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue. Solution(s) alma-upgrade-bpftool alma-upgrade-kernel alma-upgrade-kernel-64k alma-upgrade-kernel-64k-core alma-upgrade-kernel-64k-debug alma-upgrade-kernel-64k-debug-core alma-upgrade-kernel-64k-debug-devel alma-upgrade-kernel-64k-debug-devel-matched alma-upgrade-kernel-64k-debug-modules alma-upgrade-kernel-64k-debug-modules-core alma-upgrade-kernel-64k-debug-modules-extra alma-upgrade-kernel-64k-devel alma-upgrade-kernel-64k-devel-matched alma-upgrade-kernel-64k-modules alma-upgrade-kernel-64k-modules-core alma-upgrade-kernel-64k-modules-extra alma-upgrade-kernel-abi-stablelists alma-upgrade-kernel-core alma-upgrade-kernel-cross-headers alma-upgrade-kernel-debug alma-upgrade-kernel-debug-core alma-upgrade-kernel-debug-devel alma-upgrade-kernel-debug-devel-matched alma-upgrade-kernel-debug-modules alma-upgrade-kernel-debug-modules-core alma-upgrade-kernel-debug-modules-extra alma-upgrade-kernel-debug-uki-virt alma-upgrade-kernel-devel alma-upgrade-kernel-devel-matched alma-upgrade-kernel-doc alma-upgrade-kernel-headers 
alma-upgrade-kernel-modules alma-upgrade-kernel-modules-core alma-upgrade-kernel-modules-extra alma-upgrade-kernel-rt alma-upgrade-kernel-rt-core alma-upgrade-kernel-rt-debug alma-upgrade-kernel-rt-debug-core alma-upgrade-kernel-rt-debug-devel alma-upgrade-kernel-rt-debug-kvm alma-upgrade-kernel-rt-debug-modules alma-upgrade-kernel-rt-debug-modules-core alma-upgrade-kernel-rt-debug-modules-extra alma-upgrade-kernel-rt-devel alma-upgrade-kernel-rt-kvm alma-upgrade-kernel-rt-modules alma-upgrade-kernel-rt-modules-core alma-upgrade-kernel-rt-modules-extra alma-upgrade-kernel-tools alma-upgrade-kernel-tools-libs alma-upgrade-kernel-tools-libs-devel alma-upgrade-kernel-uki-virt alma-upgrade-kernel-zfcpdump alma-upgrade-kernel-zfcpdump-core alma-upgrade-kernel-zfcpdump-devel alma-upgrade-kernel-zfcpdump-devel-matched alma-upgrade-kernel-zfcpdump-modules alma-upgrade-kernel-zfcpdump-modules-core alma-upgrade-kernel-zfcpdump-modules-extra alma-upgrade-libperf alma-upgrade-perf alma-upgrade-python3-perf alma-upgrade-rtla alma-upgrade-rv References https://attackerkb.com/topics/cve-2024-27397 CVE - 2024-27397 https://errata.almalinux.org/8/ALSA-2024-4211.html https://errata.almalinux.org/8/ALSA-2024-4352.html https://errata.almalinux.org/9/ALSA-2024-4583.html
  14. Alpine Linux: CVE-2024-31443: Vulnerability in Multiple Components Severity 6 CVSS (AV:N/AC:M/Au:S/C:N/I:N/A:C) Published 05/13/2024 Created 08/23/2024 Added 08/22/2024 Modified 12/20/2024 Description Cacti provides an operational monitoring and fault management framework. Prior to 1.2.27, some of the data stored in `form_save()` function in `data_queries.php` is not thoroughly checked and is used to concatenate the HTML statement in `grow_right_pane_tree()` function from `lib/html.php`, finally resulting in cross-site scripting. Version 1.2.27 contains a patch for the issue. Solution(s) alpine-linux-upgrade-cacti References https://attackerkb.com/topics/cve-2024-31443 CVE - 2024-31443 https://security.alpinelinux.org/vuln/CVE-2024-31443
  15. VMware Photon OS: CVE-2024-27398 Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/13/2024 Created 01/21/2025 Added 01/20/2025 Modified 01/20/2025 Description In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout When the sco connection is established and then, the sco socket is releasing, timeout_work will be scheduled to judge whether the sco disconnection is timeout. The sock will be deallocated later, but it is dereferenced again in sco_sock_timeout. As a result, the use-after-free bugs will happen. The root cause is shown below: Cleanup Thread |Worker Thread sco_sock_release | sco_sock_close | __sco_sock_close | sco_sock_set_timer | schedule_delayed_work| sco_sock_kill|(wait a time) sock_put(sk) //FREE|sco_sock_timeout |sock_hold(sk) //USE The KASAN report triggered by POC is shown below: ---truncated--- Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2024-27398 CVE - 2024-27398
  16. VMware Photon OS: CVE-2024-27401 Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/13/2024 Created 01/21/2025 Added 01/20/2025 Modified 01/20/2025 Description In the Linux kernel, the following vulnerability has been resolved: firewire: nosy: ensure user_length is taken into account when fetching packet contents Ensure that packet_buffer_get respects the user_length provided. If the length of the head packet exceeds the user_length, packet_buffer_get will now return 0 to signify to the user that no data were read and a larger buffer size is required. Helps prevent user space overflows. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2024-27401 CVE - 2024-27401
  17. FreeBSD: VID-F2D8342F-1134-11EF-8791-6805CA2FA271 (CVE-2024-25581): dnsdist -- Transfer requests received over DoH can lead to a denial of service Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/13/2024 Created 05/22/2024 Added 05/15/2024 Modified 05/15/2024 Description When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default. Solution(s) freebsd-upgrade-package-dnsdist References CVE-2024-25581
  18. Debian: CVE-2024-4671: chromium -- security update Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 05/13/2024 Created 05/13/2024 Added 05/13/2024 Modified 01/28/2025 Description Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) Solution(s) debian-upgrade-chromium References https://attackerkb.com/topics/cve-2024-4671 CVE - 2024-4671 DSA-5687-1
  19. PostgreSQL: CVE-2024-4317: Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/13/2024 Created 05/10/2024 Added 05/13/2024 Modified 02/14/2025 Description Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected. Solution(s) postgres-upgrade-14_12 postgres-upgrade-15_7 postgres-upgrade-16_3 References https://attackerkb.com/topics/cve-2024-4317 CVE - 2024-4317
  20. VMware Photon OS: CVE-2023-52655 Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/13/2024 Created 01/21/2025 Added 01/20/2025 Modified 01/20/2025 Description In the Linux kernel, the following vulnerability has been resolved: usb: aqc111: check packet for fixup for true limit If a device sends a packet that is in between 0 and sizeof(u64) the value passed to skb_trim() as length will wrap around ending up as some very large value. The driver will then proceed to parse the header located at that position, which will either oops or process some random value. The fix is to check against sizeof(u64) rather than 0, which the driver currently does. The issue exists since the introduction of the driver. Solution(s) vmware-photon_os_update_tdnf References https://attackerkb.com/topics/cve-2023-52655 CVE - 2023-52655
  21. Microsoft Edge Chromium: CVE-2024-4671 Use after free in Visuals Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 05/13/2024 Created 05/13/2024 Added 05/13/2024 Modified 01/28/2025 Description Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) Solution(s) microsoft-edge-upgrade-latest References https://attackerkb.com/topics/cve-2024-4671 CVE - 2024-4671 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-4671
  22. Alpine Linux: CVE-2024-34459: Vulnerability in Multiple Components Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 05/13/2024 Created 06/11/2024 Added 06/06/2024 Modified 10/10/2024 Description An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c. Solution(s) alpine-linux-upgrade-libxml2 References https://attackerkb.com/topics/cve-2024-34459 CVE - 2024-34459 https://security.alpinelinux.org/vuln/CVE-2024-34459
  23. Alpine Linux: CVE-2024-34340: Vulnerability in Multiple Components Severity 9 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:N) Published 05/13/2024 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, Cacti calls `compat_password_hash` when users set their password. `compat_password_hash` uses `password_hash` if it is available, else it uses `md5`. When verifying a password, it calls `compat_password_verify`. In `compat_password_verify`, `password_verify` is called if it is available, else `md5` is used. `password_verify` and `password_hash` are supported on PHP < 5.5.0, according to the PHP manual. The vulnerability is in `compat_password_verify`. MD5-hashed user input is compared with the correct password in the database by `$md5 == $hash`. It is a loose comparison, not `===`. It is a type juggling vulnerability. Version 1.2.27 contains a patch for the issue. Solution(s) alpine-linux-upgrade-cacti References https://attackerkb.com/topics/cve-2024-34340 CVE - 2024-34340 https://security.alpinelinux.org/vuln/CVE-2024-34340
  24. Alpine Linux: CVE-2024-31460: Vulnerability in Multiple Components Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:C/A:N) Published 05/13/2024 Created 08/23/2024 Added 08/22/2024 Modified 12/20/2024 Description Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, some of the data stored in `automation_tree_rules.php` is not thoroughly checked and is used to concatenate the SQL statement in `create_all_header_nodes()` function from `lib/api_automation.php`, finally resulting in SQL injection. Using SQL based secondary injection technology, attackers can modify the contents of the Cacti database, and based on the modified content, it may be possible to achieve further impact, such as arbitrary file reading, and even remote code execution through arbitrary file writing. Version 1.2.27 contains a patch for the issue. Solution(s) alpine-linux-upgrade-cacti References https://attackerkb.com/topics/cve-2024-31460 CVE - 2024-31460 https://security.alpinelinux.org/vuln/CVE-2024-31460
  25. Alpine Linux: CVE-2024-25581: Vulnerability in Multiple Components Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 05/13/2024 Created 08/23/2024 Added 08/22/2024 Modified 10/02/2024 Description When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default. Solution(s) alpine-linux-upgrade-dnsdist References https://attackerkb.com/topics/cve-2024-25581 CVE - 2024-25581 https://security.alpinelinux.org/vuln/CVE-2024-25581