By Uzair Amir
With the massive adoption of Microsoft 365, encountering complex environments involving multiple tenants is becoming increasingly common.
This is a post from HackRead.com Read the original post: Cross Tenant Microsoft 365 Migration

What is a Cross Tenant migration, and why and when do you need it? Cross-tenant migration refers to the process of moving data, applications, and services from one Microsoft 365 tenant (or organization) to another. Whether due to mergers, acquisitions, restructuring, or strategic decisions, businesses often find themselves in situations where they need to consolidate or reorganize their tenant structures.

****The different actors****

When it comes to tenant-to-tenant migration within Microsoft 365, several key actors play crucial roles in ensuring a successful transition. Let’s explore them:

**Microsoft Consulting Services (MCS)**: Organizations often collaborate with MCS to plan and execute tenant migrations. Their expertise ensures a smooth transition, addressing complexities and minimizing disruptions1.

**Microsoft Partners**: These skilled professionals specialize in tenant migrations. They work closely with organizations, offering tailored solutions and leveraging third-party tools for content migration1.

**IT Administrators**: Within the organization, IT administrators take charge of technical aspects. They oversee user accounts, data integrity, and configuration adjustments during the migration process.

**Identity Architects**: These architects design the identity framework for the new tenant. They handle user authentication, access permissions, and identity synchronization across tenants.

**Data Migration Specialists**: These experts focus on moving data—emails, files, SharePoint sites—from the source to the target tenant. They ensure data fidelity and minimal downtime.

**Change Management Teams**: Communication is key. Change management teams inform stakeholders about the migration, manage expectations, and guide users through the transition.

**The different solutions**: When it comes to cross-tenant Microsoft 365 migrations, several vendors and solutions can assist you in smoothly transitioning your users’ data. Here are some options:

**Microsoft 365 Native Tools:** Microsoft provides native tools and interfaces for cross-tenant mailbox and OneDrive migrations. 

**Third-Party Migration Solutions:** Several third-party vendors offer specialized migration tools for Microsoft 365 cross-tenant scenarios. These solutions provide additional features, flexibility, and support. 

Some popular vendors include:

****Cloudiway:****

Cloudiway specializes in cloud migration services, including Microsoft 365. Their platform is one of the most complete solutions and supports **Microsoft cross-tenant migrations** for mailboxes, OneDrive, Microsoft Teams, SharePoint, Intune and devices. Cloudiway emphasizes ease of use and efficient migration processes.

****AvePoint:****

**AvePoint** offers migration solutions for Microsoft 365, including cross-tenant scenarios. Their tools provide features like Mailbox, OneDrive, Microsoft Teams and SharePoint migrations. AvePoint’s solutions are known for their reliability and comprehensive support.

****BitTitan:** **

**BitTitan** is known for its MigrationWiz tool, which supports cross-tenant migrations for mailboxes, OneDrive, and Microsoft Teams.

****Quest:** **

Offers solutions like **Quest** On Demand Migration and Quest On Demand Migration for Email.

****SkyKick:** **

**SkyKick** provides automated migration tools for Microsoft 365, including cross-tenant scenarios.

****ShareGate:** **

Known for its **ShareGate Desktop** and ShareGate Migrate tools, which support SharePoint, Teams and OneDrive migrations. They have recently integrated mailbox migration.

****CodeTwo:****

**CodeTwo** offers migration solutions for Microsoft 365, including cross-tenant mailbox migrations.

****Table of comparison:****

**AvePoint**

**Cloudiway**

**Microsoft**

**BitTitan**

**Quest**

**Skykick**

**Avepoint**

**ShareGate**

**CodeTwo**

SAAS

Yes

Yes

Yes

Yes

Yes

Yes

No

No

MailsMaturity

Yes \* 2012

Yes 2022

Yes  \*2010

Yes 2012

Yes 2010

Yes 2021

Yes Beta

Yes 2012

Drives

Yes \*

Yes

Yes\*

Yes

No

Yes

Yes

No

Maturity

2012

2022

2015

2015

**AvePoint**

2020

SharePoint

Yes

Partial SPMT (On-premises)

No (librairies seulement)

Yes \*

No

Yes \*

Yes\*

No

Microsoft Teams

Yes\*2018 

No

Yes2020

Yes

No

Yes\*2018

Yes2021-22

No

Teams Private messages

Yes

No

No

No

No

No

No

No

Slack

Yes\*

No

No

No

No

Yes

No

No

Slack Direct Messages

Yes

No

No

No

No

No

No

No

Google Chat

Yes

No

No

No

No

No

No

No

Laptops

Yes

No

No

Yes

No

No

No

No

Intune

Yes

No

No

No

No

No

No

No

FreeBusy & Galsync

Yes

No

No

No

No

No

No

No

**\*** **leader**

****Conclusion:****

In the ever-evolving landscape of cloud collaboration, **cross-tenant migrations** have become a critical undertaking for organizations. Whether due to mergers, acquisitions, or strategic realignments, the need to seamlessly transition data between Microsoft 365 tenants is more prevalent than ever.

**Vendor Selection Matters:** Choosing the right migration solution is paramount. Evaluate vendors based on factors such as scope of migration, reliability, scalability, support, and ease of use. Consider both native Microsoft tools and third-party offerings.

**Preparation Is Key:** Properly prepare your source and target tenants. Establish trust relationships, configure identity mapping, and ensure that users are set up correctly in the destination tenant.

**Data Integrity and Security:** During migration, prioritize data integrity and security. Test thoroughly, monitor progress, and address any issues promptly.

**Communication and Change Management:** Keep stakeholders informed throughout the process. Effective communication minimizes disruption and ensures a smooth transition for end-users.

**Post-Migration Validation:** Validate data integrity, permissions, and functionality post-migration. Address any discrepancies promptly.

Remember, cross-tenant migrations are not just about moving data; they impact user productivity, collaboration, and overall business continuity. By following best practices and leveraging the right tools, organizations can navigate this complex journey successfully.

1.  Advantages of a Cloud VPS Server
2.  4 Benefits of Cloud VPN to your Business
3.  How To Safeguard Your Data With Cloud MRP System
4.  Managed Cloud Hosting vs. Unmanaged Cloud Hosting
5.  Insights on Google Cloud Backup, Disaster Recovery Service

Cross Tenant Microsoft 365 Migration

Privacy and security are an Apple selling point. But the DOJ’s new antitrust lawsuit argues that Apple selectively embraces privacy and security features in ways that hurt competition—and users.

For well over a decade, Apple has been praised by privacy advocates for its decision in 2011 to end-to-end encrypt iMessage, securing users' communications on the default texting app for all its devices so thoroughly that even Apple itself can't read their messages. This was years before WhatsApp switched on end-to-end encryption in 2016, and before Signal—now widely considered the most private end-to-end encrypted messaging platform—even existed, Apple quietly led the way with that security feature, baking it into a core piece of the Apple ecosystem.

So it's ironic that the US Department of Justice has now hit Apple with a landmark antitrust lawsuit, alleging that it has sought for years to monopolize the smartphone market and gravely harmed consumers in the process, iMessage's end-to-end encryption has become Exhibit A for an argument about Apple's privacy hypocrisy—that Apple's allegedly anticompetitive practices have denied users not only better prices, features, and innovation, but also better digital security.

In its sweeping antitrust lawsuit, the DOJ on Thursday laid out a broad set of allegations against Apple, accusing it of monopolistic practices in how it uses its walled-garden operating systems and app stores to deprive consumers of apps and services that might make it easier for them to wean themselves from their Apple addictions—keeping out of the App Store so-called super apps with cross-platform, broad functionality; limiting streaming and cloud-based applications; and handicapping the functionality of competitors' devices like smartwatches.

The DOJ's complaint also homes in on Apple's approach to security and privacy, arguing that it uses those principles as an excuse for its anticompetitive practices, yet jettisons them whenever they might hurt the bottom line. “In the end, Apple deploys privacy and security justifications as an elastic shield that can stretch or contract to serve Apple’s financial and business interests,” the complaint reads.

“I definitely think that Apple has strategically used privacy and security in ways that benefit its business,” says Caitlin Chin-Rothmann, a research fellow at the Center for Strategic & International Studies (CSIS) who focuses on technology policy. “Apple has taken some steps to improve end-to-end encryption in iMessage, for example, but it hasn’t extended that to iPhone users that text Android users or iPhone users that don’t use iMessage.”

In its privacy and security arguments, the DOJ faults Apple for decisions like its deal with Google to make Google's search engine the default on Apple products, rather than a more privacy-preserving alternative, or allowing data-harvesting apps into its App Store. But it repeatedly returns to iMessage as perhaps the clearest example of how Apple's anticompetitive practices directly harm users security. The DOJ argues that by refusing to allow users of other smartphone platforms like Android to use its end-to-end encryption iMessage protocol, it has significantly reduced the overall security of messaging worldwide, both for those Android users and for the Apple users who communicate with them.

“Text messages sent from iPhones to Android phones are unencrypted as a result of Apple’s conduct,” the complaint reads. “If Apple wanted to, Apple could allow iPhone users to send encrypted messages to Android users while still using iMessage on their iPhone, which would instantly improve the privacy and security of iPhone and other smartphone users.”

The argument is one that some Apple critics have made for years, as spelled out in an essay in January by Cory Doctorow, the science fiction writer, tech critic, and coauthor of _Chokepoint Capitalism_. “The instant an Android user is added to a chat or group chat, the entire conversation flips to SMS, an insecure, trivially hacked privacy nightmare that debuted 38 years ago—the year _Wayne's World_ had its first cinematic run,” Doctorow writes. “Apple's answer to this is grimly hilarious. The company's position is that if you want to have real security in your communications, you should buy your friends iPhones.”

In a statement to WIRED, Apple says it designs its products to “work seamlessly together, protect people’s privacy and security, and create a magical experience for our users,” and it adds that the DOJ lawsuit “threatens who we are and the principles that set Apple products apart” in the marketplace. The company also says it hasn't released an Android version of iMessage because it couldn't ensure that third parties would implement it in ways that met the company's standards.

“If successful, \[the lawsuit\] would hinder our ability to create the kind of technology people expect from Apple—where hardware, software, and services intersect,” the statement continues. “It would also set a dangerous precedent, empowering government to take a heavy hand in designing people’s technology. We believe this lawsuit is wrong on the facts and the law, and we will vigorously defend against it.”

Apple has, in fact, not only declined to build iMessage clients for Android or other non-Apple devices, but actively fought against those who have. Last year, a service called Beeper launched with the promise of bringing iMessage to Android users. Apple responded by tweaking its iMessage service to break Beeper's functionality, and the startup called it quits in December.

Apple argued in that case that Beeper had harmed users' security—in fact, it did compromise iMessage's end-to-end encryption by decrypting and then re-encrypting messages on a Beeper server, though Beeper had vowed to change that in future updates. Beeper cofounder Eric Migicovsky argued that Apple's heavyhanded move to reduce Apple-to-Android texts to traditional text messaging was hardly a more secure alternative.

“It’s kind of crazy that we’re now in 2024 and there still isn't an easy, encrypted, high-quality way for something as simple as a text between an iPhone and an Android,” Migicovsky told WIRED in January. “I think Apple reacted in a really awkward, weird way—arguing that Beeper Mini threatened the security and privacy of iMessage users, when in reality, the truth is the exact opposite.”

Even as Apple has faced accusations of hoarding iMessage's security properties to the detriment of smartphone owners worldwide, it's only continued to improve those features: In February it upgraded iMessage to use new cryptographic algorithms designed to be immune to quantum codebreaking, and last October it added Contact Key Verification, a feature designed to prevent man-in-the-middle attacks that spoof intended contacts to intercept messages. Perhaps more importantly, it's said it will adopt the RCS standard to allow for improvements in messaging with Android users—although the company did not say whether those improvements would include end-to-end encryption.

Even as it makes those advances in iMessage's security and privacy, Apple has rarely touted them in its public-facing marketing, points out Nadim Kobeissi, a cryptographer focused on secure messaging and the director of the cryptography consultancy Symbolic Software, and has actively contributed to public, nonproprietary security products. He argues that this deflates any argument the DOJ might make that Apple has intentionally hoarded security features as a competitive advantage.

Instead, Kobeissi says that the security gap is a byproduct of Apple's attempt to preserve the exclusivity of more visibly integrated and fun social features—reactions, FaceTime, coveted blue bubbles—while also conscientiously maintaining the product's security. “It’s not a security question, it's a societal question about the openness of communication platforms,” Kobeissi says. He points out that people who are aware of iMessage's security advantages are also aware of other end-to-end encrypted messaging options like WhatsApp and Signal.

Apple critics like Doctorow and Migicovsky both point out, however, that iMessage is deeply integrated in Apple devices as their default messaging app, and thus will always be used on those devices far more often than Signal or WhatsApp. “Defaults matter,” Doctorow says, pointing out that Google pays Apple a fortune for the right to make Google the default search engine on its devices. “Apple makes \[nearly\] $20 billion a year off the proposition that a click away is a click too far.”

Even if Apple's security features are good for its customers, “Apple’s size does matter” because it gives the company power over the broader market in ways that smaller technology companies cannot, regardless of whether they market their security and privacy features to beat out the competition, says CSIS's Chin-Rothmann. The question, ultimately, is whether people should be relying on technology giants like Apple to set the standards for privacy and security at all. She points out that comprehensive data privacy legislation that ensures minimum security requirements for software might well be a better approach than depending entirely on the private sector to decide who gets privacy—and who is denied it.

“If Congress or the US government really wants to increase privacy and security," Chin-Rothmann says, “we really should take these decisions out of the hands of massive technology companies like Apple.”

Apple's iMessage Encryption Puts Its Security Practices in the DOJ's Crosshairs

Ivanti has issued patches for two new vulnerabilities with a high CVSS score. Neither is known to have been explioted in the wild. Yet.

Ivanti has issued patches for two vulnerabilities. One was discovered in the Ivanti Standalone Sentry, which impacts all supported versions 9.17.0, 9.18.0, and 9.19.0. Older versions are also at risk. The other vulnerability impacts all supported versions of Ivanti Neurons for ITSM—2023.3, 2023.2 and 2023.1, as well as unsupported versions which will need an upgrade before patching.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

CVE-2023-41724 (CVSS score 9.6 out of 10), which allows an unauthenticated threat actor to execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network.

This vulnerability was reported to Ivanti by the NATO Cyber Security Centre. Ivanti says it’s not aware of any customers being exploited by this vulnerability at the time of disclosure. The attack option is limited because an attacker without a valid Transport Layer Security (TLS) client certificate enrolled through Ivanti Endpoint Manager Mobile (EPMM) cannot directly exploit this issue on the internet.

Ivanti says its customers can access the patch (9.17.1, 9.18.1 and 9.19.1) via the standard download portal.

CVE-2023-46808 (CVSS score 9.9 out of 10) which allows an authenticated remote user to perform file writes to ITSM server. Successful exploitation can be used to write files to sensitive directories which may allow attackers to execute commands in the context of a web application’s user.

The patch has been applied to all Ivanti Neurons for ITSM Cloud landscapes. On-premise customers are advised to act immediately to ensure they are fully protected. Ivanti says it is not aware of any customers being exploited by this vulnerability prior to public disclosure.

The patch is available on the Ivanti Neurons for ITSM downloads page for each respective 2023.X version. This will require upgrading to 2023.X to apply the patch.

The vulnerabilities have a 2023 CVE because of a reservation made towards the end of 2023, when they were first found and reported. It is Ivanti’s policy that when a CVE is not under active exploitation to disclose the vulnerability when a fix is available, so that customers have the tools they need to protect their environment.

Get patching!

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Patch Ivanti Standalone Sentry and Ivanti Neurons for ITSM now 

Red Hat Security Advisory 2024-1462-03 - An update for golang is now available for Red Hat Enterprise Linux 9. Issues addressed include a memory leak vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1462.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: golang security updateAdvisory ID:        RHSA-2024:1462-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1462Issue date:         2024-03-21Revision:           03CVE Names:          CVE-2024-1394====================================================================Summary: An update for golang is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The golang packages provide the Go programming language compiler.Security Fix(es): * golang: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads (CVE-2024-1394)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1394References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-1462-03

Using crafted public RSA keys which are not compliant with SP 800-56B can cause a small memory leak when encrypting and verifying payloads.

An attacker can leverage this flaw to gradually erode available memory to the point where the host crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-1394

**Memory leaks in code encrypting and verifying RSA payloads**

**Package**

gomod github.com/golang-fips/go (Go)

**Affected versions**

<= 1.22.1

gomod github.com/golang-fips/openssl/openssl (Go)

gomod github.com/golang-fips/openssl/v2 (Go)

gomod github.com/microsoft/go-crypto-openssl (Go)

Using crafted public RSA keys which are not compliant with SP 800-56B can cause a small memory leak when encrypting and verifying payloads.

An attacker can leverage this flaw to gradually erode available memory to the point where the host crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.

**References**

*   GHSA-78hx-gp6g-7mj6
*   golang-fips/openssl@85d31d0

Published to the GitHub Advisory Database

Mar 20, 2024

GHSA-78hx-gp6g-7mj6: Memory leaks in code encrypting and verifying RSA payloads

GnuTLS is a secure communications library implementing the SSL and TLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols, as well as APIs to parse and write X.509, PKCS #12, OpenPGP, and other required structures. It is intended to be portable and efficient with a focus on security and interoperability.

GNU Transport Layer Security Library 3.8.4

Red Hat Security Advisory 2024-1411-03 - An update for opencryptoki is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1411.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: opencryptoki security updateAdvisory ID:        RHSA-2024:1411-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1411Issue date:         2024-03-19Revision:           03CVE Names:          CVE-2024-0914====================================================================Summary: An update for opencryptoki is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The opencryptoki packages contain version 2.11 of the PKCS#11 API, implemented for IBM Cryptocards, such as IBM 4764 and 4765 crypto cards. These packages includes support for the IBM 4758 Cryptographic CoProcessor (with the PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist for Cryptographic Function (FC 3863 on IBM System z). The opencryptoki packages also bring a software token implementation that can be used without any cryptographic hardware. These packages contain the Slot Daemon (pkcsslotd) and general utilities.Security Fix(es):* opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin) (CVE-2024-0914)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0914References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2260407

Red Hat Security Advisory 2024-1411-03

Red Hat Security Advisory 2024-1368-03 - An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1368.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: kpatch-patch security updateAdvisory ID:        RHSA-2024:1368-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1368Issue date:         2024-03-19Revision:           03CVE Names:          CVE-2023-4921====================================================================Summary: An update for kpatch-patch is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel.Security Fix(es):* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)* kernel: use-after-free in sch_qfq network scheduler (CVE-2023-4921)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-4921References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2245514https://bugzilla.redhat.com/show_bug.cgi?id=2253908

Red Hat Security Advisory 2024-1368-03

Red Hat Security Advisory 2024-1367-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include null pointer, out of bounds write, and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1367.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: kernel security and bug fix update  
Advisory ID:        RHSA-2024:1367-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1367  
Issue date:         2024-03-19  
Revision:           03  
CVE Names:          CVE-2022-3545  
====================================================================

Summary: 

An update for kernel is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* kernel: vmwgfx: NULL pointer dereference in vmw_cmd_dx_define_query (CVE-2022-38096)

* kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip (CVE-2022-41858)

* kernel: nfp: use-after-free in area_cache_get() (CVE-2022-3545)

* kernel: NULL pointer dereference in can_rcv_filter (CVE-2023-2166)

* kernel: Slab-out-of-bound read in compare_netdev_and_ip (CVE-2023-2176)

* kernel: out-of-bounds write in qfq_change_class function (CVE-2023-31436)

* kernel: vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup() (CVE-2023-4459)

* kernel: net/sched: sch_qfq component can be exploited if in qfq_change_agg function happens qfq_enqueue overhead (CVE-2023-3611)

* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (CVE-2024-0646)

* kernel: inactive elements in nft_pipapo_walk (CVE-2023-6817)

* kernel: refcount leak in ctnetlink_create_conntrack() (CVE-2023-7192)

Bug Fix(es):

* kernel: out-of-bounds write in qfq_change_class function (JIRA:RHEL-12696)

* kernel: vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup() (JIRA:RHEL-18194)

* kernel: refcount leak in ctnetlink_create_conntrack() (JIRA:RHEL-20296)

* kernel: inactive elements in nft_pipapo_walk (JIRA:RHEL-20695)

* kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination (JIRA:RHEL-22088)

* kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip (JIRA:RHEL-18580)

* ipoib mcast lockup fix (JIRA:RHEL-19696)

* dm multipath device suspend deadlocks waiting on a flush request (JIRA:RHEL-19108)

* kernel: Slab-out-of-bound read in compare_netdev_and_ip (JIRA:RHEL-19325)

* kernel: A flaw leading to a use-after-free in area_cache_get() (JIRA:RHEL-19449)

* kernel: vmxgfx: NULL pointer dereference in vmw_cmd_dx_define_query (JIRA:RHEL-22763)

* RHEL 8.5: Backport upstream memory cgroup commits up to v5.12 (JIRA:RHEL-9162)

* kernel: NULL pointer dereference in can_rcv_filter (JIRA:RHEL-19459)

* ceph: several cap and snap fixes (JIRA:RHEL-20906)

* kernel NULL pointer at RIP: 0010:kyber_has_work+0x1c/0x60 (JIRA:RHEL-21782)

* rbd: don't move requests to the running list on errors [8.x] (JIRA:RHEL-24201)

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-3545

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2133452  
https://bugzilla.redhat.com/show_bug.cgi?id=2144379  
https://bugzilla.redhat.com/show_bug.cgi?id=2161310  
https://bugzilla.redhat.com/show_bug.cgi?id=2187813  
https://bugzilla.redhat.com/show_bug.cgi?id=2187931  
https://bugzilla.redhat.com/show_bug.cgi?id=2192671  
https://bugzilla.redhat.com/show_bug.cgi?id=2219268  
https://bugzilla.redhat.com/show_bug.cgi?id=2225191  
https://bugzilla.redhat.com/show_bug.cgi?id=2253908  
https://bugzilla.redhat.com/show_bug.cgi?id=2255139  
https://bugzilla.redhat.com/show_bug.cgi?id=2256279

Red Hat Security Advisory 2024-1367-03

Red Hat Security Advisory 2024-1325-03 - Red Hat JBoss Web Server 6.0.1 zip release is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server. Issues addressed include HTTP request smuggling, denial of service, and open redirection vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1325.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat JBoss Web Server 6.0.1 release and security updateAdvisory ID:        RHSA-2024:1325-03Product:            Red Hat JBoss Web ServerAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1325Issue date:         2024-03-18Revision:           03CVE Names:          CVE-2023-5678====================================================================Summary: Red Hat JBoss Web Server 6.0.1 zip release is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.This release of Red Hat JBoss Web Server 6.0.1 serves as a replacement for Red Hat JBoss Web Server 6.0.0. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes linked to in the References section.Security Fix(es):* openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow (CVE-2023-5678)* tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)* tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)* tomcat: : Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:CVEs:CVE-2023-5678References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=6.0https://bugzilla.redhat.com/show_bug.cgi?id=2235370https://bugzilla.redhat.com/show_bug.cgi?id=2248616https://bugzilla.redhat.com/show_bug.cgi?id=2252050https://bugzilla.redhat.com/show_bug.cgi?id=2269607

Tag

#ssl