Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

CVE-2023-24456: Jenkins Security Advisory 2023-01-24

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-24433: Jenkins Security Advisory 2023-01-24

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2022-38775: Security issues

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims.

Skip to content

GitLab

Next

*   *   GitLab: the DevOps platform
    *   Explore GitLab
    *   Install GitLab
    *   How GitLab compares
    *   Get started
    *   GitLab docs
    *   GitLab Learn
    
*   Pricing
*   Talk to an expert

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    *   Contribute to GitLab
    
*   *   
    
    Projects Groups Snippets
    
*   Sign up now
*   Login
*   Sign in / Register
    

*   GitLab.org
*   cves
*   Repository

Switch branch/tag

*   cves
*   2022
*   **CVE-2022-3572.json**

Find file BlameHistoryPermalink

*   Publishing 0 updated advisories and 2 new advisories · 8e57563a
    
    🤖 GitLab Bot 🤖 authored Jan 20, 2023
    
    8e57563a

CVE-2022-3572: 2022/CVE-2022-3572.json · master · GitLab.org / cves · GitLab

Red Hat Security Advisory 2023-0237-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.8.57 security update  
Advisory ID:       RHSA-2023:0237-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0237  
Issue date:        2023-01-25  
CVE Names:         CVE-2022-41912 CVE-2023-21835 CVE-2023-21843  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.8.57 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.  
Security Fix(es):

* crewjam/saml: Authentication bypass when processing SAML responses  
containing multiple Assertion elements (CVE-2022-41912)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

See the following documentation, which will be updated shortly for this  
release, for important instructions on how to upgrade your cluster and  
fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.8/release_notes/ocp-4-8-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, and ppc64le architectures.

The image digests may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:c9dfdaa23f71c5faf6cc88a3cc504f7458840b8c860372a8106584739a15b1f2

(For s390x architecture)  
The image digest is  
sha256:ff2557359193568edf71a6160b0d431c01625578fc29ca6c8894f2e46719b475

(For ppc64le architecture)  
The image digest is  
sha256:cfbc2bf134d9a7754a920164bd8189f2f5b5d802c25c0774ab3b4e9c1998ff51

All OpenShift Container Platform 4.8 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.8/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2149181 - CVE-2022-41912 crewjam/saml: Authentication bypass when processing SAML responses containing multiple Assertion elements

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-5964 - Placeholder bug for OCP 4.8.0 metadata release  
OCPBUGS-5965 - Placeholder bug for OCP 4.8.0 rpm release

6. References:

https://access.redhat.com/security/cve/CVE-2022-41912  
https://access.redhat.com/security/cve/CVE-2023-21835  
https://access.redhat.com/security/cve/CVE-2023-21843  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9FaPdzjgjWX9erEAQg0vw//QzuA21utuuPcMS2hskt1IACyRPrP2e1r  
iWod7sJFac91fcGCq43e4dyc0IUeurEHAh7syX5g9UBaDt1IReTUsF5Fwolbi8js  
Q2xTi8TyYuCqYKpl8yzXXKRu/vd32HfsOhe1W8pyzT77PcPf5QlX329GnMUUsyrr  
l/3eNwRn/eIRWqGXPBFzRM+NVBbLAZ5J17Wpdqu7Ghu+11xSU7cAhrk1BjFaNxHy  
u/s5PLDtz1tCjf8pU8MdkBe/DVWUDCkR1QvPqj5GDRHK/Vq0gyvhX2+m3nDi1VlF  
2XNMy+PVlmnlAoLtRWcaazTvE8VR0aaxyB6iOZQMcDrUMJS+wJD5Oo/zcGjvVNpM  
oXhuSpnkLSEAzb1Z4a0NIdx9hJGP4j252RJYzx4GumwpiNaU4xMr4DoFB/cRE11H  
b2c45+iX1n/Dnj8LaJLUdCSKAHqrFB4gGSjKTlV3KO/xGIYTPn30MSOAGYWR9oDf  
zaPX1AdgNBoQ43gbKP2Uj7/S7iHN575P7t1B1Bfi+Bdgxo6U0sRlgC51LEVCqTtD  
49NkFFzmFQr3KCFIDuHIQaNRyyPU3skAf7mKqUJGblkrbAolZ3Gc+a0RK9kmlx0j  
cdOK6ev73xCs/Ad5SmynJRXTrZB3dmOzh5Gk6QpOAFzPbJr30Qt1dfqAsq7hsVxb  
wNvLA5dg5i8=WVbV  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0237-01

Red Hat Security Advisory 2023-0241-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.50.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Low: OpenShift Container Platform 4.10.50 bug and security update  
Advisory ID:       RHSA-2023:0241-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0241  
Issue date:        2023-01-24  
CVE Names:         CVE-2023-0296  
====================================================================  
1. Summary:

Red Hat OpenShift Container Platform release 4.10.50 is now available with  
updates to packages and images that fix several bugs.

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.10.50. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2023:0240

Security Fix(es):

* openshift: etcd grpc-proxy vulnerable to The Birthday attack against  
64-bit block cipher (CVE-2023-0296)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

3. Solution:

For OpenShift Container Platform 4.10 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:9301ca818d705bda5981db961904f2b6e3f9adcc51e3c8e258c05950236dfc3d

(For s390x architecture)  
The image digest is  
sha256:88dd6c214ba12eb626301d40fadbf5d6d95eeaebae11f0c0fedfbfcecd1df739

(For ppc64le architecture)  
The image digest is  
sha256:baa7fe33ac04eca046892820342c19b6df02f6998f3f5e4f9471c737f6eeb301

(For aarch64 architecture)  
The image digest is  
sha256:7ac01bfe3554059f81fb573fa04cf41ca8a150b93b54d4209f4c987687e40d81

All OpenShift Container Platform 4.10 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2161287 - CVE-2023-0296 openshift: etcd grpc-proxy vulnerable to The Birthday attack against 64-bit block cipher

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-4467 - [4.10] Improve ironic logging configuration in metal3  
OCPBUGS-4717 - Unable to use application credentials for Cinder CSI after OpenStack credentials update  
OCPBUGS-4810 - MCO does not sync kubeAPIServerServingCAData to controllerconfig if there are not ready nodes  
OCPBUGS-5294 - Backport fix for OCPBUGSM-36848 to 4.10  
OCPBUGS-5299 - [4.10] [OVN]Sometimes after reboot egress node, egress IP cannot be applied anymore.  
OCPBUGS-5415 - [OCP 4.10] ironic container images have old packages  
OCPBUGS-5419 - [release-4.10] Azure: unable to configure EgressIP if an ASG is set  
OCPBUGS-5507 - [vsphere-CSI-Driver-Operator] The storageclass "thin-csi" could not be re-created after deleting  
OCPBUGS-5788 - ClusterResourceQuota values are not reflecting.

6. References:

https://access.redhat.com/security/cve/CVE-2023-0296  
https://access.redhat.com/security/updates/classification/#low

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY8+0QtzjgjWX9erEAQjtJw//Ts6EzkhU5+hsaIaT0j7Yq18Dai3sC7p6  
jCiHlRWPuoAcyzrvZbVv+62G9WaXWhQ9HuXOYjx/cPTCZe92ixeSrE8FQGDh9bgw  
fLVMtqH7F8zOQHRVspIgH8SzooS5A/ZGSCBG5wVSvVbJUCQViXmoz2xOH4DXjOmd  
RT42+aBT0KeTG6Dbj21g3VB/5faLxxrC8u55lVAlBGNyroVmLqKzPKKnlvpibjFV  
WJATXcV0885PXR8FVmF0CSZbkX+u1++7XVHhoqgQ/D8STZCvmIw/W21pcW8owYEc  
u0kBO8eTH8LKqiSbze88ENVogOaX+0HIgKmJ/3aMjyejSVPpIlmz3RA/gOG2Eguc  
vdrRJXwjFCY2kkFgcw0SqeZM/SGHj1VlWNHTjxG9Sj7XnVw6QHpT9cVFByCvFp72  
eL96I3Qb3qnhCBrLdtsIUoA3B/uDkjGFwMysRdNBUFl76HvTEQUQhxWbLAy6q/XC  
VlOnE+e2Kj9pfyWHbSbHHdeD/qXFoUenHWBL+Xow5Hvf8L5oGYo3tFahDrlip+6R  
btZwOF56IEXH5Q4Cy9UaAONPb+6TntvOLsjaTpYqeTToIsHRAOE4NbghIeJBUHM3  
P6i4Iy9vR0DyJRFvpCVRXqw1h1Wlo0Ru4Xo9rQpKyX0TVDHppKrpa1HD+GZgEETk  
aT/bFo7O4rg=aJSj  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0241-01

Orca Security is one of the companies integrating conversational AI technology into its products.

While there are some concerns about how generative AI chatbots such as ChatGPT can be used maliciously — to craft phishing campaigns or write malware — several companies are harnessing the power of conversational AI technology to enhance their product capabilities, including for security.

ChatGPT, a large language model (LLM) developed by OpenAI, uses GPT 3 LLM and relies on large test data sets culled from multiple sources. ChatGPT, which can understand human language, provides detailed answers to simple questions and can handle complex tasks such as creating documents and writing code in response to user queries. It's an example of how conversational AI can be used to organize large volumes of information and enhance user experience and communications.

For instance, a conversational AI tool — whether that's ChatGPT or something else — could serve as the back end of an information concierge that automates the use of threat intelligence in enterprise support, according to IT research and advisory firm Into-Tech Research.

That's the approach Orca Security appears to be taking with Orca Security Platform. The company incorporated OpenAI's GPT3 API, specifically the "Da-Vinci-03" series, to enhance the platform's ability to generate contextual and accurate remediation plans for security alerts, Lior Drihem, Orca's director of innovation, and Itamar Golan, head of data science, wrote in the announcement. 

The new pipeline takes a security alert and preprocesses the data, such as basic information about the risk and its contextual environment — such as affected assets, attack vectors, and potential impact — before feeding the pieces as input to GPT3. The AI then generates a detailed explanation of the best and most practical ways to remediate the issue, Golan and Drihem wrote. These remediation steps can also be embedded in tickets, such as Jira tickets, for teams to reference and implement.

While the AI model can provide inaccurate information (or vague results), "the benefits of utilizing GPT3's natural language generation capabilities outweigh any potential risks, and have seen significant improvements in the efficiency and effectiveness of our remediation efforts," according to Drihem and Golan.

This isn't the first time Orca Security has been working with language models. The company recently integrated GPT3 into its cloud security platform to enhance the remediation information customers receive regarding infosec risks. 

"By fine-tuning these powerful language models with our own security data sets, we have been able to improve the detail and accuracy of our remediation steps — giving you a much better remediation plan and assisting you to optimally solve the issue as fast as possible," Golan and Drihem wrote.

**Harnessing AI & LLM for Applications**

Orca Security joins other companies incorporating language models into its product portfolio. Earlier this week, Gupshup launched Auto Bot Builder, which harnesses GPT-3 to help enterprises build their own advanced conversational chatbots. Auto Bot Builder builds chatbots tailed to the enterprise's specific requirements by using content from the enterprise website, documents, message logs, product catalogs, databases, and other corporate systems, processing the information using GPT-3 LLM (Large Language Model), and fine-tuning it with proprietary industry-specific models. Enterprises can use Auto Bot Builder to build chatbots for marketing lead generation activities, product discovery, product recommendations, shopping advice, troubleshooting, and customer support.

These chatbots differ from ChatGPT, a general-purpose chatbot, but like ChatGPT, they have an "exceptionally high degree of language capability" to engage with end users, according to Gupshup.

The cryptocurrency community is also using ChatGPT to create applications such as trading bots and crypto blogs, Jerrod Piker, a competitive intelligence analyst at Deep Instinct, wrote in an email. Examples include using ChatGPT to write a sample smart contract, and a trading bot that identifies entry and exit points to help automate the process of buying and selling cryptocurrencies.

A generative AI chatbot that can answer questions is not a new concept, but ChatGPT stands out from the others because of the breadth of topics it can handle and its ease of use, says Casey Ellis, founder and CTO of Bugcrowd.

GPT Emerges as Key AI Tech for Security Vendors

Red Hat Security Advisory 2023-0069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.24.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Low: OpenShift Container Platform 4.11.24 bug and security update  
Advisory ID:       RHSA-2023:0069-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0069  
Issue date:        2023-01-19  
CVE Names:         CVE-2022-32189 CVE-2023-0296   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.24 is now available with  
updates to packages and images that fix several bugs.

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container  
Platform 4.11.24. See the following advisory for the RPM packages for this  
release:

https://access.redhat.com/errata/RHBA-2022:0068

Security Fix(es):

* openshift: etcd grpc-proxy vulnerable to The Birthday attack against  
64-bit block cipher (CVE-2023-0296)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Space precludes documenting all of the container images in this advisory.  
See the following Release Notes documentation, which will be updated  
shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:  
https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

You may download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
may be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags

The SHA values for the release are:

  (For x86_64 architecture)  
The image digest is  
sha256:24a273f879d6eed8d6cce1426798a623ebbe095e01a881e58aa78c4e9eff0c8b

  (For s390x architecture)  
The image digest is  
sha256:620f3b21d5157c3223c0a45aae2fc3aac0d11f1d561f025e3d5730f628c95e05

  (For ppc64le architecture)  
The image digest is  
sha256:96eebd99bc9ba668447ffce90eb887012d000edfeca3994a4726fb72ef314b88

  (For aarch64 architecture)  
The image digest is  
sha256:a57a6844a0d6506309b3bb7bc3883384c907ffa331008423b32f4f3633795494

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift Console  
or the CLI oc command. Instructions for upgrading a cluster are available  
at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2161287 - CVE-2023-0296 openshift: etcd grpc-proxy vulnerable to The Birthday attack against 64-bit block cipher

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-1567 - Automation Offline CPUs Test cases  
OCPBUGS-3290 - WriteRequestBodies audit profile records routes/status events at RequestResponse level  
OCPBUGS-4761 - [4.11] Bump OVS control plane to get "ovsdb/transaction.c: Refactor assess_weak_refs."  
OCPBUGS-4908 - [OCP 4.11] ironic container images have old packages  
OCPBUGS-5075 - [4.11] SNO not able to bring up Provisioning resource in 4.11.17  
OCPBUGS-5099 - [4.11] coreos-installer output not available in the logs  
OCPBUGS-5145 - virtual media provisioning fails when iLO Ironic driver is used  
OCPBUGS-5258 - Add support for API version v1beta1 for knativeServing and knativeEventing  
OCPBUGS-5290 - PTP 4.12 Regression - CLOCK REALTIME status is locked when physical interface is down  
OCPBUGS-5341 - Placeholder bug for OCP 4.11.0 rpm release  
OCPBUGS-5359 - [release-4.11] Azure: unable to configure EgressIP if an ASG is set  
OCPBUGS-5404 - [4.11] provisioning on ilo4-virtualmedia BMC driver fails with error: "Creating vfat image failed: Unexpected error while running command"  
OCPBUGS-5418 - Dev Sandbox clusters uses clusterType OSD and there is no way to enforce DEVSANDBOX  
OCPBUGS-5450 - events.events.k8s.io is forbidden: User "system:serviceaccount:openshift-kube-descheduler-operator:openshift-descheduler-operand" cannot create resource "events" in API group "events.k8s.io" in the namespace "e2e-test-default-b6y9atnu-jxz6p"

6. References:

https://access.redhat.com/security/cve/CVE-2022-32189  
https://access.redhat.com/security/cve/CVE-2023-0296  
https://access.redhat.com/security/updates/classification/#low

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY8lxFNzjgjWX9erEAQiQrQ//cp/jXovEN1RtpHOw/jW4usDnDCZGhb8X  
QWN9P9uRy1gdYnVAb0p1A7v4mU6EHRpbX/2mdS/fv09mZO5ZIO1qxurMfzW/vGkS  
CariMuZWzFaH308c3ffVK1iUJaurOiMuNcWTmP+2JCnbQFjGnByOIP03MC7HPvfI  
M1Vs7Smtt5occLpv4Yp1/szia0XCQ85PmyVdCnnRiYaRvQi9E7WRREoov/7GZ0ht  
Qt/CjX8jBL4bGu9p4mHe8J4j2khDWYlg0XdkpxPRjCd6eivvH5MNjAFlvj5Kx2KI  
EHENtxffRIPWynZSCG8f1VF9SNk+bw4dJHESx9ej6hWUixL3ftQV9+qfmPH2erx5  
nYsQri4MvLWdYKGZf6LS4GIsuGasObLm5MThtvt0IEDOD8tp9gDKfCleBWYtyh5m  
XSe2EM8u+GAPXuMmocxBsCTVK/7fmbVeFXysRfSVcf9DnA1Ty0VcqcT3MF+DHSjE  
W5zpXWRJBRnW0iow/K9iVgpLQLe8xLqvDdj2loXgJI+r8yl3PjWzRqjkJXIhekvn  
SL+U9JYHD6Zu4RyH0/Eu/9WKDSU3WPLK4f/5smeWMqO+/kOmXd6u2YNnW8OnKxcv  
LKVpdBRoI5qkE0Wmj0iwDEonXu+fM0JRM1SjFlmA8gySBxwzAfnBYaLCGS2mRi9B  
1ekB3eHLkZ8=  
=MvIu  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0069-01

Red Hat Security Advisory 2023-0264-01 - An update for Logging Subsystem (5.6.0) is now available for Red Hat OpenShift Container Platform. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift (Logging Subsystem) security update  
Advisory ID:       RHSA-2023:0264-01  
Product:           Logging Subsystem for Red Hat OpenShift  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0264  
Issue date:        2023-01-19  
CVE Names:         CVE-2020-36518 CVE-2022-2879 CVE-2022-2880   
                   CVE-2022-27664 CVE-2022-32190 CVE-2022-37601   
                   CVE-2022-41715 CVE-2022-42003 CVE-2022-42004   
=====================================================================

1. Summary:

An update for Logging Subsystem (5.6.0) is now available for Red Hat  
OpenShift Container Platform.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.6.0 - Red Hat OpenShift

* logging-view-plugin-container: loader-utils: prototype pollution in  
function parseQuery in parseQuery.js (CVE-2022-37601)  
* logging-elasticsearch6-container: jackson-databind: denial of service via  
a large depth of nested objects (CVE-2020-36518)  
* logging-loki-container: various flaws (CVE-2022-2879 CVE-2022-2880  
CVE-2022-41715)  
* logging-loki-container: golang: net/http: handle server errors after  
sending GOAWAY (CVE-2022-27664)  
* golang: net/url: JoinPath does not strip relative path components in all  
circumstances (CVE-2022-32190)  
* org.elasticsearch-elasticsearch: jackson-databind: deep wrapper array  
nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)  
* org.elasticsearch-elasticsearch: jackson-databind: use of deeply nested  
arrays (CVE-2022-42004)

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects  
2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances  
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY  
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers  
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters  
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps  
2134876 - CVE-2022-37601 loader-utils: prototype pollution in function parseQuery in parseQuery.js  
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-2217 - [Vector] Loss of logs when using Vector as collector.   
LOG-2620 - containers violate PodSecurity -- Core  
LOG-2819 - the `.level` field they are getting the "ERROR" but in `.structure.level` field they are getting "INFO"  
LOG-2822 - Evaluating rule failure in LokiRuler pods for Alerting and recording rules  
LOG-2843 - tls.key and tls.cert not in fluentd real configuration when forwarding logs using syslog tls  
LOG-2919 - CLO is constantly failing to create already existing logging objects (HTTP 409)  
LOG-2962 - Add the `version` file to Must-Gather archive  
LOG-2993 - consoleexternalloglinks.console.openshift.io/kibana should be removed once Kibana is deleted  
LOG-3072 - Non-admin user with 'view' role can't see any logs in 'Logs' view  
LOG-3090 - Custom outputs defined in ClusterLogForwarder overwritten when using LokiStack as default log storage  
LOG-3129 - Kibana Authentication Exception cookie issue  
LOG-3157 - Resources associated with collector / fluentd keep on getting recreated  
LOG-3161 - the content of secret elasticsearch-metrics-token is recreated continually  
LOG-3168 - Ruler pod throwing 'failed loading deletes for user' error after alerting/recording rules are created  
LOG-3169 - Unable to install Loki operator from upstream repo on OCP 4.12  
LOG-3180 - fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs  
LOG-3186 - [Loki] unable to determine tls profile settings when creating a LokiStack instance with custom global tlsSecurityProfile config  
LOG-3194 - Collector pod violates PodSecurity "restricted:v1.24" when using lokistack as the default log store in OCP 4.12.  
LOG-3195 - [Vector] logs parsed into structured when json is set without structured types.  
LOG-3208 - must-gather is empty for logging with CLO image  
LOG-3224 - Can't forward logs to non-clusterlogging managed ES using vector.  
LOG-3235 - cluster-logging.5.5.3 failing to deploy on ROSA  
LOG-3286 - LokiStack doesn't reconcile to use the changed tlsSecurityProfile set in the global config.  
LOG-3292 - Loki Controller manager in CrashLoop due to failure to list *v1.Proxy  
LOG-3296 - Cannot use default Replication Factor for shirt size  
LOG-3309 - Can't choose correct CA ConfigMap Key when creating lokistack in Console  
LOG-3324 - [vector] the key_pass should be text in vector.toml when forward log to splunk  
LOG-3331 - [release-5.6] Reconcile error on controller when creating LokiStack with tls config  
LOG-3446 - [must-gather] oc adm must-gather execution hangs indefinitely when collecting information for Cluster Logging.

6. References:

https://access.redhat.com/security/cve/CVE-2020-36518  
https://access.redhat.com/security/cve/CVE-2022-2879  
https://access.redhat.com/security/cve/CVE-2022-2880  
https://access.redhat.com/security/cve/CVE-2022-27664  
https://access.redhat.com/security/cve/CVE-2022-32190  
https://access.redhat.com/security/cve/CVE-2022-37601  
https://access.redhat.com/security/cve/CVE-2022-41715  
https://access.redhat.com/security/cve/CVE-2022-42003  
https://access.redhat.com/security/cve/CVE-2022-42004  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY8lxEdzjgjWX9erEAQhoGg/+OiJ2IFsII+q6Wfgq/ydTYUEsXtJ/Nn8V  
GZrM9nVfOSa4HIwWytNHtPyuKqEUy2sZ8WIlXXZNfB/0Nxavpj/F0Dv0TESn4DT9  
Og+Dhb/ix4vFsWWy15E8yUNJQREpJb55Ita1tqTfVMZryZ8jbp2FPuUSzt3RSmnM  
ymNnacKEsDUBrEP3PPRCoXmRSZf8XgLAD4NyJCXmebdEjhT21C/m0jpnElHoCs2i  
jlzzW7UhWc7ENVly5RoEKPP4rvSOX+0Hay4mQNYOLaNkBkaBz4bod+feI8ros2iy  
UZ5ln4kBhNJ6XSqOValOU9+OkTGbEmRqymUW/x2GLucwD6ATsRjoM6YdE8aZuavW  
h3fMIREQ+VM693fKahVwQjc3dnK5dtICi0kaPKTaSbhnwa2iXQTu/6JXssSwZWEj  
hBpmQpda58v6nBb3ykaEd1JshXIzueuNUG1gH1xsAhoKb/KAPZpl9rMQrJejHBKl  
wYS8MlO2aDIJ8zjLKqrVXndgJJEy6KHJLCeGhaWV6W8YAvcYv3zQbjSTwTMeftbu  
eIMMqnhhfxj56qgaYqmVU4sL3pnApS8ZfBRuz6tYh02w5/1OE7ad47mSSrsl36cH  
45oRaogk2F0sbbr/u3f74ffKXPUfdtTQGrrisodOxxnJQPKTThB8/y9Zr2UF2LPR  
UWAAu0JN5A0=  
=O7hQ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0264-01

Multiple misconfigurations in a service that underpins many Azure features could have allowed an attacker to remotely compromise a cloud user's system.

An attack chain exploiting misconfigurations and weak security controls in a common Azure service is highlighting how lack of visibility impacts the security of cloud platforms.

The "EmojiDeploy" attack chain could allow a threat actor to run arbitrary code with the permission of the Web server, steal or delete sensitive data, and compromise a targeted application, Ermetic stated in its Jan. 19 advisory. An attacker could use a trio of security issues affecting the common Source Code Management (SCM) service — a cloud service used by many Azure applications without an explicit indication to the user, according to Ermetic.

The issues demonstrate that the security of cloud platforms are undermined by the lack of visibility into what those platforms do under the hood, says Igal Gofman, head of research for Ermetic.

"Azure and cloud service consumers — enterprises — must be familiar with each service and its internals, and not trust \[that the\] default settings provided by cloud providers are always secure," he says. "Even though cloud providers spend millions of dollars on securing their cloud infrastructure, misconfigurations and security bugs will happen."

The EmojiDeploy research joins other attack chains recently discovered by security researchers that could have resulted in data breaches on cloud platforms or otherwise compromised cloud services. In October 2022, for example, researchers found two vulnerabilities in Atlassian's Jira Align, an agile project management application, that could have allowed threat groups to attack the Atlassian service. In January 2022, Amazon fixed two security issues in its Amazon Web Services (AWS) platform that could have allowed a user to take control of another customer's cloud infrastructure.

An attacker only needs to take an average of three steps — often starting, in 78% of cases, with a vulnerability — to compromise sensitive data on cloud services, one analysis found.

"Cloud systems are highly complex," Ermetic stated. "Understanding the complexity of the system and environment you are working in is crucial to defending it."

**Source Code Manager Exploit**

The attack found by Ermetic made use of the insecurity of a specific cookie configuration for the Source Code Manager (SCM). The Azure service set two controls — cross-site scripting (XSS) prevention and cross-site request forgery (XSRF) prevention — to a default of "Lax," according to Ermetic's advisory.

After further investigating the implications of those settings, Ermetic researchers found that those who use any of three common Azure services — Azure App Service, Azure Functions, and Azure Logic Apps — could be attacked through the vulnerability. The attack was made possible because these three major services all use the Source Code Management (SCM) panel to allow development and Web teams to manage their Azure application. Because SCM relies on the open source Kudu repository management project, which is a .NET framework similar to Git, a cross-site scripting vulnerability in the open source project also affects Azure SCM.

Unfortunately, the security setting is not obvious, Ermetic stated, adding that many Azure Web Services customers would not even know of the existence of the SCM panel.

A single vulnerability is not enough, however. The researchers paired the lax cookie security with a specially crafted URL that bypasses the cloud service's check that every component of the website came from the same origin. Combining the two components allows a full cross-origin attack, Ermetic stated in its advisory. A third weakness allowed specific actions or payloads to be incorporated into the attack as well.

**Shared Responsibility Means Configuration Transparency**

The attack chain underscores that cloud providers need to make their security controls more transparent and default to more secure configurations, says Ermetic's Gofman. While shared responsibility has long been the mantra of cloud security, cloud infrastructure services have not always offered easy access or integration to security controls.

"Awareness of default service settings and configurations is important since the cloud uses a shared responsibility model for security between the provider and the customer," he says. "Applying the principle of least privilege and being aware of the shared responsibility model is very important."

Emetic notified Microsoft of the attack chain in October, and the vendor issued a global fix for Azure by early December, according to the advisory.

"The impact of the vulnerability on the organization as a whole depends on the permissions of the applications managed identity," Ermetic stated in its advisory. "Effectively applying the principle of least privilege can significantly limit the blast radius."

Tag

#jira