Red Hat Security Advisory 2023-7711-03 - An update for apr is now available for Red Hat Enterprise Linux 9. Issues addressed include an integer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7711.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: apr security updateAdvisory ID:        RHSA-2023:7711-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7711Issue date:         2023-12-11Revision:           03CVE Names:          CVE-2022-24963====================================================================Summary: An update for apr is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and other projects. It provides a free library of C data structures and routines.Security Fix(es):* apr: integer overflow/wraparound in apr_encode (CVE-2022-24963)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2022-24963References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2169465

Red Hat Security Advisory 2023-7711-03

The next parameter in the /accounts/login endpoint of Seafile 9.0.6 allows attackers to redirect users to arbitrary sites.

CVE-2023-28874: Seafile Community Edition - Seafile Admin Manual

Red Hat Security Advisory 2023-7705-03 - Red Hat Build of Apache Camel for Quarkus 2.13.3 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7705.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Build of Apache Camel for Quarkus 2.13.3 security update (RHBQ 2.13.9.Final)  
Advisory ID:        RHSA-2023:7705-03  
Product:            Red Hat Integration  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7705  
Issue date:         2023-12-07  
Revision:           03  
CVE Names:            
====================================================================

Summary: 

Red Hat Build of Apache Camel for Quarkus 2.13.3 release and security update is now available (updates to RHBQ 2.13.9.Final).  The purpose of this text-only errata is to inform you about the security issues fixed.

 Red Hat Product Security has rated this update as having an impact of Important.  
 A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

A security update for Red Hat Build of Apache Camel for Quarkus 2.13.3 is now available (updates to RHBQ 2.13.9.Final).  The purpose of this text-only errata is to inform you about the security issues fixed.  
 Red Hat Product Security has rated this update as having an impact of Important.

 A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

 Security Fix(es):

  * CVE-2023-5072 JSON-java: parser confusion leads to OOM  
   * CVE-2023-39410 avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK  
   * CVE-2023-35887 sshd-common: apache-mina-sshd: information exposure in SFTP server implementations  
   * CVE-2023-34462 netty: SniHandler 16MB allocation leads to OOM  
   * CVE-2023-34455 snappy-java: Unchecked chunk length leads to DoS

Solution:

CVEs:

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/cve/CVE-2023-5072  
https://bugzilla.redhat.com/show_bug.cgi?id=2215445  
https://bugzilla.redhat.com/show_bug.cgi?id=2216888  
https://bugzilla.redhat.com/show_bug.cgi?id=2240036  
https://bugzilla.redhat.com/show_bug.cgi?id=2242521  
https://bugzilla.redhat.com/show_bug.cgi?id=2246417

Red Hat Security Advisory 2023-7705-03

Red Hat Security Advisory 2023-7626-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 2 is now available. Issues addressed include buffer overflow, denial of service, information leakage, and integer overflow vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7626.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP2 security updateAdvisory ID:        RHSA-2023:7626-03Product:            Red Hat JBoss Core ServicesAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7626Issue date:         2023-12-07Revision:           03CVE Names:          CVE-2023-0464====================================================================Summary: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 2 is now available.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience.This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 2 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 1, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References section.Security Fix(es):* curl: a heap based buffer overflow in the SOCKS5 proxy handshake (CVE-2023-38545)* curl: out of heap memory issue due to missing limit on header quantity (CVE-2023-38039)* curl: cookie injection with none file (CVE-2023-38546)* jbcs-httpd24-mod_jk: httpd: Apache Tomcat Connectors (mod_jk) Information Disclosure (CVE-2023-41081)* jbcs-httpd24-openssl: OpenSSL: Excessive time spent checking DH q parameter value (CVE-2023-3817)* libxml2: crafted xml can cause global buffer overflow (CVE-2023-39615)* mod_http2: reset requests exhaust memory (incomplete fix of CVE-2023-44487) (CVE-2023-45802)* openssl: Excessive time spent checking DH keys and parameters (CVE-2023-3446)* openssl: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465)* openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)* openssl: Denial of service by excessive resource usage in verifying X509 policy constraints (CVE-2023-0464)* openssl: Certificate policy check not enabled (CVE-2023-0466)* zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6 (CVE-2023-45853)A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-0464References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2181082https://bugzilla.redhat.com/show_bug.cgi?id=2182561https://bugzilla.redhat.com/show_bug.cgi?id=2182565https://bugzilla.redhat.com/show_bug.cgi?id=2207947https://bugzilla.redhat.com/show_bug.cgi?id=2224962https://bugzilla.redhat.com/show_bug.cgi?id=2227852https://bugzilla.redhat.com/show_bug.cgi?id=2235864https://bugzilla.redhat.com/show_bug.cgi?id=2238847https://bugzilla.redhat.com/show_bug.cgi?id=2239135https://bugzilla.redhat.com/show_bug.cgi?id=2241933https://bugzilla.redhat.com/show_bug.cgi?id=2241938https://bugzilla.redhat.com/show_bug.cgi?id=2243877https://bugzilla.redhat.com/show_bug.cgi?id=2244556

Red Hat Security Advisory 2023-7626-03

Red Hat Security Advisory 2023-7625-03 - An update is now available for Red Hat JBoss Core Services. Issues addressed include buffer overflow, denial of service, and information leakage vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7625.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP2 security updateAdvisory ID:        RHSA-2023:7625-03Product:            Red Hat JBoss Core ServicesAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7625Issue date:         2023-12-07Revision:           03CVE Names:          CVE-2023-0464====================================================================Summary: An update is now available for Red Hat JBoss Core Services.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update experience.This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 2 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 1, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References section.Security Fix(es):* curl: a heap based buffer overflow in the SOCKS5 proxy handshake (CVE-2023-38545)* curl: out of heap memory issue due to missing limit on header quantity (CVE-2023-38039)* curl: cookie injection with none file (CVE-2023-38546)* jbcs-httpd24-mod_jk: httpd: Apache Tomcat Connectors (mod_jk) Information Disclosure (CVE-2023-41081)* jbcs-httpd24-openssl: OpenSSL: Excessive time spent checking DH q parameter value (CVE-2023-3817)* mod_http2: reset requests exhaust memory (incomplete fix of CVE-2023-44487) (CVE-2023-45802)* openssl: Excessive time spent checking DH keys and parameters (CVE-2023-3446)* openssl: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465)* openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)* openssl: Denial of service by excessive resource usage in verifying X509 policy constraints (CVE-2023-0464)* openssl: Certificate policy check not enabled (CVE-2023-0466)A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-0464References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2181082https://bugzilla.redhat.com/show_bug.cgi?id=2182561https://bugzilla.redhat.com/show_bug.cgi?id=2182565https://bugzilla.redhat.com/show_bug.cgi?id=2207947https://bugzilla.redhat.com/show_bug.cgi?id=2224962https://bugzilla.redhat.com/show_bug.cgi?id=2227852https://bugzilla.redhat.com/show_bug.cgi?id=2238847https://bugzilla.redhat.com/show_bug.cgi?id=2239135https://bugzilla.redhat.com/show_bug.cgi?id=2241933https://bugzilla.redhat.com/show_bug.cgi?id=2241938https://bugzilla.redhat.com/show_bug.cgi?id=2243877

Red Hat Security Advisory 2023-7625-03

Red Hat Security Advisory 2023-7623-03 - Red Hat JBoss Web Server 5.7.7 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include denial of service and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7623.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat JBoss Web Server 5.7.7 release and security updateAdvisory ID:        RHSA-2023:7623-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7623Issue date:         2023-12-07Revision:           03CVE Names:          CVE-2023-0464====================================================================Summary: Red Hat JBoss Web Server 5.7.7 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.7.7 serves as a replacement for Red Hat JBoss Web Server 5.7.6. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* jbcs-httpd24-openssl: OpenSSL: Excessive time spent checking DH q parametervalue (CVE-2023-3817)* openssl: Excessive time spent checking DH keys and parameters (CVE-2023-3446)* openssl: Certificate policy check not enabled (CVE-2023-0466)* openssl: Invalid certificate policies in leaf certificates are silentlyignored (CVE-2023-0465)* openssl: Denial of service by excessive resource usage in verifying X509policy constraints (CVE-2023-0464)* tomcat: FileUpload: DoS due to accumulation of temporary files on Windows(CVE-2023-42794)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)* openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-0464References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2181082https://bugzilla.redhat.com/show_bug.cgi?id=2182561https://bugzilla.redhat.com/show_bug.cgi?id=2182565https://bugzilla.redhat.com/show_bug.cgi?id=2207947https://bugzilla.redhat.com/show_bug.cgi?id=2224962https://bugzilla.redhat.com/show_bug.cgi?id=2227852https://bugzilla.redhat.com/show_bug.cgi?id=2235370

Red Hat Security Advisory 2023-7623-03

Red Hat Security Advisory 2023-7622-03 - An update is now available for Red Hat JBoss Web Server 5.7.7 on Red Hat Enterprise Linux versions 7, 8, and 9. Issues addressed include denial of service and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7622.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat JBoss Web Server 5.7.7 release and security updateAdvisory ID:        RHSA-2023:7622-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7622Issue date:         2023-12-07Revision:           03CVE Names:          CVE-2023-0464====================================================================Summary: An update is now available for Red Hat JBoss Web Server 5.7.7 on Red Hat Enterprise Linux versions 7, 8, and 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 5.7.7 serves as a replacement for Red Hat JBoss Web Server 5.7.6. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* jbcs-httpd24-openssl: OpenSSL: Excessive time spent checking DH q parameter value (CVE-2023-3817)* openssl: Excessive time spent checking DH keys and parameters (CVE-2023-3446)* openssl: Certificate policy check not enabled (CVE-2023-0466)* openssl: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465)* openssl: Denial of service by excessive resource usage in verifying X509 policy constraints (CVE-2023-0464)* openssl: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-0464References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2181082https://bugzilla.redhat.com/show_bug.cgi?id=2182561https://bugzilla.redhat.com/show_bug.cgi?id=2182565https://bugzilla.redhat.com/show_bug.cgi?id=2207947https://bugzilla.redhat.com/show_bug.cgi?id=2224962https://bugzilla.redhat.com/show_bug.cgi?id=2227852https://bugzilla.redhat.com/show_bug.cgi?id=2235370

Red Hat Security Advisory 2023-7622-03

By Deeba Ahmed
Discovered by the cybersecurity researchers at Group-IB; the new Linux RAT, dubbed Krasue, is targeting telecom firms in Thailand.
This is a post from HackRead.com Read the original post: New XorDdos-Linked Linux RAT Krasue Targeting Telecom Firms

The Krasue Linux RAT is quite sophisticated, and equipped with the capability to evade detection through Rootkit and RTSP communication.

Group-IB, a leading cybersecurity company, has uncovered a sophisticated new Linux RAT (Remote Access Trojan) they have dubbed “Krasue.” The malware is actively targeting organizations, mainly telecommunication firms, in Thailand and has been active since 2021.

GroupIB’s Threat Intelligence unit researchers found that Krause operates by gaining access to the targeted network and uses its rootkit capabilities to maintain persistence and ensure stealthy access.

The researchers are still investigating the initial infection vector and the full scale of the RAT’s usage. However, they believe that potential methods include vulnerability exploitation, deceptive downloads, and credential brute force attacks.

A notable feature of Krause is that it uses the Real Time Streaming Protocol (RTSP) for communication with its C2 server. This is an unusual tactic and is most likely used to evade detection by security software.

Profile of Krasue RAT (Credit: Group-IB)

Report author Sharmine Low, Group-IB’s Malware Analyst, wrote that Krause is named after a nocturnal spirit mentioned in Southeast Asian folklore. It lets cybercriminals remotely access and control compromised systems and remain undetected for a significant period.

Krasue uses multiple embedded rootkits to ensure compatibility with different Linux kernel versions. Interestingly, as with several other Linux rootkits, Krasue’s rootkit draws its functionalities from publicly available sources, specifically incorporating code from three open-source Linux Kernel Module rootkits.

This embedded rootkit can hook key system calls like kill(), network-related functions, and file listing operations to effectively mask its presence and evade detection. Researchers believe that this RAT was created by the same person who developed the XorDdos Linux Trojan or someone who has access to its source code.

Benyatip Hongto, Group-IB’s Business Development Manager in Thailand, highlighted the company’s commitment and proactive efforts to fighting cybercrime, including the planned opening of a Digital Crime Resistance Center in Thailand and their partnership with leading cybersecurity distributor nForce.

Upon discovering Krause, Group-IB researchers promptly notified their Threat Intelligence customers and published a report with YARA rules, which was shared with Thai authorities including ThaiCERT and TTC-CERT.

This revelation underscores the ever-looming threat of cyber risks and the need for strong cybersecurity measures. Organizations must be aware of threats like Krause and implement suitable security measures like strict access control, regular patching, and advanced threat detection solutions.

****_RELATED ARTICLES_****

1.  **New Cylance Ransomware Targets Linux and Windows**
2.  **Patched OpenSSH Exploited for IoT, Linux Cryptomining**
3.  **Free Download Manager Site Pushed Linux Password Stealer**
4.  **Kinsing Crypto Malware Hits Linux Systems via Apache Flaw**
5.  **Hamas Targeting Israelis with New BiBi-Linux Wiper Malware**

New XorDdos-Linked Linux RAT Krasue Targeting Telecom Firms

Red Hat Security Advisory 2023-7678-03 - Red Hat AMQ Streams 2.6.0 is now available from the Red Hat Customer Portal. Issues addressed include XML injection, bypass, and open redirection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7678.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat AMQ Streams 2.6.0 release and security update  
Advisory ID:        RHSA-2023:7678-03  
Product:            Red Hat JBoss AMQ  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7678  
Issue date:         2023-12-07  
Revision:           03  
CVE Names:          CVE-2022-46751  
====================================================================

Summary: 

Red Hat AMQ Streams 2.6.0 is now available from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. 

This release of Red Hat AMQ Streams 2.6.0 serves as a replacement for Red Hat AMQ Streams 2.5.1, and includes security and bug fixes, and enhancements.

Security Fix(es):

* JSON-java: parser confusion leads to OOM (CVE-2023-5072)

* spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry (CVE-2023-20873)

* zookeeper: Authorization Bypass in Apache ZooKeeper (CVE-2023-44981)

* apache-ivy: XML External Entity vulnerability (CVE-2022-46751)

* guava: insecure temporary directory creation (CVE-2023-2976)

* jose4j: Insecure iteration count setting (CVE-2023-31582)

* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)

* jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)

* gradle: Possible local text file exfiltration by XML External entity injection (CVE-2023-42445)

* gradle: Incorrect permission assignment for symlinked files used in copy or archiving operations (CVE-2023-44387)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

CVEs:

CVE-2022-46751

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.6.0  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2215465  
https://bugzilla.redhat.com/show_bug.cgi?id=2231491  
https://bugzilla.redhat.com/show_bug.cgi?id=2233112  
https://bugzilla.redhat.com/show_bug.cgi?id=2235370  
https://bugzilla.redhat.com/show_bug.cgi?id=2239634  
https://bugzilla.redhat.com/show_bug.cgi?id=2242485  
https://bugzilla.redhat.com/show_bug.cgi?id=2242538  
https://bugzilla.redhat.com/show_bug.cgi?id=2243436  
https://bugzilla.redhat.com/show_bug.cgi?id=2246370  
https://bugzilla.redhat.com/show_bug.cgi?id=2246417

Red Hat Security Advisory 2023-7678-03

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.


**Apache Struts vulnerable to path traversal**

Moderate severity GitHub Reviewed Published Dec 7, 2023 to the GitHub Advisory Database • Updated Dec 7, 2023

Tag

#apache