The Conversios.io WordPress plugin before 4.6.2 does not sanitise, validate and escape the sync_progressive_data parameter for the tvcajax_product_sync_bantch_wise AJAX action before using it in a SQL statement, allowing any authenticated user to perform SQL injection attacks.

CVE-2021-24952

CyberArk Identity versions up to and including 22.1 in the 'StartAuthentication' resource, exposes the response header 'X-CFY-TX-TM'. In certain configurations, that response header contains different, predictable value ranges which can be used to determine whether a user exists in the tenant.

Release 22.2 (available February 25, 2022) introduces the following changes.

Refer to CyberArk Identity Release Notes - Previous Versions for changes in previous releases.

**New features**

The following new features are available starting in 22.2.

 

Feature

Description

**Workforce Password Management**

Inline Password Generator for change password flow

The CyberArk Identity Browser Extension is enhanced to automatically detect if the user is on a websites’ change password screen, autofill in the existing password field and with a click of the icon (displayed in the image below) generate a strong password inline to fill in the New Password and Confirm Password fields. Upon save, the browser extension captures and offers to save the updated password in cloud or self-hosted vault. This feature allows for seamless user experience of changing their business account passwords and avoid any potential password related security vulnerabilities.

![](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/images/GeneratePassword_RNimage_364x349.png)

Refer to Update passwords with the Password Generator for more information.

**Improvements and behavior changes**

This release includes the following product improvement.

 

Improvement

Description

**CyberArk Identity mobile apps**

Android CyberArk Identity mobile app support changes

The policy setting to Encrypt internal onboard storage (Endpoint policies > Common settings > mobile settings > common > Encrypt internal onboard storage) is removed. CyberArk removed this policy setting because encrypting internal storage is the default behavior starting with Android 5. You cannot enroll Android 4.4.4 and older devices as the policy setting is removed.

**Early access features**

Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.

Contact your account representative to enable early access features.

The following table describes features that are currently in an early access state.

  

Feature

Description

Initial release version

**Authentication**

New Authentication Widget Builder

This feature enables you to create a widget and visualize the preview of the widget before using it.

22.1

Progressive migration of passwords using code plugin

This feature enables you to progressively migrate hashed passwords from their legacy stores to CyberArk Identity by providing an inline legacy authentication hook into the CyberArk Identity authentication process.

21.12

**User interface**

Updated design in Application tile

The design is updated for the app tiles. A new Shared icon has been introduced in the app tile. You can view this icon on the bottom right of the app tile. You can view all other icons on the bottom right of the tile except the New and Error icon.

![](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/images/New_apptile_UI_446x390.png)

22.2

Enhanced interface in Applications

This enhancement allows you to customize tabs in Applications based on your requirements. You can perform the following actions in the User Portal:

*   Add tabs
    
*   Delete tabs
    
*   Re-order tabs
    
*   Drag and drop apps from one tab to another tab
    

A new drop-down has been introduced, which allows you to sort all applications.

![](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/images/Allappstabs_RNimage_618x314.png)

22.2

**Android mobile application**

Support for push notifications on the Android mobile app for users in China

This feature enables users who don't have access to Google services, like users in China, to explicitly fetch the push notifications and policy updates sent by CyberArk Identity.

Contact your CyberArk account representative to enable this feature if you have users without access to Google services.

Refer to Download the CyberArk Identity mobile app for Android and CyberArk Identity-SDK for-Android for more information.

21.11

**Endpoints**

Windows and Mac Device Trust

The CyberArk IdentityWindows Device Trust and Mac Device Trust prevent untrusted computers from accessing the CyberArk Identity portals or web applications using authentication certificates as a conditional access mechanism. This provides additional device trust to identity and access policies.

The Windows Device Trust is available for AD-joined devices and users must first be validated using IWA authentication. The Windows Device Trust is available in the Admin Portal > Downloads.

The CyberArk IdentityMac Device Trust is available for AD-joined devices and non AD-joined devices, and is deployed with Jamf Pro.

Additional enhancements include:

*   New functionality (Revoke, Issue, Renew, and Lifetime ) has been added for certificate management for Windows Cloud Agent and Windows Device Trust. This is available in the Admin Portal > Settings > Endpoints, select an endpoint then go to the Certificates tab.
    
*   Integrations in the Admin Portal > Settings > Endpoints has been renamed to Device Trust.
    

Refer to CyberArk Identity Mac Device Trust and CyberArk Identity Windows Device Trust for more information.

Mac - 21.9

Windows - 21.5

**New Single Sign-On templates**

New Single Sign-On (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.

Refer to Recent SSO application templates for a list of recently added templates.

**Component versions**

Refer to the following table for a list of component versions in the latest release:

 

Component

Version

CyberArk Identity

22.2.196

Windows Cloud Agent

22.1.289

Windows Device Trust

22.2.196

Mac Cloud Agent

22.2.196

Mac Device Trust

22.2.196

Android CyberArk Identity mobile app

22.2.106

iOS CyberArk Identity mobile app

22.2.105

Windows CyberArk Authenticator

22.2.196

Mac CyberArk Authenticator

22.2.196

Browser Extensions

22.2.3

Connector

22.2.196

**Browser support**

This version of CyberArk Identity has been tested with the following browsers:

 

Browser

Version

Internet Explorer

Version 11 on Windows 2008 server, Windows 2012 server, Windows 7, and Windows 8

Microsoft Edge

latest version available at release

Mozilla Firefox

latest version available at release

Google Chrome

latest version available at release

Apple Safari

11

For silent authentication to work correctly, some web browsers need additional configuration (see Configure browsers for silent authentication) or a browser extension (see Manage credentials with Workforce Password Management).

On devices, the CyberArk Identity mobile app opens the web applications in the native browser unless that application requires a browser extension to provide single sign-on. For these applications only, the CyberArk Identity mobile app opens the application in its built-in browser.

**CyberArk Identity Browser Extension support**

The Browser Extension for Internet Explorer and Safari is deprecated. If your users use those browsers with a previous version of the Browser Extension and you want them to continue to do so, you should restrict updates to the Browser Extension.

Users restricted to old versions of the Browser Extension will not benefit from updates and new features. Refer to Restrict CyberArk Identity Browser Extension updates for more information.

Computers must meet the following requirements to install the Browser Extension.

*   Microsoft .NET Framework 4.6.2 or later
*   Microsoft Installer 3.1 or later

In addition, browser support for the Browser Extension features is indicated in the following table.

   

Chrome  
(latest available at release)

Firefox  
(latest available at release)

Edge

Form filling

Yes

Yes

Yes

App capture

Not supported

Yes

Not supported

Land and Catch

Yes

Yes

Yes

App Launch

Yes

Yes

Yes

**Device support**

If you are using CyberArk Identity for mobile device management and authentication, it supports enrolling the following devices and computers using the cloud agents.

The purpose of the cloud agent is to enforce authentication profiles; it’s only active during authentication. Unlike Anti-Virus and Endpoint Detection and Response agents, the CyberArk cloud agents are not listening to system events or otherwise consuming endpoint resources after the user logs in.

 

Operating System

Versions supported

Windows

10, Server 2016, Server 2019

Desktop Experience is required for Windows servers.

macOS

10.13, 10.14, 10.15, 11, 12

iOS

11.x and later

iPadOS

13.x and later

watchOS

5.x and later

Android

8.x and later

**Language support**

Foreign language support is provided for the following components:

*   CyberArk Identity User Portal help -- Japanese only
*   User Portal text strings.
*   Admin Portal text strings

Not all of the languages listed below are available for the Admin Portal text strings.

Administrators can select the language in which the user portal texts and CyberArk Identity system messages are displayed. The default setting, (--), is equivalent to not setting a language. In this case, the user's browser language selection will be used. However, if users configure their own language selection, then that language takes precedence. For example, if you set the language to French in the Admin Portal and a user sets the language to Vietnamese in the User Portal, then Vietnamese is used for that user. Users can specify their language selection in User Portal > Account \> Personal Profile > Language drop-down list.

To configure the language option in the Admin Portal

1.  Log-in to the Admin Portal.
2.  Click Access \> Policies \> Select the relevant policy.
3.  Click User Security Policies > User Account Settings.
4.  Select the default language in the Default Language drop-down list.
5.  Click Save.

In this release, translations are provided for the following languages:

*   Arabic
*   Brazilian Portuguese
*   Chinese—Simplified and Traditional
*   Dutch
*   French
*   German
*   Italian
*   Japanese
*   Korean
*   Portuguese
*   Russian
*   Serbian
*   Spanish
*   Swedish
*   Thai
*   Vietnamese

Additional languages are being added over time—see the Release Notes for the most recent additions.

**Known issues**

 

Issue

Workaround

**General platform**

When users click Reload Rights in the CyberArk Identity User Portal, they receive the error You are not authorized to perform this operation. Please contact your IT helpdesk.

Users can ignore this error. It's an error with the UI; Administrative Rights reload as expected.

The UI issue will be addressed in an upcoming hotfix.

When you create a Role and add members before saving the Role, the members are not saved.

Create and save the Role, then add members to the Role and save it again.

**Windows Cloud Agent**

With RDP (v 6.0+), a user cannot RDP to the endpoint/server with the Windows Cloud Agent using a CyberArk Cloud Directoryuser. This is because the network credential validation is done on the client side first, before establishing the remote desktop connection.

https://docs.microsoft.com/en-au/troubleshoot/windows-server/remote/remote-desktop-connection-6-prompts-credentials

**Mac Cloud Agent**

The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.

1.  Go to System Preferences > Security & Privacy > General, then click Open Anyway.
    
    ![](https://docs.cyberark.com/Product-Doc/OnlineHelp/Idaptive/Latest/en/Content/ReleaseNotes/images/GatekeeperBypass.png)
    
2.  Click Open on the warning screen that appears.
    
    After making these changes, the Gatekeeper warning will not display again for the Mac Cloud Agent on that device for the logged in user.
    

The MFA login screen shows “Phone Call” more than once if user has multiple phone numbers configured.

None

The Mac Cloud Agent cannot be updated from the UI.

WorkAround: Go to the User Portal or the Admin Portal to download the latest agent.

Reopen the Mac Cloud Agent and note the agent is updated to the latest version.

Self-service account unlock is not currently supported.

None

User may not able to see the device location.

Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location select Force for Permit administrator to see device location.Then unenroll the user and enroll again.

Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

The local account can get out of sync with the matching account in the directory source after the password change, resulting in a denied login.

Log in to a local admin account and set the local password of the impacted user to the same password as the directory source through System Preferences > Users or through the dscl command line.

When creating an authentication profile for Mac MFA, password must be the first factor (Challenge 1).

None

A user might get removed from the FileVault boot screen if they changed their password without entering their previous password in the Keychain Sync dialog on 10.14.3+ macOS devices.

To avoid this issue, users should log out after changing their password in the User Portal. When they log back in, click Yes at the Keychain Sync prompt and enter their previous password to sync their keychain and FileVault password.

Apple Watch unlock is not compatible with the MFA lock screen policy

Disable the MFA lock screen policy for Apple Watch users in the Admin Portal.

The CyberArk Menu Item is not removed from the UI after unenrolling until the next login or restart.

You might receive a certificate error during munkiimport after tenant migration.

Workaround: Re-enroll the Mac

The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Please contact support if you plan to use DEP.

None

**Mobile applications**

If the iPhone app (or the push authenticator) is locked using biometric or pin, then Apple Watch approval shows an error message.

None

Users can sign in to the Apple watch only after the first notification is delivered to the watch.

None

CVE-2022-22700: CyberArk Identity Release Notes

The biometric lock in Devolutions Password Hub for iOS before 2021.3.4 allows attackers to access the application because of authentication bypass. An attacker must rapidly make failed biometric authentication attempts.

*   Call me
*   Live Chat

*   Log in

Security & Compliance Advisories

**Affected Products**

Devolutions Password Hub for iOS 2021.3.3 and older

**Change Log**

Initial Publication - 2022-02-17

**Product**

Devolutions Password Hub for iOS

**Summary**

A vulnerability was fixed in Devolutions Password Hub for iOS where the FaceID application lock could be bypassed.

**Bypassable biometric application lock (CVE-2022-23849)**

**Description**

The biometric application lock can be bypassed by failing the authentication process in rapid succession.

**Remediation and Workarounds**

Users are advised to update to 2021.3.4.

**Severity**

Medium - CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Affected Products**

Devolutions Password Hub on iOS versions 2021.3.3 and older

**Credits**

Thanks to Sven Halm for reporting this issue.

CVE-2022-23849: DEVO-2022-0001

A stored cross-site scripting (XSS) vulnerability in the admin interface in Element-IT HTTP Commander 7.0.0 allows unauthenticated users to get admin access by injecting a malicious script in the User-Agent field.

CVE-2022-24573: Element-IT software products news

A remote code execution (RCE) vulnerability in the Avatar parameter under /admin/?page=user/manage_user of Home Owners Collection Management System v1.0 allows attackers to execute arbitrary code via a crafted PNG file.

**Home Owners Collection Management****Vendor**

![](https://github.com/nu11secur1ty/CVE-nu11secur1ty/raw/main/vendors/oretnom23/2022/Home-Owners-Collection-Management/Docs/Screenshot%202022-02-12%20135214.png)

**Description:**

The system Home Owners Collection Management System 1.0 is vulnerable to RCE The employee or user who requests an administrative or another type of account can upload dangerous RCE code and he can use it to manipulate the system. It depends on the malicious scenarios. This is CRITICAL for the owner of this system! Not correctly sanitizing, of extension for upload the picture, when the user wants to upload and change his profile picture!

Status: CRITICAL

**Reproduce:**

href

**Proof and Exploit:**

href

CVE-2022-25115: CVE-nu11secur1ty/vendors/oretnom23/2022/Home-Owners-Collection-Management at main · nu11secur1ty/CVE-nu11secur1ty

Potential vulnerabilities have been identified in the BIOS for some HP PC products which may allow denial of service.

Potential vulnerabilities have been identified in the BIOS for some HP PC products which may allow denial of service. HP is releasing mitigation for the potential vulnerabilities.

Severity

High

HP Reference

HPSBHF03775 Rev. 1

Release date

February 28, 2022

Last updated

February 28, 2022

Category

PC

Potential Security Impact

Denial of Service

**Relevant Common Vulnerabilities and Exposures (CVE) List**

Reported by Assaf Carlsbad and Itai Liba of SentinelOne

List of CVE IDs    

CVE ID

Base Score

Base Vector

Vendor ID

CVE-2022-23956

8.2

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

HP

CVE-2022-23953

7.9

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

HP

CVE-2022-23954

7.9

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

HP

CVE-2022-23955

7.9

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

HP

CVE-2022-23957

7.9

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

HP

CVE-2022-23958

7.9

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

HP

Learn more about CVSS 3.1 base metrics, which range from 0 to 10.

PSR-2021-0130

**Resolution**

HP has identified affected platforms and corresponding SoftPaqs with minimum versions that mitigate the potential vulnerabilities. See the affected platforms listed below.

Newer versions may become available, and the minimum versions listed below may become obsolete.  If a SoftPaq Link becomes invalid, check the HP Customer Support - Software and Driver Downloads site to obtain the latest update for your product model.

HP recommends keeping your system up to date with the latest firmware and software.

Note:

This bulletin might be updated when new information and/or SoftPaqs are available. Sign up for HP Subscriptions to be notified and receive:

*   Product support eAlerts
    
*   Driver updates
    
*   Security Bulletin updates
    

**SoftPaqs and affected products**

Find the SoftPaqs that resolve the vulnerabilities of your system.

SoftPaq Status

*   **Pending**: SoftPaq is in progress.
    
*   **Under investigation**: System under investigation for impact, or the SoftPaq is under investigation for feasibility/availability.
    
*   **Not available**: SoftPaq not available due to technical or logistical constraints.
    
*   **Check Support Page**: The listed SoftPaq has been removed from the download site. SoftPaqs with newer versions may be available on the HP Customer Support - Software and Driver Downloads site.
    

**Affected products**

Identify the affected products by category of PC.

**Business Notebook PCs**

Pending

**Business Desktop PCs**

Pending

**Retail Point-of-Sale Systems**

Pending

**Workstations**

Under Investigation

**Thin Client PCs**

Under Investigation

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

February 28, 2022

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2022 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2022-23956: HP PC BIOS February 2022 Security Update

VMware Workspace ONE Boxer contains a stored cross-site scripting (XSS) vulnerability. Due to insufficient sanitization and validation, in VMware Workspace ONE Boxer calendar event descriptions, a malicious actor can inject script tags to execute arbitrary script within a user's window.

Advisory ID: VMSA-2022-0006

CVSSv3 Range: 6.6

Issue Date: 2022-02-23

Updated On: 2022-02-23 (Initial Advisory)

CVE(s): CVE-2022-22944

Synopsis: VMware Workspace ONE Boxer update addresses a stored cross-site scripting (XSS) vulnerability (CVE-2022-22944)

Share this page on social media

Sign up for Security Advisories

****1\. Impacted Products****

*   VMware Workspace ONE Boxer

****2\. Introduction****

A stored cross-site scripting (XSS) vulnerability affecting VMware Workspace ONE Boxer was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

****3a. VMware Workspace ONE Boxer update addresses a stored cross-site scripting (XSS) vulnerability (CVE-2022-22944)****

VMware Workspace ONE Boxer contains a stored cross-site scripting (XSS) vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.6.

Due to insufficient sanitization and validation, in VMware Workspace ONE Boxer calendar event descriptions, a malicious actor can inject script tags to execute arbitrary script within a user's window.

To remediate CVE-2022-22944 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.

VMware would like to thank Eugene Lim for reporting this issue to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

Workspace ONE Boxer

Any

iOS

CVE-2022-22944

6.6

moderate

22.02

None

None

Workspace ONE Boxer

Any

Android

CVE-2022-22944

N/A

N/A

Unaffected

N/A

N/A

****4\. References****

****5\. Change Log****

**2022-02-23: VMSA-2022-0006  
**Initial security advisory.

****6\. Contact****

CVE-2022-22944: VMSA-2022-0006

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in CAA to cause a denial of service. IBM X-Force ID: 220394.

CVE-2022-22350: IBM X-Force Exchange

IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the AIX kernel to cause a denial of service. IBM X-Force ID: 213076.

**Security Bulletin**

  

**Summary**

There are multiple vulnerabilities in AIX CAA.

**Vulnerability Details**

**Affected Products and Versions**

Affected Product(s)

Version(s)

AIX

7.1

AIX

7.2

AIX

7.3

VIOS

3.1

The vulnerabilities in the following filesets are being addressed:

Fileset

Lower Level

Upper Level

bos.cluster.rte

7.1.5.0

7.1.5.38

bos.cluster.rte

7.2.4.0

7.2.4.4

bos.cluster.rte

7.2.5.0

7.2.5.1

bos.cluster.rte

7.2.5.100

7.2.5.101

bos.cluster.rte

7.3.0.0

7.3.0.0

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user's guide.

Example:  lslpp -L | grep -i bos.cluster.rte

  

**Remediation/Fixes**

**A. APARS**

IBM has assigned the following APARs to this problem:

AIX Level

APAR

SP

7.1.5

IJ37355

SP10

7.2.4

IJ37496

SP06

7.2.5

IJ36682

SP04

7.3.0

IJ36596

SP02

 

VIOS Level

APAR

SP

3.1.1

IJ37496

3.1.1.60

3.1.2

IJ37512

3.1.2.40

3.1.3

IJ36682

3.1.3.20

Subscribe to the APARs here:

By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available.

**B. FIXES**

AIX and VIOS fixes are available.

An LPAR system reboot is required to complete the iFix installation, or Live Update may be used on AIX 7.2 and 7.3 to avoid a reboot.

The AIX and VIOS fixes can be downloaded via ftp or http from:

The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

AIX Level

Interim Fix

7.1.5.7

IJ37355s7a.220228.epkg.Z

7.1.5.8

IJ37355s8a.220228.epkg.Z

7.1.5.9

IJ37355s9a.220228.epkg.Z

7.1.5.9

IJ37355s9b.220228.epkg.Z

7.2.4.3

IJ37496s3a.220228.epkg.Z

7.2.4.4

IJ37496s4a.220228.epkg.Z

7.2.4.5

IJ37496s5a.220228.epkg.Z

7.2.5.1

IJ37512s1a.220228.epkg.Z

7.2.5.2

IJ37512s2a.220228.epkg.Z

7.2.5.3

IJ36682s3a.220228.epkg.Z

7.2.5.3

IJ36682s3b.220228.epkg.Z

7.3.0.1

IJ36596s1a.220228.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.2 is AIX 7200-05-02.

NOTE:  Multiple iFixes are provided for AIX 7100-05-09 and 7200-05-03.

IJ37355s9a is for AIX 7100-05-09 with bos.cluster.rte fileset level 7.1.5.38.

IJ37355s9b is for AIX 7100-05-09 with bos.cluster.rte fileset level 7.1.5.37.

IJ36682s3a is for AIX 7200-05-03 with bos.cluster.rte fileset level 7.2.5.101.

IJ36682s3b is for AIX 7200-05-03 with bos.cluster.rte fileset level 7.2.5.100.

Please reference the Affected Products and Version section above for help with checking installed fileset levels.

VIOS Level

Interim Fix

3.1.1.30

IJ37496s3a.220228.epkg.Z

3.1.1.40

IJ37496s4a.220228.epkg.Z

3.1.1.50

IJ37496s5a.220228.epkg.Z

3.1.2.10

IJ37512s1a.220228.epkg.Z

3.1.2.21

IJ37512s2a.220228.epkg.Z

3.1.3.10

IJ36682s3b.220228.epkg.Z

3.1.3.14

IJ36682s3a.220228.epkg.Z

To extract the fixes from the tar file:

tar xvf caa\_fix2.tar

cd caa\_fix2

Verify you have retrieved the fixes intact:

The checksums below were generated using the "openssl dgst -sha256 \[filename\]" command as the following:

openssl dgst -sha256

filename

6e45651c382f9915771c9714b994d26a783a8caecb8e3c8b3350d981aee7349b

IJ36596s1a.220228.epkg.Z

88a2f0bcc4b7676eab0db362fd885d360ad3a38104edbe7bed1e4c79a56be30d

IJ36682s3a.220228.epkg.Z

a81847ca47786818db8dce79f4a982c285815f561e2c9e8630840c229a27d381

IJ36682s3b.220228.epkg.Z

b4efa8234dc00c91148c75ec25e1c5fd3cd96ec691131ece6e458e5c33591335

IJ37355s7a.220228.epkg.Z

e141352471d842585e176bfb3ccc27289620b63de96478cca7688f4851841023

IJ37355s8a.220228.epkg.Z

9440584798abfa576e4e90287847f22cc9019281a213f1d289df330e75e77b56

IJ37355s9a.220228.epkg.Z

4d77a4e7fd8cd356deda29d6ff9a5996912ebd22e0898ede34725220d8df2577

IJ37355s9b.220228.epkg.Z

991ac1e17a4dd3b20feb44162b3f04a9dcda8cb2acce398e09c520b5871ccff3

IJ37496s3a.220228.epkg.Z

a0a24034a8a2fc3f2fa4ed8e5b05da045587300708812fe5c796a41b87b8e855

IJ37496s4a.220228.epkg.Z

2f74bee159291cec6944f8b522dbbf086f01b65a30da76595773b5851008c0ba

IJ37496s5a.220228.epkg.Z

95086a37dbf91e218f145c172cf2ca39029dfbecb00f072d4a36887f91536551

IJ37512s1a.220228.epkg.Z

9e2ecbbe30354bdd275679ac9e22ec7ca0dfb8a87cbe73f46767422b90206afd

IJ37512s2a.220228.epkg.Z

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes.  If the sums or signatures cannot be confirmed, contact IBM Support at http://ibm.com/support/ and describe the discrepancy.         

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[advisory\_file\].sig \[advisory\_file\]

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[ifix\_file\].sig \[ifix\_file\]

Published advisory OpenSSL signature file location:

**C. FIX AND INTERIM FIX INSTALLATION**

An LPAR system reboot is required to complete the iFix installation, or Live Update may be used on AIX 7.2 and 7.3 to avoid a reboot.

If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.

To preview a fix installation:

installp -a -d fix\_name -p all  # where fix\_name is the name of the

                                            # fix package being previewed.

To install a fix package:

installp -a -d fix\_name -X all  # where fix\_name is the name of the

                                            # fix package being installed.

Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.

Interim fix management documentation can be found at:

To preview an interim fix installation:

emgr -e ipkg\_name -p         # where ipkg\_name is the name of the

                                         # interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg\_name -X         # where ipkg\_name is the name of the

                                         # interim fix package being installed.

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

01 Mar 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU048","label":"Systems w\\/TPS"},"Product":{"code":"SSSMHJ","label":"PowerVM Virtual I\\/O Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"3.1","Edition":""},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"7.1,7.2,7.3","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}\]

CVE-2021-38996: Security Bulletin: Vulnerabilities in AIX CAA (CVE-2022-22350, CVE-2021-38996)

A improper input validation in Fortinet FortiGate version 6.4.3 and below, version 6.2.5 and below, version 6.0.11 and below, version 5.6.13 and below allows attacker to disclose sensitive information via SNI Client Hello TLS packets.

**![](https://fortiguard.com/static/images/icons/psirt.svg?v=5463) PSIRT Advisories**

**FortiOS - Bypassing FortiGate security profiles via SNI in Client Hello**

**Summary**

An exposure of sensitive information to an unauthorized actor vulnerability \[CWE-200\] in FortiOS may allow a privileged attacker to disclose sensitive information via SNI Client Hello TLS packets.

**Affected Products**

Forti​OS version 6.4.3 and below  
Forti​OS version 6.2.5 and below  
Forti​OS version 6.0.11 and below  
 

**Solutions**

Given that there is no systematic way to detect **all** exfiltration attempts and to exhaustively enumerate all possibilities offered by exfiltration channels, Fortinet has addressed the issue by releasing a set of signatures:

1.  Python/SNICat.A!exploit  
    https://www.fortiguard.com/encyclopedia/virus/10069638
    
2.  SNIcat.Data.Exfiltration.Tool  
    https://www.fortiguard.com/encyclopedia/ips/50952
    

**References**

*   https://community.fortinet.com/t5/FortiGate/Technical-Tip-Bypassing-FortiGate-web-filter-profile-by-using/ta-p/200212

Tag

#ios