ISHACK AI BOT

OpenSSL vulnerability (CVE-2023-5363) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 06/06/2024 Added 06/05/2024 Modified 01/30/2025 Description Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths.This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established.Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values.The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality.For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception.However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue. Solution(s) http-openssl-3_0_12-upgrade-3_0_12 http-openssl-3_1_4-upgrade-3_1_4 References https://attackerkb.com/topics/cve-2023-5363 CVE - 2023-5363

IBM WebSphere Application Server: CVE-2023-46158: IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2023-46158) Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 10/25/2023 Created 11/15/2023 Added 11/14/2023 Modified 01/28/2025 Description IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling.IBM X-Force ID:268775. Solution(s) ibm-was-install-8-5-ph57579-liberty ibm-was-upgrade-8-5-23-0-0-11-liberty References https://attackerkb.com/topics/cve-2023-46158 CVE - 2023-46158 https://exchange.xforce.ibmcloud.com/vulnerabilities/268775 https://www.ibm.com/support/pages/node/7058356

Ubuntu: (Multiple Advisories) (CVE-2023-5730): Firefox vulnerabilities Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 10/25/2023 Created 11/01/2023 Added 11/01/2023 Modified 01/28/2025 Description Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. Solution(s) ubuntu-upgrade-firefox ubuntu-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-5730 CVE - 2023-5730 USN-6456-1 USN-6456-2 USN-6468-1

OS X update for AppleGraphicsControl (CVE-2023-42842) Severity 5 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for CoreMedia (CVE-2023-40401) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Alma Linux: CVE-2023-5574: Important: tigervnc security update (ALSA-2024-2298) Severity 7 CVSS (AV:L/AC:M/Au:S/C:C/I:C/A:C) Published 10/25/2023 Created 05/08/2024 Added 05/08/2024 Modified 01/28/2025 Description A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from a screen 1 to a screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb server, allowing for possible escalation of privileges or denial of service. Solution(s) alma-upgrade-tigervnc alma-upgrade-tigervnc-icons alma-upgrade-tigervnc-license alma-upgrade-tigervnc-selinux alma-upgrade-tigervnc-server alma-upgrade-tigervnc-server-minimal alma-upgrade-tigervnc-server-module References https://attackerkb.com/topics/cve-2023-5574 CVE - 2023-5574 https://errata.almalinux.org/9/ALSA-2024-2298.html

OS X update for System Settings (CVE-2023-32359) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Google Chrome Vulnerability: CVE-2023-5472 Use after free in Profiles Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 10/25/2023 Created 10/26/2023 Added 10/25/2023 Modified 01/28/2025 Description Use after free in Profiles in Google Chrome prior to 118.0.5993.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) Solution(s) google-chrome-upgrade-latest References https://attackerkb.com/topics/cve-2023-5472 CVE - 2023-5472 https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_24.html

OS X update for DiskArbitration (CVE-2023-42842) Severity 5 CVSS (AV:L/AC:M/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for Messages (CVE-2023-40401) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Debian: CVE-2023-5730: firefox-esr, thunderbird -- security update Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 10/25/2023 Created 10/27/2023 Added 10/27/2023 Modified 01/28/2025 Description Memory safety bugs present in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-5730 CVE - 2023-5730 DSA-5535-1

Debian: CVE-2023-5732: firefox-esr, thunderbird -- security update Severity 7 CVSS (AV:N/AC:M/Au:N/C:N/I:C/A:N) Published 10/25/2023 Created 10/27/2023 Added 10/27/2023 Modified 01/28/2025 Description An attacker could have created a malicious link using bidirectional characters to spoof the location in the address bar when visited. This vulnerability affects Firefox < 117, Firefox ESR < 115.4, and Thunderbird < 115.4.1. Solution(s) debian-upgrade-firefox-esr debian-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-5732 CVE - 2023-5732 DSA-5535-1

OS X update for Login Window (CVE-2023-42861) Severity 7 CVSS (AV:N/AC:L/Au:S/C:N/I:C/A:N) Published 10/25/2023 Created 11/01/2023 Added 10/31/2023 Modified 01/30/2025 Description A logic issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1. An attacker with knowledge of a standard user's credentials can unlock another standard user's locked screen on the same Mac. Solution(s) apple-osx-upgrade-13_6_7 apple-osx-upgrade-14_1 References https://attackerkb.com/topics/cve-2023-42861 CVE - 2023-42861 https://support.apple.com/en-us/120900 https://support.apple.com/kb/HT213984

SUSE: CVE-2023-5731: SUSE Linux Security Advisory Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 10/25/2023 Created 10/27/2023 Added 10/27/2023 Modified 01/28/2025 Description Memory safety bugs present in Firefox 118. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 119. Solution(s) suse-upgrade-mozillafirefox suse-upgrade-mozillafirefox-branding-upstream suse-upgrade-mozillafirefox-devel suse-upgrade-mozillafirefox-translations-common suse-upgrade-mozillafirefox-translations-other References https://attackerkb.com/topics/cve-2023-5731 CVE - 2023-5731

OS X update for Sandbox (CVE-2023-32359) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for Safari (CVE-2023-32359) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

OS X update for Dev Tools (CVE-2023-40401) Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 10/14/2024 Added 10/14/2024 Modified 01/28/2025 Description Deprecated Solution(s)

Oracle Linux: CVE-2023-5380: ELSA-2024-2169:xorg-x11-server security update (MODERATE) (Multiple Advisories) Severity 4 CVSS (AV:L/AC:H/Au:S/C:N/I:N/A:C) Published 10/25/2023 Created 11/25/2023 Added 11/23/2023 Modified 12/24/2024 Description A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed. Solution(s) oracle-linux-upgrade-tigervnc oracle-linux-upgrade-tigervnc-icons oracle-linux-upgrade-tigervnc-license oracle-linux-upgrade-tigervnc-selinux oracle-linux-upgrade-tigervnc-server oracle-linux-upgrade-tigervnc-server-applet oracle-linux-upgrade-tigervnc-server-minimal oracle-linux-upgrade-tigervnc-server-module oracle-linux-upgrade-xorg-x11-server-common oracle-linux-upgrade-xorg-x11-server-devel oracle-linux-upgrade-xorg-x11-server-source oracle-linux-upgrade-xorg-x11-server-xdmx oracle-linux-upgrade-xorg-x11-server-xephyr oracle-linux-upgrade-xorg-x11-server-xnest oracle-linux-upgrade-xorg-x11-server-xorg oracle-linux-upgrade-xorg-x11-server-xvfb References https://attackerkb.com/topics/cve-2023-5380 CVE - 2023-5380 ELSA-2024-2169 ELSA-2024-2995 ELSA-2024-2298 ELSA-2024-3067 ELSA-2023-7428

Huawei EulerOS: CVE-2023-5380: xorg-x11-server security update Severity 4 CVSS (AV:L/AC:M/Au:S/C:N/I:N/A:C) Published 10/25/2023 Created 01/30/2024 Added 01/29/2024 Modified 01/28/2025 Description A use-after-free flaw was found in the xorg-x11-server. An X server crash may occur in a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode) if the pointer is warped from within a window on one screen to the root window of the other screen and if the original window is destroyed followed by another window being destroyed. Solution(s) huawei-euleros-2_0_sp11-upgrade-xorg-x11-server-help References https://attackerkb.com/topics/cve-2023-5380 CVE - 2023-5380 EulerOS-SA-2024-1131

SUSE: CVE-2023-32359: SUSE Linux Security Advisory Severity 8 CVSS (AV:N/AC:L/Au:N/C:C/I:N/A:N) Published 10/25/2023 Created 11/28/2023 Added 11/27/2023 Modified 01/28/2025 Description This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 16.7.2 and iPadOS 16.7.2. A user's password may be read aloud by VoiceOver. Solution(s) suse-upgrade-libjavascriptcoregtk-4_0-18 suse-upgrade-libjavascriptcoregtk-4_0-18-32bit suse-upgrade-libjavascriptcoregtk-4_0-18-64bit suse-upgrade-libjavascriptcoregtk-4_1-0 suse-upgrade-libjavascriptcoregtk-4_1-0-32bit suse-upgrade-libjavascriptcoregtk-4_1-0-64bit suse-upgrade-libjavascriptcoregtk-6_0-1 suse-upgrade-libwebkit2gtk-4_0-37 suse-upgrade-libwebkit2gtk-4_0-37-32bit suse-upgrade-libwebkit2gtk-4_0-37-64bit suse-upgrade-libwebkit2gtk-4_1-0 suse-upgrade-libwebkit2gtk-4_1-0-32bit suse-upgrade-libwebkit2gtk-4_1-0-64bit suse-upgrade-libwebkit2gtk3-lang suse-upgrade-libwebkitgtk-6_0-4 suse-upgrade-typelib-1_0-javascriptcore-4_0 suse-upgrade-typelib-1_0-javascriptcore-4_1 suse-upgrade-typelib-1_0-javascriptcore-6_0 suse-upgrade-typelib-1_0-webkit-6_0 suse-upgrade-typelib-1_0-webkit2-4_0 suse-upgrade-typelib-1_0-webkit2-4_1 suse-upgrade-typelib-1_0-webkit2webextension-4_0 suse-upgrade-typelib-1_0-webkit2webextension-4_1 suse-upgrade-typelib-1_0-webkitwebprocessextension-6_0 suse-upgrade-webkit-jsc-4 suse-upgrade-webkit-jsc-4-1 suse-upgrade-webkit-jsc-6-0 suse-upgrade-webkit2gtk-4_0-injected-bundles suse-upgrade-webkit2gtk-4_1-injected-bundles suse-upgrade-webkit2gtk3-devel suse-upgrade-webkit2gtk3-minibrowser suse-upgrade-webkit2gtk3-soup2-devel suse-upgrade-webkit2gtk3-soup2-minibrowser suse-upgrade-webkit2gtk4-devel suse-upgrade-webkit2gtk4-minibrowser suse-upgrade-webkitgtk-4-0-lang suse-upgrade-webkitgtk-4-1-lang suse-upgrade-webkitgtk-6-0-lang suse-upgrade-webkitgtk-6_0-injected-bundles References https://attackerkb.com/topics/cve-2023-32359 CVE - 2023-32359

Amazon Linux 2023: CVE-2023-46316: Low priority package update for traceroute Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 10/25/2023 Created 02/14/2025 Added 02/14/2025 Modified 02/14/2025 Description In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scripts do not properly parse command lines. A vulnerability was found in traceroute. This security issue is caused by wrapper scripts that do not properly parse command lines. Solution(s) amazon-linux-2023-upgrade-traceroute amazon-linux-2023-upgrade-traceroute-debuginfo amazon-linux-2023-upgrade-traceroute-debugsource References https://attackerkb.com/topics/cve-2023-46316 CVE - 2023-46316 https://alas.aws.amazon.com/AL2023/ALAS-2023-452.html

Gentoo Linux: CVE-2023-42852: WebKitGTK+: Multiple Vulnerabilities Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 10/25/2023 Created 02/02/2024 Added 02/01/2024 Modified 01/28/2025 Description A logic issue was addressed with improved checks. This issue is fixed in iOS 17.1 and iPadOS 17.1, watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, macOS Sonoma 14.1, Safari 17.1, tvOS 17.1. Processing web content may lead to arbitrary code execution. Solution(s) gentoo-linux-upgrade-net-libs-webkit-gtk References https://attackerkb.com/topics/cve-2023-42852 CVE - 2023-42852 202401-33

Alma Linux: CVE-2023-5728: Important: firefox security update (Multiple Advisories) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 10/25/2023 Created 11/07/2023 Added 11/06/2023 Modified 01/28/2025 Description During garbage collection extra operations were performed on a object that should not be. This could have led to a potentially exploitable crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. Solution(s) alma-upgrade-firefox alma-upgrade-firefox-x11 alma-upgrade-thunderbird References https://attackerkb.com/topics/cve-2023-5728 CVE - 2023-5728 https://errata.almalinux.org/8/ALSA-2023-6187.html https://errata.almalinux.org/8/ALSA-2023-6194.html https://errata.almalinux.org/9/ALSA-2023-6188.html https://errata.almalinux.org/9/ALSA-2023-6191.html

CentOS Linux: CVE-2023-5724: Important: firefox security update (CESA-2023:6162) Severity 8 CVSS (AV:N/AC:L/Au:N/C:N/I:N/A:C) Published 10/25/2023 Created 11/01/2023 Added 11/01/2023 Modified 01/28/2025 Description Drivers are not always robust to extremely large draw calls and in some cases this scenario could have led to a crash. This vulnerability affects Firefox < 119, Firefox ESR < 115.4, and Thunderbird < 115.4.1. Solution(s) centos-upgrade-firefox centos-upgrade-firefox-debuginfo References CVE-2023-5724

OS X update for WebKit (CVE-2023-40447) Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 10/25/2023 Created 11/01/2023 Added 10/31/2023 Modified 01/28/2025 Description The issue was addressed with improved memory handling. This issue is fixed in iOS 17.1 and iPadOS 17.1, watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, macOS Sonoma 14.1, Safari 17.1, tvOS 17.1. Processing web content may lead to arbitrary code execution. Solution(s) apple-osx-upgrade-14_1 References https://attackerkb.com/topics/cve-2023-40447 CVE - 2023-40447 https://support.apple.com/kb/HT213984