Denial of Service in GitHub repository gpac/gpac prior to 2.3.0-DEV.

Expand Up @@ -1027,7 +1027,7 @@ static GF\_Err mp4\_mux\_setup\_pid(GF\_Filter \*filter, GF\_FilterPid \*pid, Bool is\_tr gf\_filter\_pid\_set\_property(ctx\->opid, GF\_PROP\_PID\_STREAM\_TYPE, &PROP\_UINT(GF\_STREAM\_FILE) );  
mux\_assign\_mime\_file\_ext(pid, ctx\->opid, ISOM\_FILE\_EXT, ISOM\_FILE\_MIME, NULL);  
gf\_filter\_pid\_set\_property(ctx\->opid, GF\_PROP\_PID\_DASH\_MODE, NULL); //we dispatch timing in milliseconds gf\_filter\_pid\_set\_property(ctx\->opid, GF\_PROP\_PID\_TIMESCALE, &PROP\_UINT(1000)); Expand Down Expand Up @@ -1080,7 +1080,7 @@ static GF\_Err mp4\_mux\_setup\_pid(GF\_Filter \*filter, GF\_FilterPid \*pid, Bool is\_tr GF\_FilterEvent evt; GF\_SAFEALLOC(tkw, TrackWriter); if (!tkw) return GF\_OUT\_OF\_MEM;  
gf\_list\_add(ctx\->tracks, tkw); tkw\->ipid \= pid; tkw\->fake\_track \= !is\_true\_pid; Expand Down Expand Up @@ -2615,7 +2615,7 @@ static GF\_Err mp4\_mux\_setup\_pid(GF\_Filter \*filter, GF\_FilterPid \*pid, Bool is\_tr return e; } }  
if (xps\_inband) { //this will cleanup all PS in avcC / svcC gf\_isom\_avc\_set\_inband\_config(ctx\->file, tkw\->track\_num, tkw\->stsd\_idx, (xps\_inband\==XPS\_IB\_BOTH) ? GF\_TRUE : GF\_FALSE); Expand Down Expand Up @@ -3213,7 +3213,7 @@ static GF\_Err mp4\_mux\_setup\_pid(GF\_Filter \*filter, GF\_FilterPid \*pid, Bool is\_tr GF\_LOG(GF\_LOG\_WARNING, GF\_LOG\_CONTAINER, ("\[MP4Mux\] muxing unknown codec ID %s, using generic sample entry with 4CC \\"%s\\"\\n", gf\_codecid\_name(codec\_id), gf\_4cc\_to\_str(m\_subtype) )); } }  
e \= gf\_isom\_new\_generic\_sample\_description(ctx\->file, tkw\->track\_num, (char \*)src\_url, NULL, &udesc, &tkw\->stsd\_idx); if (gpac\_meta\_dsi) gf\_free(gpac\_meta\_dsi);  
Expand Down Expand Up @@ -3762,7 +3762,7 @@ static GF\_Err mp4\_mux\_setup\_pid(GF\_Filter \*filter, GF\_FilterPid \*pid, Bool is\_tr if (add\_chap) { gf\_isom\_add\_chapter(ctx\->file, 0, start\_time, p2\->value.string\_list.vals\[j\]); } if (add\_tk) { if (add\_tk && p2\->value.string\_list.vals\[j\]) { GF\_TextSample tx; memset(&tx, 0, sizeof(tx)); tx.text \= p2\->value.string\_list.vals\[j\]; Expand Down Expand Up @@ -4363,7 +4363,7 @@ static GF\_Err mp4\_mux\_cenc\_update(GF\_MP4MuxCtx \*ctx, TrackWriter \*tkw, GF\_Filter tkw\->has\_seig \= GF\_TRUE; } } else {  
e \= GF\_OK; //multikey ALWAYS uses seig if (tkw\->cenc\_ki\->value.data.ptr\[0\]) Expand Down Expand Up @@ -5014,7 +5014,7 @@ static GF\_Err mp4\_mux\_process\_sample(GF\_MP4MuxCtx \*ctx, TrackWriter \*tkw, GF\_Fil tkw\->gdr\_type \= sap\_type; } }  
subs \= gf\_filter\_pck\_get\_property(pck, GF\_PROP\_PCK\_SUBS); if (subs) { //if no AUDelim nal and inband header injection, push new subsample Expand Down Expand Up @@ -7107,7 +7107,7 @@ static void mp4\_mux\_config\_timing(GF\_MP4MuxCtx \*ctx) if (blocking\_refs && has\_ready) { GF\_LOG(GF\_LOG\_WARNING, GF\_LOG\_CONTAINER, ("\[MP4Mux\] Blocking input packets present, aborting initial timing sync\\n")); } //this may be quite long until we have a packet in case input pid is video encoding //this may be quite long until we have a packet in case input pid is video encoding else if (ctx\->config\_retry\_start && (gf\_sys\_clock() \- ctx\->config\_retry\_start \> 10000)) { GF\_LOG(GF\_LOG\_WARNING, GF\_LOG\_CONTAINER, ("\[MP4Mux\] No input packets present on one or more inputs for more than 10s, aborting initial timing sync\\n")); } else { Expand Down Expand Up @@ -7908,7 +7908,7 @@ static GF\_Err mp4\_mux\_done(GF\_MP4MuxCtx \*ctx, Bool is\_final) }  
gf\_isom\_purge\_track\_reference(ctx\->file, tkw\->track\_num);  
if (ctx\->importer && ctx\->dur.num && ctx\->dur.den) { u64 mdur \= gf\_isom\_get\_media\_duration(ctx\->file, tkw\->track\_num); u64 pdur \= gf\_isom\_get\_track\_duration(ctx\->file, tkw\->track\_num); Expand Down Expand Up @@ -8392,4 +8392,3 @@ const GF\_FilterRegister \*mp4mx\_register(GF\_FilterSession \*session) return NULL; } #endif // GPAC\_DISABLE\_ISOM\_WRITE

CVE-2023-5595: fixes #2633 - 3 segv + memleak · gpac/gpac@7a6f636

IBM Security Verify Governance 10.0 could allow a privileged use to upload arbitrary files due to improper file validation.  IBM X-Force ID:  259382.

  

**Summary**

IBM Security Verify Governance - Identity Manager (Virtual Appliance) is vulnerable to arbitrary file upload, escalation of privileges, and sensitive information leak. These issues have been addressed in this update.

**Vulnerability Details**

**CVEID:**   CVE-2023-35903  
**DESCRIPTION:**   IBM Security Verify Governance could allow a privileged use to upload arbitrary files due to improper file validation.  
CVSS Base score: 3.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259382 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L)

**CVEID:**   CVE-2023-35018  
**DESCRIPTION:**   IBM Security Verify Governance, Identity Manager could allow a local user to escalate their privileges due to improper access controls.  
CVSS Base score: 7.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257779 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-35013  
**DESCRIPTION:**   IBM Security Verify Governance, Identity Manager could allow a local privileged user to obtain sensitive information from source code.  
CVSS Base score: 2.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257769 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

**IBM X-Force ID:**   220945  
**DESCRIPTION:**   Node.js utile module could allow a remote attacker to obtain sensitive information, caused by an uninitialized buffer allocation issue. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information from uninitialized memory or to cause a denial of service condition.  
CVSS Base score: 9.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220945 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Security Verify Governance  -  
Identity Manager virtual appliance component

All prior to 10.0.2 Fixpack 0

**Remediation/Fixes**

**IBM recommends customers update their systems promptly by downloading the following release:**

**Affected Product(s)**

**Version(s)**

**Fix Availability**

IBM Security Verify Governance -  
Identity Manager virtual appliance component

10.0.2

10.0.2.0-ISS-ISVG-IMVA-FP0000

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

John Zuccato, Rodney Ryan, Chris Shepherd, Vince Dragnea, Troy Fisher, Gabor Minyo, Geoffrey Owden, Ben Goodspeed, Dawid Bak, and Marcin Bortkiewicz from the IBM Security Ethical Hacking Team.

**Change History**

11 Oct 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBM27","label":"IBM Security Verify Governance"},"Component":"","Platform":\[{"code":"PF004","label":"Appliance"}\],"Version":"10.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2023-35018: Security Bulletin: IBM Security Verify Governance

IBM QRadar SIEM 7.5.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  IBM X-Force ID:  254138

**CVEID:**   CVE-2023-34981  
**DESCRIPTION:**   Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by a flaw when a response did not have any HTTP headers set. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258638 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-25147  
**DESCRIPTION:**   Apache Portable Runtime (APR) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the apr\_base64 functions. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246064 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2020-13956  
**DESCRIPTION:**   Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189572 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21830  
**DESCRIPTION:**   An unspecified vulnerability in Java SE related to the Serialization component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245038 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21843  
**DESCRIPTION:**   An unspecified vulnerability in Java SE related to the Sound component could allow a remote attacker to cause a denial of service resulting in a low integrity impact using unknown attack vectors.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245037 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2022-3564  
**DESCRIPTION:**   A use-after-free in the function l2cap\_reassemble\_sdu of the file net/bluetooth/l2cap\_core.c of the component Bluetooth in Linux Kernel could allow a remote authenticated attacker from within the local network to cause an unknown impact.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238741 for the current score.  
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2023-32067  
**DESCRIPTION:**   c-ares is vulnerable to a denial of service. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255936 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-33201  
**DESCRIPTION:**   The Bouncy Castle Crypto Package For Java (bc-java) could allow a remote attacker to obtain sensitive information, caused by not validating the X.500 name of any certificate in the implementation of the X509LDAPCertStoreSpi.java class. By using blind LDAP injection attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.  
CVSS Base score: 7.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258653 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

**CVEID:**   CVE-2023-28709  
**DESCRIPTION:**   Apache Tomcat is vulnerable to a denial of service, caused by an incomplete fix for CVE-2023-24998 related to the failure to limit the number of request parts to be processed in the file upload function. By sending a specially crafted request using query string parameters, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255893 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-30441  
**DESCRIPTION:**   IBM Runtime Environment, Java Technology Edition IBMJCEPlus and JSSE 8.0.7.0 through 8.0.7.11 components could expose sensitive information using a combination of flaws and configurations. IBM X-Force ID: 253188.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253188 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-40367  
**DESCRIPTION:**   IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 4.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/263376 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

**CVEID:**   CVE-2016-1000027  
**DESCRIPTION:**   Pivota Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw in the library. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/174367 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-34455  
**DESCRIPTION:**   snappy-java is vulnerable to a denial of service, caused by the use of an unchecked chunk length in the hasNextChunk function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258190 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-34454  
**DESCRIPTION:**   snappy-java is vulnerable to a denial of service, caused by an integer overflow in the compress function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258188 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-34453  
**DESCRIPTION:**   snappy-java is vulnerable to a denial of service, caused by an integer overflow in the shuffle function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258186 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-40609  
**DESCRIPTION:**   IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236069 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-48339  
**DESCRIPTION:**   GNU Emacs could allow a local attacker to execute arbitrary commands on the system, caused by a flaw in the hfy-istext-command function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.  
CVSS Base score: 8.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248054 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-35116  
**DESCRIPTION:**   Fasterxml jackson-databind is vulnerable to a denial of service, caused by a stack-based overflow. By persuading a victim to open a specially crafted content, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258157 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-20867  
**DESCRIPTION:**   VMware Tools could allow a local authenticated attacker to bypass security restrictions, caused by the failure to authenticate host-to-guest operations in the vgauth module. An attacker could exploit this vulnerability using a fully compromised ESXi host to bypass authentication and obtain access to the guest virtual machine.  
CVSS Base score: 3.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257845 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N)

**CVEID:**   CVE-2022-21426  
**DESCRIPTION:**   An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224714 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-26048  
**DESCRIPTION:**   Eclipse Jetty is vulnerable to a denial of service, caused by an out of memory flaw in the HttpServletRequest.getParameter() or HttpServletRequest.getParts() function. By sending a specially crafted multipart request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253356 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:**   CVE-2023-26049  
**DESCRIPTION:**   Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing. By sending a specially crafted request to tamper with the cookie parsing mechanism, an attacker could exploit this vulnerability to obtain values from other cookies, and use this information to launch further attacks against the affected system.  
CVSS Base score: 4.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253355 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-30994  
**DESCRIPTION:**   IBM QRadar SIEM uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/254138 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-38408  
**DESCRIPTION:**   OpenSSH could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the forwarded ssh-agent. By sending specially crafted requests, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 8.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261022 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-2828  
**DESCRIPTION:**   ISC BIND is vulnerable to a denial of service, caused by a flaw that allows the named's configured cache size limit to be significantly exceeded. By querying the resolver for specific RRsets in a certain order, a remote attacker could exploit this vulnerability to exhaust all memory on the host.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258607 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-34149  
**DESCRIPTION:**   Apache Struts is vulnerable to a denial of service, caused by a flaw with only handling setProperty() but not getProperty(). By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257947 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-25652  
**DESCRIPTION:**   Git could allow a remote attacker to bypass security restrictions. By feeding specially crafted input to \`git apply --reject, an attacker could exploit this vulnerability to overwrite a path outside the working tree.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253693 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-29007  
**DESCRIPTION:**   Git could provide weaker than expected security, caused by a configuration injection flaw. A remote attacker could exploit this vulnerability to launch further attacks on the system.  
CVSS Base score: 7.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253700 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:**   CVE-2023-32697  
**DESCRIPTION:**   SQLite JDBC could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw when JDBC url is attacker controlled. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 8.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256159 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-21930  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause high confidentiality impact and high integrity impact.  
CVSS Base score: 7.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253115 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID:**   CVE-2023-21967  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow a remote attacker to cause high availability impact.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253156 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-21954  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Hotspot component could allow a remote attacker to cause high confidentiality impact.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253166 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-21939  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Swing component could allow a remote attacker to cause integrity impact.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253168 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21968  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE and GraalVM Enterprise Edition related to the Libraries component could allow an unauthenticated attacker to cause low integrity impact.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253083 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21937  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Networking component could allow a remote attacker to cause integrity impact.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253167 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-21938  
**DESCRIPTION:**   An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Libraries component could allow a remote attacker to cause integrity impact.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253155 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:**   CVE-2023-2597  
**DESCRIPTION:**   Eclipse Openj9 is vulnerable to a buffer overflow, caused by improper bounds checking by the getCachedUTFString() function. By using specially crafted input, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system.  
CVSS Base score: 7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255906 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-2976  
**DESCRIPTION:**   Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with using Java's default temporary directory for file creation in FileBackedOutputStream. By sending a specially crafted request, an attacker could exploit this vulnerability to access the files in the default Java temporary directory, and use this information to launch further attacks against the affected system.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258199 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2023-34396  
**DESCRIPTION:**   Apache Struts is vulnerable to a denial of service, caused by a flaw when processing Multipart request containing non-file normal form fields. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257946 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVE-2023-30994: Security Bulletin: IBM QRadar SIEM includes components with known vulnerabilities

IBM App Connect Enterprise 11.0.0.1 through 11.0.0.23, 12.0.1.0 through 12.0.10.0 and IBM Integration Bus 10.1 through 10.1.0.1 are vulnerable to a denial of service for integration nodes on Windows.  IBM X-Force ID:  247998.

CVE-2023-45176: IBM App Connect Enterprise and IBM Integration Bus denial of service CVE-2023-45176 Vulnerability Report

IBM Security Verify Access OIDC Provider could allow a remote user to cause a denial of service due to uncontrolled resource consumption.  IBM X-Force ID:  238921.

CVE-2022-43740: IBM Security Verify Access denial of service CVE-2022-43740 Vulnerability Report

IBM Security Directory Server 6.4.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.  IBM X-Force ID:  228582.

**Security Bulletin**

  

**Summary**

Several vulnerabilities have been addressed in IBM Security Directory Server, IBM Security Directory Suite, and IBM Security Verify Directory products.

**Vulnerability Details**

**CVEID:**   CVE-2022-33164  
**DESCRIPTION:**   IBM Security Directory Server 7.2.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view or write to arbitrary files on the system. IBM X-Force ID: 228579.  
CVSS Base score: 8.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228579 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H)

**CVEID:**   CVE-2022-33161  
**DESCRIPTION:**   IBM Security Directory Server could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228569 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-32755  
**DESCRIPTION:**   IBM Security Directory Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228505 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H)

**CVEID:**   CVE-2022-33168  
**DESCRIPTION:**   IBM Security Directory Suite VA 8.0.1 could allow an attacker to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 228588.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228588 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Security Directory Server

6.4.0

IBM Security Directory Suite

8.0.1

IBM Security Verify Directory

10.0.0

**Remediation/Fixes**

**IBM encourages customers to update their systems promptly.**

For IBM Security Verify Directory 10.0 containers refer to the download links listed in the Images link.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

John Zuccato, Rodney Ryan, Chris Shepherd, Nathan Roane, Vince Dragnea, Troy Fisher, Gabor Minyo, Geoffrey Owden, and Ben Goodspeed from the IBM Security Ethical Hacking Team.

**Change History**

05 Oct 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SS3Q78","label":"IBM Security Directory Suite"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"8.0.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSEP7NB","label":"IBM Security Verify Directory"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"10.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSVJJU","label":"IBM Security Directory Server"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"6.4.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2022-33165: IBM Security Verify Directory products have multiple security vulnerabilities (CVE-2022-33164, CVE-2022-33168, CVE-2022-33161, CVE-2022-32755)

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows.

**Summary**

I spotted two instances of user input with unchecked length at the following locations in the Zephyr WiFi shell module source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/net/l2/wifi/wifi\_shell.c#L334-L335  
https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/net/l2/wifi/wifi\_shell.c#L355-L356

**Details**

Unchecked user input length in /subsys/net/l2/wifi/wifi\_shell.c:

static int \_\_wifi\_args\_to\_params(size\_t argc, char \*argv\[\],
				struct wifi\_connect\_req\_params \*params)
{
	char \*endptr;
	int idx \= 1;

	if (argc < 1) {
		return \-EINVAL;
	}

	/\* SSID \*/
	params\->ssid \= argv\[0\]; /\* VULN: unchecked length (should be max 32) \*/
	params\->ssid\_length \= strlen(params\->ssid);

	/\* Channel (optional) \*/
	if ((idx < argc) && (strlen(argv\[idx\]) <= 3)) {
...

	/\* PSK (optional) \*/
	if (idx < argc) {
		params\->psk \= argv\[idx\]; /\* VULN: unchecked length (should be min 8, max 64) \*/
		params\->psk\_length \= strlen(argv\[idx\]);
		/\* Defaults \*/
		params\->security \= WIFI\_SECURITY\_TYPE\_PSK;
		params\->mfp \= WIFI\_MFP\_OPTIONAL;
		idx++;

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

The unchecked inputs may cause buffer overflows in other locations, the impact of which could range from denial of service to arbitrary code execution.

**Patches**

This has been fixed in:

*   main (v3.5 development cycle) #60537
*   3.4 #61383

CVE-2023-4257: Unchecked user input length in the Zephyr WiFi shell module

Potential buffer overflow vulnerability in the Zephyr IEEE 802.15.4 nRF 15.4 driver

**Summary**

I spotted a potential buffer overflow vulnerability at the following location in the Zephyr IEEE 802.15.4 driver source code:  
https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/ieee802154/ieee802154\_nrf5.c#L583

**Details**

Potential buffer overflow in drivers/ieee802154/ieee802154\_nrf5.c:

static int nrf5\_tx(const struct device \*dev,
		   enum ieee802154\_tx\_mode mode,
		   struct net\_pkt \*pkt,
		   struct net\_buf \*frag)
{
	struct nrf5\_802154\_data \*nrf5\_radio \= NRF5\_802154\_DATA(dev);
	uint8\_t payload\_len \= frag\->len;
	uint8\_t \*payload \= frag\->data;
	bool ret \= true;

	LOG\_DBG("%p (%u)", payload, payload\_len);

	nrf5\_radio\->tx\_psdu\[0\] \= payload\_len + NRF5\_FCS\_LENGTH;
	memcpy(nrf5\_radio\->tx\_psdu + 1, payload, payload\_len); /\* VULN: stack-based buffer overflow due to unchecked payload\_len \*/

	/\* Reset semaphore in case ACK was received after timeout \*/
	k\_sem\_reset(&nrf5\_radio\->tx\_wait);
...

**PoC**

I haven't tried to reproduce these potential vulnerabilities against a live install of the Zephyr OS.

**Impact**

If the unchecked input above is attacker-controlled and cross a security boundary, the impact of the buffer overflow vulnerability could range from denial of service to arbitrary code execution.

**Patches**

This has been fixed in:

*   main (v3.5 development cycle) #60528
*   3.4 #61384
*   2.7 #61216

CVE-2023-4263: Potential buffer overflow vulnerability in the Zephyr IEEE 802.15.4 driver

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.

We have already fixed the vulnerability in the following versions:
QTS 5.0.1.2425 build 20230609 and later
QTS 5.1.0.2444 build 20230629 and later
QTS 4.5.4.2467 build 20230718 and later
QuTS hero h5.0.1.2515 build 20230907 and later
QuTS hero h5.1.0.2424 build 20230609 and later
QuTS hero h4.5.4.2476 build 20230728 and later
QuTScloud c5.1.0.2498 and later


Security ID : QSA-23-41

*   Release date : October 14, 2023
    
*   CVE identifier : CVE-2023-32970 | CVE-2023-32973
    
*   Affected products: QTS 5.1.x, 5.0.x, 4.5.x; QuTS hero h5.1.x, h5.0.x, h4.5.x; QuTScloud c5.x
    

**Summary**

Two vulnerabilities have been reported to affect several QNAP operating system versions:

*   CVE-2023-32970: If exploited, the null pointer dereference vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network.
*   CVE-2023-32973: If exploited, the buffer copy without checking size of input vulnerability could allow authenticated administrators to execute code via a network.

We have already fixed the vulnerabilities in the following versions:

Affected Product

Fixed Version

QTS 5.1.x

QTS 5.1.0.2444 build 20230629 and later

QTS 5.0.x

QTS 5.0.1.2425 build 20230609 and later

QTS 4.5.x

QTS 4.5.4.2467 build 20230718 and later

QuTS hero h5.1.x

QuTS hero h5.1.0.2424 build 20230609 and later

QuTS hero h5.0.x

QuTS hero h5.0.1.2515 build 20230907 and later

QuTS hero h4.5.x

QuTS hero h4.5.4.2476 build 20230728 and later

QuTScloud c5.x

QuTScloud c5.1.0.2498 and later

**Recommendation**

To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model. In addition, for online activities, it's recommended to access the web through secure and trusted networks.

**Updating QTS, QuTS hero, or QuTScloud**

1.  Log in to QTS, QuTS hero, or QuTScloud as an administrator.
2.  Go to **Control Panel** > **System** > **Firmware Update**.
3.  Under **Live Update**, click **Check for Update**.  
    The system downloads and installs the latest available update.

**Tip:** You can also download the update from the QNAP website. Go to **Support** > **Download Center** and then perform a manual update for your specific device.

**Attachment**

*   CVE-2023-32970.json
*   CVE-2023-32973.json

**Acknowledgements:** Jiaxu Zhao && Bingwei Peng

**Revision History:**  
V1.0 (October 14, 2023) - Published

CVE-2023-32973: Vulnerabilities in QTS, QuTS hero, and QuTScloud - Security Advisory

The botnet — built for DDoS, backdooring, and dropping malware — is evading standard URL signature detections with a novel approach involving Hex IP addresses.

Cyberattackers are targeting Linux SSH servers with the ShellBot malware, and they have a new method for hiding their activity: using hexadecimal IP (Hex IP) addresses to evade behavior-based detection.

According to researchers at the AhnLab Security Emergency Response Center (ASEC), the threat actors are translating the familiar "dot-decimal" command-and-control URL formation (i.e., hxxp://39.99.218\[.\]78,) into a Hex IP address format (such as hxxp://0x2763da4e/), which most URL-based detection signatures won't parse or flag.

"IP addresses can be expressed in formats other than the dot-decimal notation, including decimal and hexadecimal notations, and are generally compatible with widely used Web browsers," according to the ASEC advisory on the Hex IP attacks. "Due to the usage of curl for the download and its ability to support hexadecimal just like Web browsers, ShellBot can be downloaded successfully on a Linux system environment and executed through Perl."

ShellBot, aka PerlBot, is a well-known botnet that uses dictionary attacks to compromise servers that have weak SSH credentials. From there, the server endpoint is marshalled into action to deliver distributed denial-of-service (DDoS) attacks or drop payloads like cryptominers on infected machines.

"If ShellBot is installed, Linux servers can be used ... for DDoS attacks against specific targets after receiving a command from the threat actor," ASEC explained. "Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server."

To protect their organizations from ShellBot attacks, administrators should simply up their password hygiene game, using strong passwords and making sure to rotate their hardened credentials on a regular basis.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#dos