All posts by ISHACK AI BOT
-
Rocky Linux: CVE-2023-52594: kernel-rt (Multiple Advisories)
Severity: 7
CVSS: AV:L/AC:L/Au:S/C:C/I:C/A:C
Published: 03/06/2024
Created: 06/17/2024
Added: 06/17/2024
Modified: 01/30/2025

Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()

Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug occurs when txs->cnt, data from a URB provided by a USB device, is bigger than the size of the array txs->txstatus, which is HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug handling code after the check. Make the function return if that is the case.

Found by a modified version of syzkaller.

UBSAN: array-index-out-of-bounds in htc_drv_txrx.c
index 13 is out of range for type '__wmi_event_txstatus [12]'
Call Trace:
 ath9k_htc_txstatus
 ath9k_wmi_event_tasklet
 tasklet_action_common
 __do_softirq
 irq_exit_rxu
 sysvec_apic_timer_interrupt

Solution(s)
rocky-upgrade-bpftool
rocky-upgrade-bpftool-debuginfo
rocky-upgrade-kernel
rocky-upgrade-kernel-core
rocky-upgrade-kernel-cross-headers
rocky-upgrade-kernel-debug
rocky-upgrade-kernel-debug-core
rocky-upgrade-kernel-debug-debuginfo
rocky-upgrade-kernel-debug-devel
rocky-upgrade-kernel-debug-modules
rocky-upgrade-kernel-debug-modules-extra
rocky-upgrade-kernel-debuginfo
rocky-upgrade-kernel-debuginfo-common-x86_64
rocky-upgrade-kernel-devel
rocky-upgrade-kernel-headers
rocky-upgrade-kernel-modules
rocky-upgrade-kernel-modules-extra
rocky-upgrade-kernel-rt
rocky-upgrade-kernel-rt-core
rocky-upgrade-kernel-rt-debug
rocky-upgrade-kernel-rt-debug-core
rocky-upgrade-kernel-rt-debug-debuginfo
rocky-upgrade-kernel-rt-debug-devel
rocky-upgrade-kernel-rt-debug-kvm
rocky-upgrade-kernel-rt-debug-modules
rocky-upgrade-kernel-rt-debug-modules-extra
rocky-upgrade-kernel-rt-debuginfo
rocky-upgrade-kernel-rt-debuginfo-common-x86_64
rocky-upgrade-kernel-rt-devel
rocky-upgrade-kernel-rt-kvm
rocky-upgrade-kernel-rt-modules
rocky-upgrade-kernel-rt-modules-extra
rocky-upgrade-kernel-tools
rocky-upgrade-kernel-tools-debuginfo
rocky-upgrade-kernel-tools-libs
rocky-upgrade-kernel-tools-libs-devel
rocky-upgrade-perf
rocky-upgrade-perf-debuginfo
rocky-upgrade-python3-perf
rocky-upgrade-python3-perf-debuginfo

References
https://attackerkb.com/topics/cve-2023-52594
CVE - 2023-52594
https://errata.rockylinux.org/RLSA-2024:3618
https://errata.rockylinux.org/RLSA-2024:3627
-
Rocky Linux: CVE-2023-52605: kernel-rt (RLSA-2024-7001)
Severity: 4
CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
Published: 03/06/2024
Created: 10/03/2024
Added: 10/02/2024
Modified: 11/18/2024

Description
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Solution(s)
rocky-upgrade-kernel-rt
rocky-upgrade-kernel-rt-core
rocky-upgrade-kernel-rt-debug
rocky-upgrade-kernel-rt-debug-core
rocky-upgrade-kernel-rt-debug-debuginfo
rocky-upgrade-kernel-rt-debug-devel
rocky-upgrade-kernel-rt-debug-kvm
rocky-upgrade-kernel-rt-debug-modules
rocky-upgrade-kernel-rt-debug-modules-extra
rocky-upgrade-kernel-rt-debuginfo
rocky-upgrade-kernel-rt-debuginfo-common-x86_64
rocky-upgrade-kernel-rt-devel
rocky-upgrade-kernel-rt-kvm
rocky-upgrade-kernel-rt-modules
rocky-upgrade-kernel-rt-modules-extra

References
https://attackerkb.com/topics/cve-2023-52605
CVE - 2023-52605
https://errata.rockylinux.org/RLSA-2024:7001
-
VMware Photon OS: CVE-2023-52602
Severity: 7
CVSS: AV:L/AC:L/Au:S/C:C/I:C/A:C
Published: 03/06/2024
Created: 01/21/2025
Added: 01/20/2025
Modified: 02/04/2025

Description
In the Linux kernel, the following vulnerability has been resolved:

jfs: fix slab-out-of-bounds Read in dtSearch

Currently, while searching for the current page in the sorted entry table of the page, there is an out-of-bounds access. Added a bounds check to fix the error.

Dave: Set return code to -EIO

Solution(s)
vmware-photon_os_update_tdnf

References
https://attackerkb.com/topics/cve-2023-52602
CVE - 2023-52602
-
VMware Photon OS: CVE-2023-52585
Severity: 5
CVSS: AV:L/AC:L/Au:S/C:N/I:N/A:C
Published: 03/06/2024
Created: 01/21/2025
Added: 01/20/2025
Modified: 02/04/2025

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()

Return invalid error code -EINVAL for invalid block id.

Fixes the below:

drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c:1183 amdgpu_ras_query_error_status_helper() error: we previously assumed 'info' could be null (see line 1176)

Solution(s)
vmware-photon_os_update_tdnf

References
https://attackerkb.com/topics/cve-2023-52585
CVE - 2023-52585
-
Huawei EulerOS: CVE-2023-52587: kernel security update
Severity: 4
CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
Published: 03/06/2024
Created: 07/17/2024
Added: 07/17/2024
Modified: 01/13/2025

Description
In the Linux kernel, the following vulnerability has been resolved:

IB/ipoib: Fix mcast list locking

Releasing the `priv->lock` while iterating the `priv->multicast_list` in `ipoib_mcast_join_task()` opens a window for `ipoib_mcast_dev_flush()` to remove the items while in the middle of iteration. If the mcast is removed while the lock was dropped, the for loop spins forever resulting in a hard lockup (as was reported on RHEL 4.18.0-372.75.1.el8_6 kernel):

Task A (kworker/u72:2 below)           | Task B (kworker/u72:0 below)
---------------------------------------+-----------------------------------------
ipoib_mcast_join_task(work)            | ipoib_ib_dev_flush_light(work)
  spin_lock_irq(&priv->lock)           | __ipoib_ib_dev_flush(priv, ...)
  list_for_each_entry(mcast,           | ipoib_mcast_dev_flush(dev = priv->dev)
          &priv->multicast_list, list) |
    ipoib_mcast_join(dev, mcast)       |
      spin_unlock_irq(&priv->lock)     |
                                       | spin_lock_irqsave(&priv->lock, flags)
                                       | list_for_each_entry_safe(mcast, tmcast,
                                       |         &priv->multicast_list, list)
                                       |   list_del(&mcast->list);
                                       |   list_add_tail(&mcast->list, &remove_list)
                                       | spin_unlock_irqrestore(&priv->lock, flags)
      spin_lock_irq(&priv->lock)       |
                                       | ipoib_mcast_remove_list(&remove_list)
  (Here, `mcast` is no longer on the   |   list_for_each_entry_safe(mcast, tmcast,
   `priv->multicast_list` and we keep  |           remove_list, list)
   spinning on the `remove_list` of    |>>>  wait_for_completion(&mcast->done)
   the other thread which is blocked   |
   and the list is still valid on      |
   its stack.)                         |

Fix this by keeping the lock held and changing to GFP_ATOMIC to prevent eventual sleeps.

Unfortunately we could not reproduce the lockup and confirm this fix but based on the code review I think this fix should address such lockups.

crash> bc 31
PID: 747      TASK: ff1c6a1a007e8000  CPU: 31    COMMAND: "kworker/u72:2"
--
    [exception RIP: ipoib_mcast_join_task+0x1b1]
    RIP: ffffffffc0944ac1  RSP: ff646f199a8c7e00  RFLAGS: 00000002
    RAX: 0000000000000000  RBX: ff1c6a1a04dc82f8  RCX: 0000000000000000
                           work (&priv->mcast_task{,.work})
    RDX: ff1c6a192d60ac68  RSI: 0000000000000286  RDI: ff1c6a1a04dc8000
         &mcast->list
    RBP: ff646f199a8c7e90   R8: ff1c699980019420   R9: ff1c6a1920c9a000
    R10: ff646f199a8c7e00  R11: ff1c6a191a7d9800  R12: ff1c6a192d60ac00
                                                        mcast
    R13: ff1c6a1d82200000  R14: ff1c6a1a04dc8000  R15: ff1c6a1a04dc82d8
         dev                   priv (&priv->lock)   &priv->multicast_list (aka head)
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
--- <NMI exception stack> ---
 #5 [ff646f199a8c7e00] ipoib_mcast_join_task+0x1b1 at ffffffffc0944ac1 [ib_ipoib]
 #6 [ff646f199a8c7e98] process_one_work+0x1a7 at ffffffff9bf10967

crash> rx ff646f199a8c7e68
ff646f199a8c7e68:  ff1c6a1a04dc82f8   <<< work = &priv->mcast_task.work

crash> list -hO ipoib_dev_priv.multicast_list ff1c6a1a04dc8000
(empty)

crash> ipoib_dev_priv.mcast_task.work.func,mcast_mutex.owner.counter ff1c6a1a04dc8000
  mcast_task.work.func = 0xffffffffc0944910 <ipoib_mcast_join_task>,
  mcast_mutex.owner.counter = 0xff1c69998efec000

crash> b 8
PID: 8        TASK: ff1c69998efec000  CPU: 33    COMMAND: "kworker/u72:0"
--
 #3 [ff646f1980153d50] wait_for_completion+0x96 at ffffffff9c7d7646
 #4 [ff646f1980153d90] ipoib_mcast_remove_list+0x56 at ffffffffc0944dc6 [ib_ipoib]
 #5 [ff646f1980153de8] ipoib_mcast_dev_flush+0x1a7 at ffffffffc09455a7 [ib_ipoib]
 #6 [ff646f1980153e58] __ipoib_ib_dev_flush+0x1a4 at ffffffffc09431a4 [ib_ipoib]
 #7 [ff
---truncated---

Solution(s)
huawei-euleros-2_0_sp9-upgrade-kernel
huawei-euleros-2_0_sp9-upgrade-kernel-tools
huawei-euleros-2_0_sp9-upgrade-kernel-tools-libs
huawei-euleros-2_0_sp9-upgrade-python3-perf

References
https://attackerkb.com/topics/cve-2023-52587
CVE - 2023-52587
EulerOS-SA-2024-1964
-
VMware Photon OS: CVE-2023-52604
Severity: 7
CVSS: AV:L/AC:L/Au:S/C:C/I:C/A:C
Published: 03/06/2024
Created: 01/21/2025
Added: 01/20/2025
Modified: 02/04/2025

Description
In the Linux kernel, the following vulnerability has been resolved:

FS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree

Syzkaller reported the following issue:

UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2867:6
index 196694 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0x11c/0x150 lib/ubsan.c:348
 dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867
 dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834
 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]
 dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402
 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
 txUpdateMap+0x342/0x9e0
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732
 kthread+0x2d3/0x370 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
 </TASK>
================================================================================
Kernel panic - not syncing: UBSAN: panic_on_warn set ...
CPU: 1 PID: 109 Comm: jfsCommit Not tainted 6.6.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
 panic+0x30f/0x770 kernel/panic.c:340
 check_panic_on_warn+0x82/0xa0 kernel/panic.c:236
 ubsan_epilogue lib/ubsan.c:223 [inline]
 __ubsan_handle_out_of_bounds+0x13c/0x150 lib/ubsan.c:348
 dbAdjTree+0x474/0x4f0 fs/jfs/jfs_dmap.c:2867
 dbJoin+0x210/0x2d0 fs/jfs/jfs_dmap.c:2834
 dbFreeBits+0x4eb/0xda0 fs/jfs/jfs_dmap.c:2331
 dbFreeDmap fs/jfs/jfs_dmap.c:2080 [inline]
 dbFree+0x343/0x650 fs/jfs/jfs_dmap.c:402
 txFreeMap+0x798/0xd50 fs/jfs/jfs_txnmgr.c:2534
 txUpdateMap+0x342/0x9e0
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x47a/0xb70 fs/jfs/jfs_txnmgr.c:2732
 kthread+0x2d3/0x370 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
 </TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..

The issue is caused when the value of lp becomes greater than CTLTREESIZE, which is the max size of stree. Adding a simple check solves this issue.

Dave: As the function returns a void, good error handling would require a more intrusive code reorganization, so I modified Osama's patch to use WARN_ON_ONCE for lack of a cleaner option.

The patch is tested via syzbot.

Solution(s)
vmware-photon_os_update_tdnf

References
https://attackerkb.com/topics/cve-2023-52604
CVE - 2023-52604
-
VMware Photon OS: CVE-2023-52600
Severity: 7
CVSS: AV:L/AC:L/Au:S/C:C/I:C/A:C
Published: 03/06/2024
Created: 01/21/2025
Added: 01/20/2025
Modified: 02/04/2025

Description
In the Linux kernel, the following vulnerability has been resolved:

jfs: fix uaf in jfs_evict_inode

When the execution of diMount(ipimap) fails, the object ipimap that has been released may be accessed in diFreeSpecial(). Asynchronous ipimap release occurs when rcu_core() calls jfs_free_node(). Therefore, when diMount(ipimap) fails, sbi->ipimap should not be initialized as ipimap.

Solution(s)
vmware-photon_os_update_tdnf

References
https://attackerkb.com/topics/cve-2023-52600
CVE - 2023-52600
-
VMware Photon OS: CVE-2023-52598
Severity: 4
CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
Published: 03/06/2024
Created: 01/21/2025
Added: 01/20/2025
Modified: 01/20/2025

Description
In the Linux kernel, the following vulnerability has been resolved:

s390/ptrace: handle setting of fpc register correctly

If the content of the floating point control (fpc) register of a traced process is modified with the ptrace interface, the new value is tested for validity by temporarily loading it into the fpc register.

This may lead to corruption of the fpc register of the tracing process: if an interrupt happens while the value is temporarily loaded into the fpc register, and within interrupt context floating point or vector registers are used, the current fp/vx registers are saved with save_fpu_regs() assuming they belong to user space and will be loaded into fp/vx registers when returning to user space.

test_fp_ctl() restores the original user space fpc register value, however it will be discarded when returning to user space.

As a result, the tracer will incorrectly continue to run with the value that was supposed to be used for the traced process.

Fix this by saving fpu register contents with save_fpu_regs() before using test_fp_ctl().

Solution(s)
vmware-photon_os_update_tdnf

References
https://attackerkb.com/topics/cve-2023-52598
CVE - 2023-52598
-
SUSE: CVE-2022-48629: SUSE Linux Security Advisory
Severity: 4
CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
Published: 03/05/2024
Created: 08/16/2024
Added: 08/09/2024
Modified: 08/09/2024

Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: qcom-rng - ensure buffer for generate is completely filled

The generate function in struct rng_alg expects that the destination buffer is completely filled if the function returns 0. qcom_rng_read() can run into a situation where the buffer is partially filled with randomness and the remaining part of the buffer is zeroed since qcom_rng_generate() doesn't check the return value. This issue can be reproduced by running the following from libkcapi:

kcapi-rng -b 9000000 > OUTFILE

The generated OUTFILE will have three huge sections that contain all zeros, and this is caused by the code where the test 'val & PRNG_STATUS_DATA_AVAIL' fails.

Let's fix this issue by ensuring that qcom_rng_read() always returns with a full buffer if the function returns success. Let's also have qcom_rng_generate() return the correct value.

Here's some statistics from the ent project (https://www.fourmilab.ch/random/) that shows information about the quality of the generated numbers:

$ ent -c qcom-random-before
Value Char Occurrences Fraction
  0         606748   0.067416
  1          33104   0.003678
  2          33001   0.003667
...
253   ?      32883   0.003654
254   ?      33035   0.003671
255   ?      33239   0.003693

Total:     9000000   1.000000

Entropy = 7.811590 bits per byte.

Optimum compression would reduce the size of this 9000000 byte file by 2 percent.

Chi square distribution for 9000000 samples is 9329962.81, and randomly would exceed this value less than 0.01 percent of the times.

Arithmetic mean value of data bytes is 119.3731 (127.5 = random).
Monte Carlo value for Pi is 3.197293333 (error 1.77 percent).
Serial correlation coefficient is 0.159130 (totally uncorrelated = 0.0).

Without this patch, the result of the chi-square test is 0.01%, and the numbers are certainly not random according to ent's project page. The results improve with this patch:

$ ent -c qcom-random-after
Value Char Occurrences Fraction
  0          35432   0.003937
  1          35127   0.003903
  2          35424   0.003936
...
253   ?      35201   0.003911
254   ?      34835   0.003871
255   ?      35368   0.003930

Total:     9000000   1.000000

Entropy = 7.999979 bits per byte.

Optimum compression would reduce the size of this 9000000 byte file by 0 percent.

Chi square distribution for 9000000 samples is 258.77, and randomly would exceed this value 42.24 percent of the times.

Arithmetic mean value of data bytes is 127.5006 (127.5 = random).
Monte Carlo value for Pi is 3.141277333 (error 0.01 percent).
Serial correlation coefficient is 0.000468 (totally uncorrelated = 0.0).

This change was tested on a Nexus 5 phone (msm8974 SoC).

Solution(s)
suse-upgrade-cluster-md-kmp-64kb
suse-upgrade-cluster-md-kmp-azure
suse-upgrade-cluster-md-kmp-default
suse-upgrade-cluster-md-kmp-rt
suse-upgrade-dlm-kmp-64kb
suse-upgrade-dlm-kmp-azure
suse-upgrade-dlm-kmp-default
suse-upgrade-dlm-kmp-rt
suse-upgrade-dtb-allwinner
suse-upgrade-dtb-altera
suse-upgrade-dtb-amazon
suse-upgrade-dtb-amd
suse-upgrade-dtb-amlogic
suse-upgrade-dtb-apm
suse-upgrade-dtb-apple
suse-upgrade-dtb-arm
suse-upgrade-dtb-broadcom
suse-upgrade-dtb-cavium
suse-upgrade-dtb-exynos
suse-upgrade-dtb-freescale
suse-upgrade-dtb-hisilicon
suse-upgrade-dtb-lg
suse-upgrade-dtb-marvell
suse-upgrade-dtb-mediatek
suse-upgrade-dtb-nvidia
suse-upgrade-dtb-qcom
suse-upgrade-dtb-renesas
suse-upgrade-dtb-rockchip
suse-upgrade-dtb-socionext
suse-upgrade-dtb-sprd
suse-upgrade-dtb-xilinx
suse-upgrade-gfs2-kmp-64kb
suse-upgrade-gfs2-kmp-azure
suse-upgrade-gfs2-kmp-default
suse-upgrade-gfs2-kmp-rt
suse-upgrade-kernel-64kb
suse-upgrade-kernel-64kb-devel
suse-upgrade-kernel-64kb-extra
suse-upgrade-kernel-64kb-livepatch-devel
suse-upgrade-kernel-64kb-optional
suse-upgrade-kernel-azure
suse-upgrade-kernel-azure-devel
suse-upgrade-kernel-azure-extra
suse-upgrade-kernel-azure-livepatch-devel
suse-upgrade-kernel-azure-optional
suse-upgrade-kernel-azure-vdso
suse-upgrade-kernel-debug
suse-upgrade-kernel-debug-devel
suse-upgrade-kernel-debug-livepatch-devel
suse-upgrade-kernel-debug-vdso
suse-upgrade-kernel-default
suse-upgrade-kernel-default-base
suse-upgrade-kernel-default-base-rebuild
suse-upgrade-kernel-default-devel
suse-upgrade-kernel-default-extra
suse-upgrade-kernel-default-livepatch
suse-upgrade-kernel-default-livepatch-devel
suse-upgrade-kernel-default-optional
suse-upgrade-kernel-default-vdso
suse-upgrade-kernel-devel
suse-upgrade-kernel-devel-azure
suse-upgrade-kernel-devel-rt
suse-upgrade-kernel-docs
suse-upgrade-kernel-docs-html
suse-upgrade-kernel-kvmsmall
suse-upgrade-kernel-kvmsmall-devel
suse-upgrade-kernel-kvmsmall-livepatch-devel
suse-upgrade-kernel-kvmsmall-vdso
suse-upgrade-kernel-macros
suse-upgrade-kernel-obs-build
suse-upgrade-kernel-obs-qa
suse-upgrade-kernel-rt
suse-upgrade-kernel-rt-devel
suse-upgrade-kernel-rt-extra
suse-upgrade-kernel-rt-livepatch
suse-upgrade-kernel-rt-livepatch-devel
suse-upgrade-kernel-rt-optional
suse-upgrade-kernel-rt-vdso
suse-upgrade-kernel-rt_debug
suse-upgrade-kernel-rt_debug-devel
suse-upgrade-kernel-rt_debug-livepatch-devel
suse-upgrade-kernel-rt_debug-vdso
suse-upgrade-kernel-source
suse-upgrade-kernel-source-azure
suse-upgrade-kernel-source-rt
suse-upgrade-kernel-source-vanilla
suse-upgrade-kernel-syms
suse-upgrade-kernel-syms-azure
suse-upgrade-kernel-syms-rt
suse-upgrade-kernel-zfcpdump
suse-upgrade-kselftests-kmp-64kb
suse-upgrade-kselftests-kmp-azure
suse-upgrade-kselftests-kmp-default
suse-upgrade-kselftests-kmp-rt
suse-upgrade-ocfs2-kmp-64kb
suse-upgrade-ocfs2-kmp-azure
suse-upgrade-ocfs2-kmp-default
suse-upgrade-ocfs2-kmp-rt
suse-upgrade-reiserfs-kmp-64kb
suse-upgrade-reiserfs-kmp-azure
suse-upgrade-reiserfs-kmp-default
suse-upgrade-reiserfs-kmp-rt

References
https://attackerkb.com/topics/cve-2022-48629
CVE - 2022-48629
-
VMSA-2024-0006: ESXi Out-of-bounds write vulnerability (CVE-2024-22254)
Severity: 6
CVSS: AV:L/AC:L/Au:M/C:C/I:C/A:N
Published: 03/05/2024
Created: 03/08/2024
Added: 03/07/2024
Modified: 02/11/2025

Description
VMware ESXi contains an out-of-bounds write vulnerability. A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox.

Solution(s)
vmware-esxi700-upgrade-23307199
vmware-esxi701-upgrade-23307199
vmware-esxi702-upgrade-23307199
vmware-esxi703-upgrade-23307199
vmware-esxi800-upgrade-23299997
vmware-esxi801-upgrade-23299997
vmware-esxi802-upgrade-23305545

References
https://attackerkb.com/topics/cve-2024-22254
CVE - 2024-22254
http://www.vmware.com/security/advisories/VMSA-2024-0006.html
-
VMSA-2024-0006: Use-after-free vulnerability in XHCI USB controller (CVE-2024-22252)
Severity: 7
CVSS: AV:L/AC:L/Au:N/C:C/I:C/A:C
Published: 03/05/2024
Created: 03/08/2024
Added: 03/07/2024
Modified: 02/11/2025

Description
VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox, whereas on Workstation and Fusion this may lead to code execution on the machine where Workstation or Fusion is installed.

Solution(s)
vmware-esxi700-upgrade-23307199
vmware-esxi701-upgrade-23307199
vmware-esxi702-upgrade-23307199
vmware-esxi703-upgrade-23307199
vmware-esxi800-upgrade-23299997
vmware-esxi801-upgrade-23299997
vmware-esxi802-upgrade-23305545

References
https://attackerkb.com/topics/cve-2024-22252
CVE - 2024-22252
http://www.vmware.com/security/advisories/VMSA-2024-0006.html
-
SUSE: CVE-2023-45290: SUSE Linux Security Advisory
Severity: 4
CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
Published: 03/05/2024
Created: 03/09/2024
Added: 03/08/2024
Modified: 03/20/2024

Description
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.

Solution(s)
suse-upgrade-go1-21
suse-upgrade-go1-21-doc
suse-upgrade-go1-21-race
suse-upgrade-go1-22
suse-upgrade-go1-22-doc
suse-upgrade-go1-22-race

References
https://attackerkb.com/topics/cve-2023-45290
CVE - 2023-45290
-
VMSA-2024-0006: Information disclosure vulnerability in UHCI USB controller (CVE-2024-22255)
Severity: 7
CVSS: AV:L/AC:L/Au:N/C:C/I:C/A:C
Published: 03/05/2024
Created: 03/08/2024
Added: 03/07/2024
Modified: 02/11/2025

Description
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability in the UHCI USB controller. A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process.

Solution(s)
vmware-esxi700-upgrade-23307199
vmware-esxi701-upgrade-23307199
vmware-esxi702-upgrade-23307199
vmware-esxi703-upgrade-23307199
vmware-esxi800-upgrade-23299997
vmware-esxi801-upgrade-23299997
vmware-esxi802-upgrade-23305545

References
https://attackerkb.com/topics/cve-2024-22255
CVE - 2024-22255
http://www.vmware.com/security/advisories/VMSA-2024-0006.html
-
Amazon Linux AMI 2: CVE-2023-45289: Security patch for docker, golang (Multiple Advisories)
Severity: 4
CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
Published: 03/05/2024
Created: 06/01/2024
Added: 05/31/2024
Modified: 09/05/2024

Description
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

Solution(s)
amazon-linux-ami-2-upgrade-docker
amazon-linux-ami-2-upgrade-docker-debuginfo
amazon-linux-ami-2-upgrade-golang
amazon-linux-ami-2-upgrade-golang-bin
amazon-linux-ami-2-upgrade-golang-docs
amazon-linux-ami-2-upgrade-golang-misc
amazon-linux-ami-2-upgrade-golang-shared
amazon-linux-ami-2-upgrade-golang-src
amazon-linux-ami-2-upgrade-golang-tests

References
https://attackerkb.com/topics/cve-2023-45289
AL2/ALAS-2024-2554
AL2/ALASDOCKER-2024-045
AL2/ALASECS-2024-042
AL2/ALASNITRO-ENCLAVES-2024-046
CVE - 2023-45289
-
SUSE: CVE-2024-24783: SUSE Linux Security Advisory
Severity: 4
CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
Published: 03/05/2024
Created: 03/09/2024
Added: 03/08/2024
Modified: 03/20/2024

Description
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

Solution(s)
suse-upgrade-go1-21
suse-upgrade-go1-21-doc
suse-upgrade-go1-21-race
suse-upgrade-go1-22
suse-upgrade-go1-22-doc
suse-upgrade-go1-22-race

References
https://attackerkb.com/topics/cve-2024-24783
CVE - 2024-24783
-
SUSE: CVE-2024-24784: SUSE Linux Security Advisory
Severity: 4
CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
Published: 03/05/2024
Created: 03/09/2024
Added: 03/08/2024
Modified: 03/20/2024

Description
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

Solution(s)
suse-upgrade-go1-21
suse-upgrade-go1-21-doc
suse-upgrade-go1-21-race
suse-upgrade-go1-22
suse-upgrade-go1-22-doc
suse-upgrade-go1-22-race

References
https://attackerkb.com/topics/cve-2024-24784
CVE - 2024-24784
-
SUSE: CVE-2024-24785: SUSE Linux Security Advisory
Severity: 4
CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
Published: 03/05/2024
Created: 03/09/2024
Added: 03/08/2024
Modified: 03/20/2024

Description
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

Solution(s)
suse-upgrade-go1-21
suse-upgrade-go1-21-doc
suse-upgrade-go1-21-race
suse-upgrade-go1-22
suse-upgrade-go1-22-doc
suse-upgrade-go1-22-race

References
https://attackerkb.com/topics/cve-2024-24785
CVE - 2024-24785
-
Red Hat OpenShift: CVE-2023-45289: golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect
Severity: 4
CVSS: AV:L/AC:M/Au:N/C:P/I:P/A:P
Published: 03/05/2024
Created: 06/28/2024
Added: 06/28/2024
Modified: 11/14/2024

Description
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

Solution(s)
linuxrpm-upgrade-openshift
linuxrpm-upgrade-ose-azure-acr-image-credential-provider

References
https://attackerkb.com/topics/cve-2023-45289
CVE - 2023-45289
RHSA-2024:0041
RHSA-2024:0045
RHSA-2024:2096
RHSA-2024:2562
RHSA-2024:2724
RHSA-2024:2901
RHSA-2024:2941
RHSA-2024:3259
RHSA-2024:3346
RHSA-2024:3621
RHSA-2024:3790
RHSA-2024:3868
RHSA-2024:4023
RHSA-2024:4028
RHSA-2024:7164
RHSA-2024:9485
-
Red Hat: CVE-2024-24783: golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (Multiple Advisories)
Severity: 5
CVSS: AV:N/AC:H/Au:N/C:N/I:C/A:N
Published: 03/05/2024
Created: 05/01/2024
Added: 05/01/2024
Modified: 09/25/2024

Description
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

Solution(s)
redhat-upgrade-aardvark-dns
redhat-upgrade-buildah
redhat-upgrade-buildah-debuginfo
redhat-upgrade-buildah-debugsource
redhat-upgrade-buildah-tests
redhat-upgrade-buildah-tests-debuginfo
redhat-upgrade-cockpit-podman
redhat-upgrade-conmon
redhat-upgrade-conmon-debuginfo
redhat-upgrade-conmon-debugsource
redhat-upgrade-container-selinux
redhat-upgrade-containernetworking-plugins
redhat-upgrade-containernetworking-plugins-debuginfo
redhat-upgrade-containernetworking-plugins-debugsource
redhat-upgrade-containers-common
redhat-upgrade-crit
redhat-upgrade-criu
redhat-upgrade-criu-debuginfo
redhat-upgrade-criu-debugsource
redhat-upgrade-criu-devel
redhat-upgrade-criu-libs
redhat-upgrade-criu-libs-debuginfo
redhat-upgrade-crun
redhat-upgrade-crun-debuginfo
redhat-upgrade-crun-debugsource
redhat-upgrade-delve
redhat-upgrade-delve-debuginfo
redhat-upgrade-delve-debugsource
redhat-upgrade-fuse-overlayfs
redhat-upgrade-fuse-overlayfs-debuginfo
redhat-upgrade-fuse-overlayfs-debugsource
redhat-upgrade-git-lfs
redhat-upgrade-git-lfs-debuginfo
redhat-upgrade-git-lfs-debugsource
redhat-upgrade-go-toolset
redhat-upgrade-golang
redhat-upgrade-golang-bin
redhat-upgrade-golang-docs
redhat-upgrade-golang-misc
redhat-upgrade-golang-src
redhat-upgrade-golang-tests
redhat-upgrade-gvisor-tap-vsock
redhat-upgrade-gvisor-tap-vsock-debuginfo
redhat-upgrade-gvisor-tap-vsock-debugsource
redhat-upgrade-libslirp
redhat-upgrade-libslirp-debuginfo
redhat-upgrade-libslirp-debugsource
redhat-upgrade-libslirp-devel
redhat-upgrade-netavark
redhat-upgrade-oci-seccomp-bpf-hook
redhat-upgrade-oci-seccomp-bpf-hook-debuginfo
redhat-upgrade-oci-seccomp-bpf-hook-debugsource
redhat-upgrade-podman
redhat-upgrade-podman-catatonit
redhat-upgrade-podman-catatonit-debuginfo
redhat-upgrade-podman-debuginfo
redhat-upgrade-podman-debugsource
redhat-upgrade-podman-docker
redhat-upgrade-podman-gvproxy
redhat-upgrade-podman-gvproxy-debuginfo
redhat-upgrade-podman-plugins
redhat-upgrade-podman-plugins-debuginfo
redhat-upgrade-podman-remote
redhat-upgrade-podman-remote-debuginfo
redhat-upgrade-podman-tests
redhat-upgrade-python3-criu
redhat-upgrade-python3-podman
redhat-upgrade-runc
redhat-upgrade-runc-debuginfo
redhat-upgrade-runc-debugsource
redhat-upgrade-skopeo
redhat-upgrade-skopeo-debuginfo
redhat-upgrade-skopeo-debugsource
redhat-upgrade-skopeo-tests
redhat-upgrade-slirp4netns
redhat-upgrade-slirp4netns-debuginfo
redhat-upgrade-slirp4netns-debugsource
redhat-upgrade-toolbox
redhat-upgrade-toolbox-debuginfo
redhat-upgrade-toolbox-debugsource
redhat-upgrade-toolbox-tests
redhat-upgrade-udica

References
CVE-2024-24783
RHSA-2024:2562
RHSA-2024:2724
RHSA-2024:3259
RHSA-2024:3346
RHSA-2024:5258
RHSA-2024:6186
RHSA-2024:6187
RHSA-2024:6188
RHSA-2024:6189
RHSA-2024:6194
RHSA-2024:6195
RHSA-2024:6969
-
Aruba AOS-8: CVE-2024-25612: Authenticated Remote Command Execution in the ArubaOS Command Line Interface
Severity: 8
CVSS: (AV:N/AC:L/Au:M/C:C/I:C/A:C)
Published: 03/05/2024 | Created: 01/16/2025 | Added: 01/14/2025 | Modified: 02/04/2025
Description: Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying operating system.
Solution(s): aruba-aos-8-cve-2024-25612
References: https://attackerkb.com/topics/cve-2024-25612 CVE-2024-25612 https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_2024-002.json
-
Amazon Linux 2023: CVE-2024-24786: Medium priority package update for amazon-cloudwatch-agent (Multiple Advisories)
Severity: 5
CVSS: (AV:N/AC:H/Au:N/C:N/I:N/A:C)
Published: 03/05/2024 | Created: 02/14/2025 | Added: 02/14/2025 | Modified: 02/14/2025
Description: The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. A flaw was found in Golang's protobuf module, where the unmarshal function can enter an infinite loop when processing certain invalid inputs. This issue occurs during unmarshaling into a message that includes a google.protobuf.Any or when the UnmarshalOptions.DiscardUnknown option is enabled. This flaw allows an attacker to craft malicious input tailored to trigger the identified flaw in the unmarshal function. By providing carefully constructed invalid inputs, they could potentially cause the function to enter an infinite loop, resulting in a denial of service condition or other unintended behaviors in the affected system.
Solution(s): amazon-linux-2023-upgrade-amazon-cloudwatch-agent amazon-linux-2023-upgrade-containerd amazon-linux-2023-upgrade-containerd-debuginfo amazon-linux-2023-upgrade-containerd-debugsource amazon-linux-2023-upgrade-containerd-stress amazon-linux-2023-upgrade-containerd-stress-debuginfo amazon-linux-2023-upgrade-docker amazon-linux-2023-upgrade-docker-debuginfo amazon-linux-2023-upgrade-docker-debugsource amazon-linux-2023-upgrade-nerdctl
References: https://attackerkb.com/topics/cve-2024-24786 CVE-2024-24786 https://alas.aws.amazon.com/AL2023/ALAS-2024-625.html https://alas.aws.amazon.com/AL2023/ALAS-2024-674.html https://alas.aws.amazon.com/AL2023/ALAS-2024-697.html https://alas.aws.amazon.com/AL2023/ALAS-2024-700.html
-
Amazon Linux AMI 2: CVE-2023-45290: Security patch for golang (ALAS-2024-2554)
Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 03/05/2024 | Created: 06/01/2024 | Added: 05/31/2024 | Modified: 05/31/2024
Description: When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With the fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
Solution(s): amazon-linux-ami-2-upgrade-golang amazon-linux-ami-2-upgrade-golang-bin amazon-linux-ami-2-upgrade-golang-docs amazon-linux-ami-2-upgrade-golang-misc amazon-linux-ami-2-upgrade-golang-shared amazon-linux-ami-2-upgrade-golang-src amazon-linux-ami-2-upgrade-golang-tests
References: https://attackerkb.com/topics/cve-2023-45290 AL2/ALAS-2024-2554 CVE-2023-45290
-
Amazon Linux 2023: CVE-2024-24784: Medium priority package update for golang
Severity: 5
CVSS: (AV:N/AC:L/Au:S/C:P/I:P/A:N)
Published: 03/05/2024 | Created: 02/14/2025 | Added: 02/14/2025 | Modified: 02/14/2025
Description: The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. A flaw was found in Go's net/mail standard library package. The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions made by programs using different parsers.
Solution(s): amazon-linux-2023-upgrade-golang amazon-linux-2023-upgrade-golang-bin amazon-linux-2023-upgrade-golang-docs amazon-linux-2023-upgrade-golang-misc amazon-linux-2023-upgrade-golang-shared amazon-linux-2023-upgrade-golang-src amazon-linux-2023-upgrade-golang-tests
References: https://attackerkb.com/topics/cve-2024-24784 CVE-2024-24784 https://alas.aws.amazon.com/AL2023/ALAS-2024-629.html
-
Amazon Linux 2023: CVE-2023-45289: Important priority package update for docker (Multiple Advisories)
Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 03/05/2024 | Created: 02/14/2025 | Added: 02/14/2025 | Modified: 02/14/2025
Description: When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. A flaw was found in Go's net/http/cookiejar standard library package. When following an HTTP redirect to a domain that is not a subdomain match or an exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.
Solution(s): amazon-linux-2023-upgrade-docker amazon-linux-2023-upgrade-docker-debuginfo amazon-linux-2023-upgrade-docker-debugsource amazon-linux-2023-upgrade-golang amazon-linux-2023-upgrade-golang-bin amazon-linux-2023-upgrade-golang-docs amazon-linux-2023-upgrade-golang-misc amazon-linux-2023-upgrade-golang-shared amazon-linux-2023-upgrade-golang-src amazon-linux-2023-upgrade-golang-tests
References: https://attackerkb.com/topics/cve-2023-45289 CVE-2023-45289 https://alas.aws.amazon.com/AL2023/ALAS-2024-542.html https://alas.aws.amazon.com/AL2023/ALAS-2024-629.html
-
Aruba AOS-10: CVE-2024-1356: Authenticated Remote Command Execution in the ArubaOS Command Line Interface
Severity: 8
CVSS: (AV:N/AC:L/Au:M/C:C/I:C/A:C)
Published: 03/05/2024 | Created: 01/16/2025 | Added: 01/14/2025 | Modified: 02/04/2025
Description: Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying operating system.
Solution(s): aruba-aos-10-cve-2024-1356
References: https://attackerkb.com/topics/cve-2024-1356 CVE-2024-1356 https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_2024-002.json