Red Hat Security Advisory 2023-0758-01 - This release of Red Hat build of Quarkus 2.13.7 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Issues addressed include code execution, denial of service, deserialization, and information leakage vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Quarkus 2.13.7 release and security update  
Advisory ID:       RHSA-2023:0758-01  
Product:           Red Hat build of Quarkus  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0758  
Issue date:        2023-02-14  
CVE Names:         CVE-2022-1471 CVE-2022-41881 CVE-2022-41946   
                   CVE-2022-45047 CVE-2023-0044   
=====================================================================

1. Summary:

An update is now available for Red Hat build of Quarkus.

Red Hat Product Security has rated this update as having a security impact  
of  
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a  
detailed severity rating, is available for each vulnerability. For more  
information, see the CVE links in the References section.

2. Description:

This release of Red Hat build of Quarkus 2.13.7 includes security updates,  
bug  
fixes, and enhancements. For more information, see the release notes page  
listed in the References section.

Security Fix(es):

* CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code  
Execution [quarkus-2.13]

* CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS  
[quarkus-2.13]

* CVE-2022-45047 sshd-common: mina-sshd: Java unsafe deserialization  
vulnerability [quarkus-2.13]

* CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated  
which might lead to the Information Disclosure [quarkus-2.13]

* CVE-2022-41946 jdbc-postgresql: postgresql-jdbc:  
PreparedStatement.setText(int, InputStream) will create a temporary file if  
the InputStream is larger than 2k [quarkus-2.13]

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability  
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution  
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS  
2153399 - CVE-2022-41946 postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k  
2158081 - CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure

5. References:

https://access.redhat.com/security/cve/CVE-2022-1471  
https://access.redhat.com/security/cve/CVE-2022-41881  
https://access.redhat.com/security/cve/CVE-2022-41946  
https://access.redhat.com/security/cve/CVE-2022-45047  
https://access.redhat.com/security/cve/CVE-2023-0044  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=2.13.7  
https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/  
https://access.redhat.com/articles/4966181

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+vS5tzjgjWX9erEAQi0OQ/+Mgak6d18DR8wCQDeY7f0vj2o3dOhxsE0  
wgo5LZhoghb0R9pXnEKL5cYgJlXr0XiDDNxJPUzplK9+v3gLLdIr3TtNDge56/+p  
hdCjru2lHe5q8I2KBjVKZr2gNX+xIcavSNf9R2zD0LnG8CEslrSYS/6nBycWnp9A  
aWikyfve5zKCgoNrcBdaRM3LNnzCNAfEHe7pRuMjSjzY4E1FQUlO+FctDH0ICI/C  
0SGZdRos1gM1sPET7eZX9thButpUBSBBNLAgrtbtBHji4eiZtA5TPCDK+TP7SnVb  
QvKFXF10BZpG6f2rknahUcvnsqnFaQMj6a5wSYwoNqtbaJbnbW+FdM29OSjNYorN  
5wO2IUDiS3XfbuAeqCA1CF9G+XAmIBtest7ZDRRKqn4lZHz0+s0/qkbI+5tfQ9fm  
elYU8OBxDC2FCDjsjc3GbXm1skMHFXIZQIBXaN4E6FOjWJQXh++23yD0JoVMTB1h  
iPtPbWdlH5li99Myvkiz6V0u5ejbVCjNEQXNsl6Cf5b05h84qfxizfPqHS0Cyn6f  
idpzGqE7LxWBlSgbiImVLKHD1RnlAlrblspQizTZYK6z1BApExgzJX2d8fwbphTX  
/ZiPZqsVKyLobj8MRpFLpf0evRYhEcSdk0VbiLL+/yQ5oFfH2SYmy1N/kbGfTUcS  
OMvJd4+JZOY=  
=EubT  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0758-01

Red Hat Security Advisory 2023-0759-01 - PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Virtualization security and bug fix update  
Advisory ID:       RHSA-2023:0759-01  
Product:           Red Hat Virtualization  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0759  
Issue date:        2023-02-14  
CVE Names:         CVE-2022-41946   
=====================================================================

1. Summary:

An update for ovirt-ansible-collection, ovirt-engine, and postgresql-jdbc  
is now available for Red Hat Virtualization 4 Tools for Red Hat Enterprise  
Linux 8, Red Hat Virtualization 4 for Red Hat Enterprise Linux 8, and Red  
Hat Virtualization Engine 4.4.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4 - noarch  
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts - noarch  
Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8 - noarch

3. Description:

PostgreSQL is an advanced object-relational database management system. The  
postgresql-jdbc package includes the .jar files needed for Java programs to  
access a PostgreSQL database.

Security Fix(es):

* postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create  
a temporary file if the InputStream is larger than 2k (CVE-2022-41946)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* With this release, the upgrade function of the ovirt_host module waits  
long enough for the upgraded host to reach the desired state after upgrade.  
(BZ#2161703)

* Previously,the ovirt-enghine ansible-runner artifacts were only cleaned  
once, and the machine could run out of free disk space on the /var  
partition. In this release, the artifacts are cleaned periodically  
according to values defined in the  
AnsibleRunnerArtifactsCleanupCheckTimeInHours and  
AnsibleRunnerArtifactsLifetimeInDays engine-config options. (BZ#2151549)

* Code change for BZ2089299 introduced a regression, which didn't allow to  
set options in the engine-config which restricted the allowable values  
using the validValues field (for example ClientModeVncDefault or  
UserSessionTimeOutInterval).  
In this release, setting values for those fields works the same way as in  
RHV versions earlier than RHV 4.4 SP1 batch 3 (ovirt-engine-4.5.3).  
(BZ#2159768)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/2974891

If the postgresql service is running, it will be automatically restarted  
after installing this update.

5. Bugs fixed (https://bugzilla.redhat.com/):

2151549 - Artifacts of ansible-runner (executed from ovirt-engine) did not clean up as expected  
2153399 - CVE-2022-41946 postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k  
2159768 - Regression in ClientModeVncDefault  
2161703 - [RHEVM] Two nodes cluster upgrade failed, tries to put a node into maintenance while the updated is rebooting

6. Package List:

Red Hat Virtualization 4 Tools for Red Hat Enterprise Linux 8:

Source:  
ovirt-ansible-collection-2.4.2-1.el8ev.src.rpm

noarch:  
ovirt-ansible-collection-2.4.2-1.el8ev.noarch.rpm

Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts:

Source:  
ovirt-ansible-collection-2.4.2-1.el8ev.src.rpm

noarch:  
ovirt-ansible-collection-2.4.2-1.el8ev.noarch.rpm

RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4:

Source:  
ovirt-ansible-collection-2.4.2-1.el8ev.src.rpm  
ovirt-engine-4.5.3.7-1.el8ev.src.rpm  
postgresql-jdbc-42.2.14-2.el8ev.src.rpm

noarch:  
ovirt-ansible-collection-2.4.2-1.el8ev.noarch.rpm  
ovirt-engine-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-backend-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-dbscripts-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-health-check-bundler-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-restapi-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-base-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-cinderlib-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-imageio-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-ovirt-engine-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-ovirt-engine-common-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-vmconsole-proxy-helper-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-setup-plugin-websocket-proxy-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-tools-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-tools-backup-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-vmconsole-proxy-helper-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-webadmin-portal-4.5.3.7-1.el8ev.noarch.rpm  
ovirt-engine-websocket-proxy-4.5.3.7-1.el8ev.noarch.rpm  
postgresql-jdbc-42.2.14-2.el8ev.noarch.rpm  
postgresql-jdbc-javadoc-42.2.14-2.el8ev.noarch.rpm  
python3-ovirt-engine-lib-4.5.3.7-1.el8ev.noarch.rpm  
rhvm-4.5.3.7-1.el8ev.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-41946  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+vS49zjgjWX9erEAQhjjhAApzZIpZYF+1xWecL2Ui75tOcKQIzGw6ld  
F3izXJ3z275BSIxG4/cVHurn41iRBv8HtdEUsOJUop3mBCGudAKBWHK+fiL18RDK  
kPR+rpzMLuoh+qrEbDj0tY9BT7kHroPxLffZHwTBtjPUw0gxvkQ95kEOcA04KFbT  
xFNZ2JcvTmGS+sKx++ca1+ZmjcWBvpNGYum+KbaU8OnbOMy/tOArJa+yf43nZeCP  
SSqIpDOD8ssPUBrqt1i3CjHL/uG8PVTyzP3q7NgXpK3GLnBQSR2OPoi0X2yum3Cj  
reyQSyvjqTg7Cz5B84GUCyyIsxrMp3CxnNXR2sKKvtDFFYNyJhOeDe+BkynSiIw7  
JQtPlO6wIl6rkTo5Q7OSA+bBtBkCkGq/8N/CiaDRb23b+02kerbQ/oiMB0CcyNPw  
RFWLgD6BBEjCGXAY4Rb42S+Jnmz6WYiux4DHChIaqxfCOlYNL5pCjIXxI7xyMB6m  
I7e2i5JUdJRobByvcEZ7piWFvqhx4FV17zFRfE8CEg0+HrXO32xg3hyh1kyRxarv  
7s8Ll3eMpb/IxwVaSyA0CrA3f6Us4C5zdRYAFfUDGqgW8fXKtXR5iu/W4MYzvADm  
XiHW0rOsBj3RQuit4bYrF4k3rQjQlD4MT5cKP4CmZ2wB04j5hVdmQVsqbb9Ayr87  
2D/UH7xkQuw=  
=BAYA  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0759-01

BMC Control M versions prior to 9.0.20.214 suffer from SQL injection, denial of service, and information leaks.

BMC Control M SQL Injection / Denial Of Service

Possible RCE and denial-of-service issue discovered in Kafka Connect

Charlie Osborne 15 February 2023 at 14:01 UTC  
Updated: 15 February 2023 at 16:14 UTC

Possible RCE and denial-of-service issue discovered in Kafka Connect

  

Apache has resolved a vulnerability potentially exploitable to launch remote code execution (RCE) attacks using Kafka Connect.

Announced on February 8, the critical vulnerability is tracked as CVE-2023-25194. It was discovered in Apache Kafka Connect, a free, open source component of Apache Kafka that operates as a central hub for data integration between systems, databases, and key-value stores.

Apache claims that more than 80% of Fortune 100 organizations use the Kafka platform, including approximately seven out of every 10 banks.

Read more of the latest web security vulnerability news

According to Apache’s mailing list note, the security flaw was discovered by bug bounty hunter Jari Jääskelä, who reported the issue via Aiven’s HackerOne bug bounty program.

The vulnerability can only be triggered when there is access to a Kafka Connect worker – a logical work unit component – and the user must also be able to create or modify worker connectors with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol.

**Log4Shell connection**

The vulnerability involves the Lightweight Directory Access Protocol (LDAP) and Java Naming and Directory Interface (JNDI) endpoints, as was the case with ‘Log4Shell’, the landmark vulnerability discovered in ubiquitous Java logging library Apache Log4j in 2021. JNDI is also involved in another, newly disclosed critical vulnerability in Apache Sling JCR Base.

With the Kafka bug, an authenticated attacker could configure a specific connector property via either the Aiven API or the Kafka Connect REST API, forcing a worker to connect to an attacker-controlled LDAP server.

“The server will connect to the attacker’s LDAP server and it deserializes the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka Connect server,” the advisory reads. “Attacker\[s\] can execute commands on the server and access other resources on the network.”

When each prerequisite exists, Apache says it would be possible to perform JNDI requests, potentially leading to the execution of remote code or denial-of-service attacks.

**Disclosure**

The report was first submitted to Aiven via the organization’s bug bounty program on April 4, 2022. Triage took place in May and Jääskelä was awarded a $5,000 reward for their efforts before the issue was fixed and publicly disclosed.

Apache Kafka versions 2.3.0-3.3.2 were impacted, and the vulnerability was fixed in version 3.4.0.

The organization notes that since Kafka 3.0.0, users have been able to specify the connector configuration properties used in the attack chain. A new property has been added that disables problematic login module usage in the SASL JAAS configuration in version 3.4.0, alongside additional security measures.

Apache said: “We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also, examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation.”

Jääskelä also submitted a second critical vulnerability report concerning Apache Kafka in the same month.

The Aiven JDBC sink, including the SQLite JDBC driver, could be abused with an unprotected Jolokia bridge to execute RCE on Kafka Connect servers. The bug bounty hunter was awarded $5,000 for this report, and the security issue has since been resolved.

The Daily Swig has reached out to the Apache project and we will update this story as and when we hear back.

YOU MAY ALSO LIKE OAuth ‘masterclass’ crowned top web hacking technique of 2022

Remote code execution flaw patched in Apache Kafka

Microsoft on Tuesday released security updates to address 75 flaws spanning its product portfolio, three of which have come under active exploitation in the wild.
The updates are in addition to 22 flaws the Windows maker patched in its Chromium-based Edge browser over the past month.
Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are

Patch Tuesday / Software Updates

Microsoft on Tuesday released security updates to address 75 flaws spanning its product portfolio, three of which have come under active exploitation in the wild.

The updates are in addition to 22 flaws the Windows maker patched in its Chromium-based Edge browser over the past month.

Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are classified as remote code execution (RCE) flaws. The three zero-days of note that have been exploited are as follows -

*   **CVE-2023-21715** (CVSS score: 7.3) - Microsoft Office Security Feature Bypass Vulnerability
*   **CVE-2023-21823** (CVSS score: 7.8) - Windows Graphics Component Elevation of Privilege Vulnerability
*   **CVE-2023-23376** (CVSS score: 7.8) - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability

"The attack itself is carried out locally by a user with authentication to the targeted system," Microsoft said in advisory for CVE-2023-21715.

"An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer."

Successful exploitation of the above flaws could enable an adversary to bypass Office macro policies used to block untrusted or malicious files or gain SYSTEM privileges.

CVE-2023-23376 is also the third actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 and CVE-2022-37969 (CVSS scores: 7.8), which were addressed by Microsoft in April and September 2022.

"The Windows Common Log File System Driver is a component of the Windows operating system that manages and maintains a high-performance, transaction-based log file system," Immersive Labs' Nikolas Cemerikic said.

"It is an essential component of the Windows operating system, and any vulnerabilities in this driver could have significant implications for the security and reliability of the system."

It's worth noting that Microsoft OneNote for Android is vulnerable to CVE-2023-21823, and with the note-taking service increasingly emerging as a conduit for delivering malware, it's crucial that users apply the fixes.

Also addressed by Microsoft are multiple RCE defects in Exchange Server, ODBC Driver, PostScript Printer Driver, and SQL Server as well as denial-of-service (DoS) issues impacting Windows iSCSI Service and Windows Secure Channel.

Three of the Exchange Server flaws are classified by the company as "Exploitation More Likely," although successful exploitation requires the attacker to be already authenticated.

Exchange servers have proven to be high-value targets in recent years as they can enable unauthorized access to sensitive information, or facilitate Business Email Compromise (BEC) attacks.

**Software Patches from Other Vendors**

Besides Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apple
*   Atlassian
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   Drupal
*   F5
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Intel
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Palo Alto Networks
*   Qualcomm
*   Samba
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   Sophos
*   Synology
*   Trend Micro
*   VMware
*   Zoho, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Update Now: Microsoft Releases Patches for 3 Actively Exploited Windows Vulnerabilities

Microsoft SQL Server Integration Service (VS extension) Remote Code Execution Vulnerability

CVE-2023-21568

Microsoft SQL Server Remote Code Execution Vulnerability

CVE-2023-21528

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-21704

CVE-2023-21705

Microsoft SQL ODBC Driver Remote Code Execution Vulnerability

Tag

#sql