AusCERT - Security Bulletins

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0637 VMware Workstation update addresses an arbitrary file deletion vulnerability (CVE-2023-20854) 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: VMware Workstation Publisher: VMWare Operating System: Windows Resolution: Patch/Upgrade CVE Names: CVE-2023-20854 Original Bulletin: https://www.vmware.com/security/advisories/VMSA-2023-0003.html Comment: CVSS (Max): 7.8 CVE-2023-20854 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSS Source: VMware Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- Advisory ID: VMSA-2023-0003 CVSSv3 Range: 7.8 Issue Date: 2023-02-02 Updated On: 2023-02-02 (Initial Advisory) CVE(s): CVE-2023-20854 Synopsis: VMware Workstation update addresses an arbitrary file deletion vulnerability (CVE-2023-20854) 1. Impacted Products o VMware Workstation 2. Introduction An arbitrary file deletion vulnerability in VMware Workstation was privately reported to VMware. Updates are available to remediate this vulnerability in the affected VMware product. 3. Arbitrary file deletion vulnerability (CVE-2023-20854) Description VMware Workstation contains an arbitrary file deletion vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. Known Attack Vectors A malicious actor with local user privileges on the victim's machine may exploit this vulnerability to delete arbitrary files from the file system of the machine on which Workstation is installed. Resolution To remediate CVE-2023-20854 update to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below. Workarounds None. Additional Documentation None. Notes None. Acknowledgements VMware would like to thank Frederik Reiter of cirosec GmbH for reporting this issue to us. Response Matrix Product Version Running CVE Identifier CVSSv3 Severity Fixed Workarounds Additional On Version Documentation VMware 17.x Windows CVE-2023-20854 7.8 important 17.0.1 None None Workstation 4. References Fixed Version(s) and Release Notes: VMware Workstation 17.0.1: Downloads and Documentation: https://customerconnect.vmware.com/en/downloads/info/slug/ desktop_end_user_computing/vmware_workstation_pro/17_0 https://docs.vmware.com/en/VMware-Workstation-Pro/17.0.1/rn/ vmware-workstation-1701-pro-release-notes/index.html Mitre CVE Dictionary Links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20854 FIRST CVSSv3 Calculator: CVE-2023-20854: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/ PR:L/UI:N/S:U/C:H/I:H/A:H 5. Change Log 2023-02-02 VMSA-2023-0003 Initial security advisory. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9yjO8kNZI30y1K9AQhfvg/8CDlkZ06xxwcuSen0H+xQc73wmWsEBjgh Tvwnio6xoWb7oM83/A1Ho2wZ4j/Oxf8FFQrcE9v6hm150uYpfsCPudRB6ij69DwE YuSzG6NnwZbUc0KrYkk3M0V8oLXLQyxOQHWV4RW1EpvGoaZyP1zum0dp0gDAGikC DES5PfGhPNGWaDWWpyAM/3HYfjkyOB+xyP6PBTAiUQJ7oefagbuxb36qx4t7Cz3j BmGGA6WK/hAvTZbD6+08tG/P/NY0JYBto9LlsBmZwAQTVC/i3uuvlxpjvsmiZ+xV 6MYRmCXyxzMWpanodnPWj83D/1teC0Rcmp6O6Kv9uZqrzg771M0XMYkizt+GAmNY 7yIe5BbYoqePlKdSEDiWo0P3hBGNMsKEZLOWAwBoALt+eSJJqxwIYrwe4W030Dnu 16GX89OezCntDh+C6YzA0rmEMrg1gw7yY+hMcXDkGiFJSoNAgR22wqniqexhNY+k D1zJOz/I0m4QRxdkrMAfcgZ3dwcFhAwGsRdQRn6pA2PJGpW2FymZDZUBauU8NvSG uE7//ub7q5jn/filYNMSxYw8k30JM05lDsWNcQlx84dlF1EBbZTM0BYbFud8ny5L X5Nxw3Yg2nVm6tjodgymulFZStbCtHwmDFvA9H0DdoPjVP/R+0QVJGcYRZUGyrJT OJpyY8XJUxU= =t19V -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0636 Security update for the Linux Kernel (Live Patch 29 for SLE 15 SP1) 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Linux Kernel Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-3424 Original Bulletin: https://www.suse.com/support/update/announcement/2023/suse-su-20230231-1 Comment: CVSS (Max): 7.0 CVE-2022-3424 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for the Linux Kernel (Live Patch 29 for SLE 15 SP1) ______________________________________________________________________________ Announcement ID: SUSE-SU-2023:0231-1 Rating: important References: #1204167 Cross-References: CVE-2022-3424 Affected Products: SUSE Linux Enterprise High Performance Computing 15-SP1 SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Server 15-SP1 SUSE Linux Enterprise Server for SAP Applications 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.12.14-197_108 fixes one issue. The following security issue was fixed: o CVE-2022-3424: Fixed use-after-free in gru_set_context_option(), gru_fault () and gru_handle_user_call_os() that could lead to kernel panic (bsc# 1204167). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2023-231=1 SUSE-SLE-Module-Live-Patching-15-SP1-2023-232=1 Package List: o SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_105-default-13-150100.2.2 kernel-livepatch-4_12_14-197_108-default-12-150100.2.2 References: o https://www.suse.com/security/cve/CVE-2022-3424.html o https://bugzilla.suse.com/1204167 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9x/nckNZI30y1K9AQhhXw//YZeiuyqFICi5hJgueofmYdWLZ4d//emX 2K4c23AttwZFURFRZ5YeXCxySwwPuMP2QtxxHYX7aUQAfY4Hw67SqHEyYJUtMYuM 0vmJ6ewp1CLcePFR52ogX73LqLuyTYSZePjTokWfJ+R2MpIh/Njq1N6IYCrdxO7k lrQnZbJq9G6KnLNIKgWA3hcPcdSn/ztG3+z3KeihKD8SRKdD2lp2+Fp9L4EyRshT bmtNKdbl8X3x8s9s+Cnwlc6Oq+ooHjm+uFCMEot9kV3E0yH6rG+jFd6eIsLz4VuJ szutJFedz0tSQ5FnX2Zc9Yv5cA5NOr7fwS31XQGYjqo/Is5637ymwW8HvAtvsymq RI49W2MUfW+r+rT61Dl4Z/6wkjHtV4j44qRUcJDUh/OJL1jpiCSNYoWwRr9YQCrc 990dbILRlYjGGrlzjMiPCG7p8CXPBHM5h7U/htAj9hdDJv042J4CUNnhNbT4pAwi h4egTDqiJG+f+sjOQ1iu+z8ZPasGWUkM+sYVr2UELQqKsTVy3BPsIaFrqIPvmn0x VhaYvkmLK4N4Cx4gNot/owM146oXxZKNoVdSupC1LzymzOqWwZ/i+NJcKBSIMj/X quV/zCYqN4w+d+eYn1UQFwPVKyJ3q6npp8zVjvmbjtepWFhYXsigsQF72zYnDZFK IGQlM89lAFc= =cxir -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0635 Security update for the Linux Kernel (Live Patch 29 for SLE 15 SP2) 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Linux Kernel Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-3424 CVE-2022-2602 Original Bulletin: https://www.suse.com/support/update/announcement/2023/suse-su-20230229-1 Comment: CVSS (Max): 7.8 CVE-2022-2602 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for the Linux Kernel (Live Patch 29 for SLE 15 SP2) ______________________________________________________________________________ Announcement ID: SUSE-SU-2023:0229-1 Rating: important References: #1204167 #1205186 Cross-References: CVE-2022-2602 CVE-2022-3424 Affected Products: SUSE Linux Enterprise High Performance Computing 15-SP2 SUSE Linux Enterprise Module for Live Patching 15-SP2 SUSE Linux Enterprise Server 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15-SP2 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for the Linux Kernel 5.3.18-150200_24_126 fixes several issues. The following security issues were fixed: o CVE-2022-3424: Fixed use-after-free in gru_set_context_option(), gru_fault () and gru_handle_user_call_os() that could lead to kernel panic (bsc# 1204167). o CVE-2022-2602: Fixed a local privilege escalation vulnerability involving Unix socket Garbage Collection and io_uring (bsc#1205186). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2023-228=1 SUSE-SLE-Module-Live-Patching-15-SP2-2023-229=1 SUSE-SLE-Module-Live-Patching-15-SP2-2023-230=1 Package List: o SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-150200_24_115-default-10-150200.2.1 kernel-livepatch-5_3_18-150200_24_115-default-debuginfo-10-150200.2.1 kernel-livepatch-5_3_18-150200_24_126-default-7-150200.2.1 kernel-livepatch-5_3_18-150200_24_126-default-debuginfo-7-150200.2.1 kernel-livepatch-5_3_18-150200_24_129-default-4-150200.2.1 kernel-livepatch-5_3_18-150200_24_129-default-debuginfo-4-150200.2.1 kernel-livepatch-SLE15-SP2_Update_27-debugsource-10-150200.2.1 kernel-livepatch-SLE15-SP2_Update_29-debugsource-7-150200.2.1 kernel-livepatch-SLE15-SP2_Update_30-debugsource-4-150200.2.1 References: o https://www.suse.com/security/cve/CVE-2022-2602.html o https://www.suse.com/security/cve/CVE-2022-3424.html o https://bugzilla.suse.com/1204167 o https://bugzilla.suse.com/1205186 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9x/lckNZI30y1K9AQi1zA//XD3jQBbkJPubeugUK1U0LLlUYdtDpAo1 r1in7Lpo46cqnu8FFGieioXP2Yc7BE6ERNGEXJ9iiu8bU0e7KmWsBO9K3k1lzpPk X67ex3Q+EVNVOyGG8cIOwdMP85fGg6fOdH2HH+tx5wWMmrYNRvWgdBubxFZpWDdE 19u8fJ71OOuIanrQeWLwZFWqsvxtQDikfwS1vCSncjO4LAaxEjzvKnF6ff5/iUhk zEfaiQHC7NXVgCWAT2yosbvL2YuYHEVWA9YI2GgOUUgjxs2SZhYpW58TpX6pAZTO COq6h4CVIWJRbvcwcI2Z/xfeG2quW3CSmYRk57eFgEdoHHml2ACIt8RcqGRiFR8D JCLab7YdTk4Kb/OSzt67eBH8+UWugfca1mhLgqh3nilmxCyagjjUZaLUAFEK6ogh jd6R8sdqL2DmAMmh6veLc2NrpSZctoounclV2Bt5nw6K9Rfuou62H2Q5wVozf1HB HUyumB9WTuvzbu5jqsnj+n73xTT0kJDD6zSLDFo6NXzfs75MhMm5waSmt9tJ3HYO WLcy/wov/GPQv05vriYtD+FPnWa7r4D1fpZZeCK2Fb5DxIga1VoKmYSL10J8WXst BeDWE70IxNXAVsmDfoHMrQOdX6sIOFBz3KKP7jeqHD5IX8qTqEvszPWQaIhgYwIl Fhzow2yhlqc= =Mnfd -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0634 Security update for the Linux Kernel (Live Patch 34 for SLE 15 SP1) 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Linux Kernel Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-3424 Original Bulletin: https://www.suse.com/support/update/announcement/2023/suse-su-20230227-1 Comment: CVSS (Max): 7.0 CVE-2022-3424 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for the Linux Kernel (Live Patch 34 for SLE 15 SP1) ______________________________________________________________________________ Announcement ID: SUSE-SU-2023:0227-1 Rating: important References: #1204167 Cross-References: CVE-2022-3424 Affected Products: SUSE Linux Enterprise High Performance Computing 15-SP1 SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Server 15-SP1 SUSE Linux Enterprise Server for SAP Applications 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for the Linux Kernel 4.12.14-150100_197_123 fixes one issue. The following security issue was fixed: o CVE-2022-3424: Fixed use-after-free in gru_set_context_option(), gru_fault () and gru_handle_user_call_os() that could lead to kernel panic (bsc# 1204167). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2023-227=1 Package List: o SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-150100_197_123-default-3-150100.2.1 References: o https://www.suse.com/security/cve/CVE-2022-3424.html o https://bugzilla.suse.com/1204167 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9x/jskNZI30y1K9AQi1wg/+NGfroajZwnRpUALdHv+FeZFeFYOHyZbz LqbAPWM5Lx1YkHOyj83hn6MvaNi4il3yPJmeRgoAZyqf7Bjji6GvmC7pCOJ6dRMQ uaAd9jSW8t8+jdiIm7/Lna10/XIzhw2rCvze/CITTONGIsGQEqHhl8qWv9PnvIjJ udE10j0X8VjxqrXVLr4qnJm4+EY+yRgy0h/uH01De6OEDE3sD43LWY1+RhdkRVGo 127jXFS0rbNlM6lciGd+JGf+lORA5zNCNUTkehH+/7+xhoww1PQz/0S6qMZKLien lggMllsXFM+BaH0fYeRrZorjt93HKskNYQM854t+egZTX5y7VEISVj1JNhtz6i6+ pYzDt5cP0hExPkxBd9j5fe+z2AX9zll4dPkrnzqBcRcbH/UKH8Lk91nCZU40Dxt8 jd4ATN24oGSPcaNjRj9oIlqNMHEtLfRqK0qxACzCKM5hX8pzKOhcKeUoEdggKXM5 p8UMCEnf6e2VOVtb2LVdDSgd5EusboNJEFfp1n5c4Vm+MYDGlPz00s22wScThAo+ szkB9J+bxwnZep5Va2H1ic2LJT93+sAxqm8xcpAmDalEKFKjd1m2+mP2B5HPQBjb 9OKstLA0ypqj032qHeEQ9Te8VTPUZ4zLQAqpySnT3KUYRxxiO/+a+ZmVJnWitBkg YhRTu2I2+K8= =8BUi -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0169.3 Cisco Network Services Orchestrator Path Traversal Vulnerability 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Network Services Orchestrator (NSO) Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2023-20040 Original Bulletin: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-path-trvsl-zjBeMkZg Comment: CVSS (Max): 5.5 CVE-2023-20040 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H Revision History: February 3 2023: Formatting issue February 3 2023: Vendor confirmed products that are not vulnerable January 12 2023: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Network Services Orchestrator Path Traversal Vulnerability Priority: Medium Advisory ID: cisco-sa-nso-path-trvsl-zjBeMkZg First Published: 2023 January 11 16:00 GMT Last Updated: 2023 February 2 20:22 GMT Version 1.1: Final Workarounds: No workarounds available Cisco Bug IDs: CSCwb11065 CVE Names: CVE-2023-20040 Summary o A vulnerability in the RESTCONF service of Cisco Network Services Orchestrator (NSO) could allow an authenticated, remote attacker to cause a denial of service (DoS) on an affected system that is running as the root user. To exploit this vulnerability, the attacker must be a member of the admin group. This vulnerability exists because user-supplied input is not properly validated when RESTCONF is used to upload packages to an affected device. An attacker could exploit this vulnerability by uploading a specially crafted package file. A successful exploit could allow the attacker to write crafted files to arbitrary locations on the filesystem or delete arbitrary files from the filesystem of an affected device, resulting in a DoS condition. Note: By default, during install, Cisco NSO will be set up to run as the root user unless the --run-as-user option is used. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-path-trvsl-zjBeMkZg Affected Products o Vulnerable Products At the time of publication, this vulnerability affected Cisco NSO. For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect Cisco NSO installations that are not running RESTCONF. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Fixed Releases At the time of publication, the release information in the following table was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. The left column lists Cisco software releases, and the right column indicates whether a release was affected by the vulnerability that is described in this advisory and which release included the fix for this vulnerability. Cisco NSO Release First Fixed Release 3.3 through 5.3 Migrate to a fixed release. 5.4 5.4.7 5.5 5.5.6 5.6 5.6.7 5.7 5.7.4 5.8 5.8.1 6.0 Not vulnerable. The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory. Exploitation and Public Announcements o The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing by Arthur Vidineyev of the Cisco Advanced Security Initiatives Group (ASIG). Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Subscribe to Cisco Security Notifications o Subscribe Related to This Advisory o URL o https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-path-trvsl-zjBeMkZg Revision History o +---------+---------------+------------------------+--------+-------------+ | Version | Description | Section | Status | Date | +---------+---------------+------------------------+--------+-------------+ | | Changed | Summary and Products | | | | 1.1 | NETCONF to | Confirmed Not | Final | 2023-FEB-02 | | | RESTCONF. | Vulnerable | | | +---------+---------------+------------------------+--------+-------------+ | | Initial | | | | | 1.0 | public | - | Final | 2023-JAN-11 | | | release. | | | | +---------+---------------+------------------------+--------+-------------+ Legal Disclaimer o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9x66ckNZI30y1K9AQiIdg//cRtphxvi4+0I4LEkvQRW0u4n8KfwAxd8 4LD//2ZIbMhO3YrifZKZ0+afycSOjVks38c9dXK5A69Ir0GG0VBThIS2F9LbfpQC 38ksYtxzEHpj7AXmsliIUEG4BYWMWRM8mo0w/YFPIakJpf6c98YS6oLpS6fyt33E 6BwbKpEJDsjoMJyDcKv2F9JqJWquXLPBx4FDdi/ZYhYNUAIqo6KQ46Gx6BaRo4sf 2QBmy0MMM8DHZIr77bqvKezb5hdBZ6Q5aOgV1Df0RN5e6idM+Qf5JaMZYdXS11hX M11wGkR8V9KfuIoyxky2xx3DO7Lq/ugMPSjhmFL8r3DVfIm1KMvmQGI/y8BaFk6x qG3Y4Ten4Z9rMIIic+JnWqjV3bAWFjMnjNmpBlxTo0GmJlXqZSvTxgjFbFcUeFeZ H0MRsiutGupzHOtjoAAqov/b2D2wIlnZzCh9Jv23rRmihcgKNGQdQhUCSpSzI1n+ 4fq8LHgfk9X/L6rt9eVDNTXnvn4fNn7ydk9RsNF3j6xndzLA7v9NwY8Kmee8g4yW AGBv9EHDn3YXFrwne4OZbBNbEpoPXsU0ngAqZz5+pXoRTivDd/1rw6c3RLL9Ym+V a3tzsoFQNrWBxgyMNK4HR798/U/jEQgt+sTSeiL/4NFSVnBXhrYHrJaudfKd83k9 L1b1WciR45M= =CnNJ -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0633 Jira Service Management Server and Data Center Advisory (CVE-2023-22501) 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Jira Service Management Server Jira Service Data Center Publisher: Atlassian Operating System: Windows Linux variants Resolution: Patch/Upgrade CVE Names: CVE-2023-22501 Original Bulletin: https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-2023-02-01-1188786458.html Comment: CVSS (Max): None available when published - --------------------------BEGIN INCLUDED TEXT-------------------- +----------------+------------------------------------------------------------+ | Summary |CVE-2023-22501 - Broken Authentication vulnerability in Jira| | |Service Management | +----------------+------------------------------------------------------------+ |Advisory Release|01 February 2023 10:00 AM PDT (Pacific Time, -7 hours) | | Date | | +----------------+------------------------------------------------------------+ | | o Jira Service Management Server | | Product | | | | o Jira Service Management Data Center | +----------------+------------------------------------------------------------+ | CVE ID(s) |CVE-2023-22501 | +----------------+------------------------------------------------------------+ Summary of Vulnerability This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server and Data Center. The following versions are affected by this vulnerability: o 5.3.0 o 5.3.1 o 5.3.2 o 5.4.0 o 5.4.1 o 5.5.0 An authentication vulnerability was discovered in Jira Service Management Server and Data Center which allows an attacker to impersonate another user and gain access to a Jira Service Management instance under certain circumstances. With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into. Access to these tokens can be obtained in two cases: o If the attacker is included on Jira issues or requests with these users, or o If the attacker is forwarded or otherwise gains access to emails containing a "View Request" link from these users. Bot accounts are particularly susceptible to this scenario. On instances with single sign-on, external customer accounts can be affected in projects where anyone can create their own account. The issue can be tracked here: JSDSERVER-12312 - Getting issue details... STATUS +-----------------------------------------------------------------------------+ |Atlassian Cloud sites are not affected. | | | |If your Jira site is accessed via an atlassian.net domain, it is hosted by | |Atlassian and you are not affected by the vulnerability. | +-----------------------------------------------------------------------------+ Severity Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment. Affected Versions Jira Service Management Server and Data Center versions 5.3.0 to 5.3.1 and 5.4.0 to 5.5.0 are affected by this vulnerability. +----------------------------------------------+-----------------+ | Product |Affected Versions| +----------------------------------------------+-----------------+ | | o 5.3.0 | | | | | | o 5.3.1 | | | | | | o 5.3.2 | |Jira Service Management Server and Data Center| | | | o 5.4.0 | | | | | | o 5.4.1 | | | | | | o 5.5.0 | +----------------------------------------------+-----------------+ Fixed Versions +----------------------------------------------+------------------+ | Product | Fixed Versions | +----------------------------------------------+------------------+ | | o 5.3.3 | | | | | | o 5.4.2 | |Jira Service Management Server and Data Center| | | | o 5.5.1 | | | | | | o 5.6.0 or later| +----------------------------------------------+------------------+ What You Need to Do Atlassian recommends that you upgrade each of your affected installations to one of the listed fixed versions (or any later version) above (see the "Fixed Versions" section of this page for details). For a full description of the latest version of Jira Service Management Server and Data Center, see the release notes. You can download the latest version of Jira Service Management and Data Center from the download center. For Frequently Asked Questions (FAQ), click here. Mitigation Installing a fixed version of Jira Service Management is the recommended way to remediate this vulnerability. If you are unable to immediately upgrade Jira Service Management, you can manually upgrade the version-specific servicedesk-variable-substitution-plugin JAR file as a temporary workaround. +-----------------+-----------------------------------------------------------+ | Jira Service | | | Management | JAR File | | Versions | | +-----------------+-----------------------------------------------------------+ |5.5.0 |[placeholde] | | |servicedesk-variable-substitution-plugin-5.5.1-REL-0005.jar| +-----------------+-----------------------------------------------------------+ |5.4.0, 5.4.1 |[placeholde] | | |servicedesk-variable-substitution-plugin-5.4.2-REL-0005.jar| +-----------------+-----------------------------------------------------------+ |5.3.0, 5.3.1, |[placeholde] | |5.3.2 |servicedesk-variable-substitution-plugin-5.3.3-REL-0001.jar| +-----------------+-----------------------------------------------------------+ To update the servicedesk-variable-substitution-plugin JAR file: 1. Download the version-specific JAR file from the table above. 2. Stop Jira. 3. Copy the JAR file into your Jira home directory. 1. For Server: /plugins/installed-plugins 2. For Data Center: /plugins/installed-plugins 4. Start Jira. Detection Atlassian cannot confirm if your instance has been affected by this vulnerability, but there are some steps you can follow to investigate your instances for potential unauthorized access. You can see the detailed steps outlined on the Frequently Asked Questions (FAQ) page here. Last modified on Feb 1, 2023 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9xh/MkNZI30y1K9AQjP3w//dUIW42s2vNhxiV1evheGviXOwcPlAVPl J4Ocq6YRjs1x5DnnskO0dBAsUJ4/kdLds4ClbUNRlw2ffo6poZK8Q6pK5fTLMlaH Swm+bMza8Qg3RSE7ATEsWL3b0TCtaDYnFAGiCyWUhioZS598C5+lECEdbGmgKA0O xdzIiYK0Gqo16d0PNBwVUvYphXj06DbLh338mPJNIhdV4oIxFpKLHJNy+k0Bwqxp LGmtEotZvTjbblwBmVWztfrc35/uXV1WkSRJoWWGRuz+lmjuOWkzZxdJBFN0QVil M6JBHEqG3xEtiGmSGYSvBHS8NpI+QuwGQzw1cCiPThq28HTKFGdjCaT5fqZX3MT5 6TzEQ+CeEaHEjsu3E7Hr961zUJtUDl+2iBNsjyZSUIKs9/Ay9sQ8o3SnB6Ib2SYM E0X/rtCVettfU7liKJ6k6f1UNjuRKO8VrcNLFbBjS4LEFiMzBJ/AuD9fpUQErkVw M+ZgbzWUTTd4EQ6nwZt9pKBj17Yzz5lTheSpng1SbTcJ/GgO8ukTyyROsNRasWB0 SOnwgex+9ZZvuPEMT+x34Q15DdJqdJVvt/n6TZFORV0pg/f494HGDCKtrpYLwJQh EuXl9ENwhSNz+sNj9+Ah5S9cJmaiXYIXQxANo+nu/BUqTERQmTahHqqPp2N9o/tz +17a2ZlDygo= =/e5O -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0632 Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server October 2022 CPU that is bundled with IBM WebSphere Application Server Patterns 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: WebSphere Application Server Patterns Publisher: IBM Operating System: Linux variants AIX Resolution: Patch/Upgrade CVE Names: CVE-2022-21628 CVE-2022-21626 CVE-2022-21624 CVE-2022-21619 CVE-2022-3676 Original Bulletin: https://www.ibm.com/support/pages/node/6912697 Comment: CVSS (Max): 6.5 CVE-2022-3676 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) CVSS Source: IBM Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server October 2022 CPU that is bundled with IBM WebSphere Application Server Patterns Document Information Document number : 6912697 Modified date : 01 February 2023 Product : WebSphere Application Server Patterns Component : - Software version : Version Independent Operating system(s): Linux AIX Security Bulletin Summary IBM WebSphere Application Server is shipped as a component of IBM WebSphere Application Server Patterns. There are multiple vulnerabilities in the IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the IBM Java SDK updates in October 2022. Information about security vulnerabilities affecting IBM WebSphere Application Server Patterns has been published and is referenced in this security bulletin. Vulnerability Details CVEID: CVE-2022-21628 DESCRIPTION: Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 238623 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2022-21626 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 238689 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2022-21624 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 238699 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) CVEID: CVE-2022-21619 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 238698 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) CVEID: CVE-2022-3676 DESCRIPTION: Eclipse Openj9 could allow a remote attacker to bypass security restrictions, caused by improper runtime type check by the interface calls. By sending a specially-crafted request using bytecode, an attacker could exploit this vulnerability to access or modify memory. CVSS Base score: 6.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 239608 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) Affected Products and Versions IBM Java SDK shipped with IBM WebSphere Application Server Patterns 1.0.0.0 through 1.0.0.7 and 2.2.0.0 through 2.3.3.5. Remediation/Fixes Please see the Multiple Vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU to determine which IBM WebSphere Application Server versions are affected and to obtain the JDK fixes. The interim fix 1.0.0.0-WS-WASPATTERNS-JDK-2210 can be used to apply the April and July 2022 SDK iFixes in a PureApplication or Cloud Pak System Environment. Download and apply the interim fix 1.0.0.0-WS-WASPATTERNS-JDK-2210 . Workarounds and Mitigations None IBM Java SDK Security Bulletin Change History 1 Feb 2023: Initial Publication *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9xh6MkNZI30y1K9AQjUDg/8DrAyoUW9zWM7jbIq0d0xR/yycs71gRCJ aTyqxfoOQd1yFDVSjAnvUe08jgQ/vQkUet1gACPUD15TTTYKPTIHlv0/S3TWi6fL km+Scsx1nyf5KHkBbN6SfdkH11Q8zETpkb9nSi+aYvuJQBQ+fFOm2/vA5fuZA7iC TA2o76Nv4dRyaYT30EG9BffFrmN/fG7GRXIQwzSvYWAQsSGu+px6ZPMuGlO3+C3k b3L9vCXEERs4JM7RtWRSZUCKvpEbaR0ZrESheApGkr8bUu6LD/4W5YHd1lFjmt7u VEsr3Fzi/aUlp3lGdqp6JX+6gCnRjWeX9rz4K3egHU+Z2YI1h2auk/X0Z6Y5x06X W6uC9Mo8YuarbUQWdApnJo1KIZORUHZbD3l6iSJzMrAnKb6Wp/s8WZXXGYp7b89u WEe7X3oetFwnHRlv5T/n75ZTusFvO5nzdvKgA24xCDqERk3z8Jq9b+RVa97bMHvQ AlCq16hszot6L4whZukHVn5+5u6+Xw+s3B7jywdkP5bBgDnTG6JkEn86/IaTHE5B BxDAbNkPUrrcUNU8Kl2EUb3IUuwCcInMvN4Nz9WUk0nO9uClgFxXGgMcSxmqP8HB xWx6v1UuXf70pje7e9dhGMPdMfoqa72+u1tdq/6MZxOwE7WYLk+MAtUUxsG5pXdh l3tsQXYW+QE= =YFo4 -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0631 IBM MQ is affected by FasterXML jackson-databind vulnerabilities (CVE-2022-42003, CVE-2022-42004) 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM MQ Publisher: IBM Operating System: AIX Linux variants Linux on IBM Z Systems IBM i Windows Resolution: Patch/Upgrade CVE Names: CVE-2022-42004 CVE-2022-42003 Original Bulletin: https://www.ibm.com/support/pages/node/6952181 Comment: CVSS (Max): 6.2 CVE-2022-42004 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSS Source: IBM Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- Security Bulletin: IBM MQ is affected by FasterXML jackson-databind vulnerabilities (CVE-2022-42003, CVE-2022-42004) Document Information Document number : 6952181 Modified date : 02 February 2023 Product : IBM MQ Component : - Software version : 9.2.0, 9.3.0 Operating system(s): AIX Linux Linux on IBM Z Systems IBM i Windows Security Bulletin Summary Multiple issues were identified with the Jackson library that is used within the IBM MQ Console to provide REST API functionality. Vulnerability Details CVEID: CVE-2022-42003 DESCRIPTION: FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the primitive value deserializers when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. By sending a specially-crafted request using deep wrapper array nesting, a local attacker could exploit this vulnerability to exhaust all available resources. CVSS Base score: 6.2 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 237662 for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2022-42004 DESCRIPTION: FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in in the BeanDeserializer._deserializeFromArray function. By sending a specially-crafted request using deeply nested arrays, a local attacker could exploit this vulnerability to exhaust all available resources. CVSS Base score: 6.2 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 237660 for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Affected Products and Versions +--------------------+----------+ |Affected Product(s) |Version(s)| +--------------------+----------+ |IBM MQ |9.2 CD | +--------------------+----------+ |IBM MQ |9.3 CD | +--------------------+----------+ |IBM MQ |9.3 LTS | +--------------------+----------+ The following installable MQ components are affected by the vulnerability: o REST API and Console If you are running any of these listed components, please apply the remediation /fixes as described below. For more information on the definitions of components used in this list see https://www.ibm.com/support/pages/ installable-component-names-used-ibm-mq-security-bulletins Remediation/Fixes This issue was resolved under APAR IT42344 IBM MQ Version 9.3 LTS Apply fix pack 9.3.0.2 IBM MQ version 9.2 CD and 9.3 CD Upgrade to IBM MQ 9.3.1 and apply cumulative security update 9.3.1.1 Workarounds and Mitigations None Change History 02 Feb 2023: Initial Publication *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9xh28kNZI30y1K9AQjPLw/+Kn6uAVUKVgYPafZaYzmdqnD2+m0fJN+w +3UlzKzxKLrbbY6ly8h+EZQwCm3vd9p5ZqTN0XrVXmqoHF79qCt3eQzhltO3Tm4g mG+UL5GFoZ8xvH7qmxDr/ByiMSyflV3RfR5Q69xzEzN+8eG2LdmggrHOnv8IMMpE 8Ros8HMIBcQisX5qS4qlyb4uYP/SZmqEOt0cdszEgip4t7KoW7XocmNRC4KLtEW/ RQPprqoweMFyhn+7H7sBZNygSiKy0CkVFa8DxHBDEpcAem+nzj6TXX9IO+yzWQMR ffyu2oVSYeD93pt8HnYVdF7livvrkeld0TdnTTYQI7cklV2s3NjFwPW2hlPT2VJL U+UDE/hmOTGDC18sWe5cQlM43rv+trA//dAc2Viis4meYgXy68fEmtQhSop6xl25 LCbrRa8Ug/n4roZWa+FNy2XjfQCtLsE13gpoasMzQnTddz/EgdxYQvizdSttV2KI 0+SAJcEeQjyvEyEaQXb5qJ2fqoiXZ5afmYuHkTcC1LmQ1K7VqFFAxGKb8psB4DcE JmkDfQpiZ04KYZkjg/wOTQU+oxJWkuQeyR1Ps3wUYhoa5v2R7pfRUTfE60Fzat2Q TZ3Z5Vzduddpqe0kCEJ5Di6pNV55mZyZKzLcJBU5ZiSXxeXpJqOmZuxmhW2KntqN /KuG4EAxFz8= =Jhf8 -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0630 IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. (CVE-2022-42436) 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM MQ Publisher: IBM Operating System: Linux variants Solaris IBM i Windows Linux on IBM Z Systems Resolution: Patch/Upgrade CVE Names: CVE-2022-42436 Original Bulletin: https://www.ibm.com/support/pages/node/6909467 Comment: CVSS (Max): 4.0 CVE-2022-42436 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSS Source: IBM Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- Security Bulletin: IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. (CVE-2022-42436) Document Information Document number : 6909467 Modified date : 02 February 2023 Product : IBM MQ Component : Managed File Transfer Software version : 8.0.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0 Operating system(s): Linux Solaris IBM i AIX Windows Linux on IBM Z Systems Security Bulletin Summary An issue was identified with IBM MQ Managed File Transfer where sensitive information was printed within diagnostics files. Vulnerability Details CVEID: CVE-2022-42436 DESCRIPTION: IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. CVSS Base score: 4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 238206 for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) Affected Products and Versions +--------------------+----------+ |Affected Product(s) |Version(s)| +--------------------+----------+ |IBM MQ |8.0 | +--------------------+----------+ |IBM MQ |9.0 LTS | +--------------------+----------+ |IBM MQ |9.1 CD | +--------------------+----------+ |IBM MQ |9.1 LTS | +--------------------+----------+ |IBM MQ |9.2 CD | +--------------------+----------+ |IBM MQ |9.2 LTS | +--------------------+----------+ |IBM MQ |9.3 CD | +--------------------+----------+ |IBM MQ |9.3 LTS | +--------------------+----------+ The following installable MQ components are affected by the vulnerability: o Managed File Transfer If you are running any of these listed components, please apply the remediation /fixes as described below. For more information on the definitions of components used in this list see https://www.ibm.com/support/pages/ installable-component-names-used-ibm-mq-security-bulletins Remediation/Fixes This issue was resolved under APAR IT42204. IBM MQ version 8.0 Apply iFix for APAR IT42204 IBM MQ Version 9.0 LTS Apply CSU 9.0.0.14 IBM MQ Version 9.1 LTS Apply CSU 9.1.0.13 IBM MQ Version 9.2 LTS Apply FixPack 9.2.0.7 IBM MQ Version 9.3 LTS Apply FixPack 9.3.0.2 IBM MQ 9.1 CD and IBM MQ 9.2 CD and IBM MQ 9.3 CD Upgrade to IBM MQ 9.3.1.1 Workarounds and Mitigations None Change History 01 Feb 2023: Initial Publication *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9xh0skNZI30y1K9AQhYYg/+K9OunnY7wSV0uMSxi+gebxgh3dUD7oKv wfmh5PdoLC94FCmwxQZFy0jpQ2aFeO0FaDJKaTvOasSzHxyyIVm5intVgD8vid+z lceQnQ82sO/Y67KSMD6TWsI0dDEtGQqZUNjd0x2A/bE5xDwoigTSJYschW5gVgwB y6+RoCsotlaMQotM6Q7g4mClfi6DUrRSmUqzhcIQa322bZc3vD6TYBOdIC0sMgX4 EtN/Iu6BfoC4ZlmVN1hYdiij7PaAIdao0pBCv99Y163v2a7ewA5i9Nxa8Y7PStdk t4GYf+Q+6Haq2lFK5j/OvDNUgj69suk1IuCQakYcAZE3g9S9vFl40Ybh9iP/8FKU NCrxlgQQnSaZX08CG7ujz0uxL4wEs5RBAjPsA2zBp1UEz5CRrM3gLXmf/pvNVlNn PhWm970Hs7+l9lGfE1yUVsTzsukxkBJ8L3DXv4ajCZg792kXJBBQRTDpUjMeZVPZ iNYhmbvledJHq8GWbuPVt4FEME9tPEjzNoS9zOfMGi0j+bDCqhyz12cWNZo3keUe //f9N7ivroFiBKsNmUpqgsSsRrQLVQvm+HHuEKo0NOFqt4SfzBwqZRCcRAkOaoSR PSoeas1Gqnzy0C90wx0dJ2qfGqlrjCS98gCcDCVgqwFco52rPITljTPkjDD6MLac xlTt7cPVGug= =Z9oy -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0629 USN-5840-1: Long Range ZIP vulnerabilities 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Long Range ZIP Publisher: Ubuntu Operating System: Ubuntu Resolution: Patch/Upgrade CVE Names: CVE-2022-28044 CVE-2022-26291 CVE-2021-27347 CVE-2021-27345 CVE-2020-25467 CVE-2018-5786 Original Bulletin: https://ubuntu.com/security/notices/USN-5840-1 Comment: CVSS (Max): 9.8 CVE-2022-28044 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- USN-5840-1: Long Range ZIP vulnerabilities 2 February 2023 Several security issues were fixed in Long Range ZIP. Reduce your security exposure Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines. Learn more about Ubuntu Pro Releases o Ubuntu 22.10 o Ubuntu 22.04 LTS o Ubuntu 20.04 LTS o Ubuntu 18.04 LTS o Ubuntu 16.04 ESM o Ubuntu 14.04 ESM Packages o lrzip - compression program with a very high compression ratio Details It was discovered that Long Range ZIP incorrectly handled pointers. If a user or an automated system were tricked into opening a certain specially crafted ZIP file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. ( CVE-2020-25467 ) It was discovered that Long Range ZIP incorrectly handled pointers. If a user or an automated system were tricked into opening a certain specially crafted ZIP file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. ( CVE-2021-27345 , CVE-2021-27347 ) It was discovered that Long Range ZIP incorrectly handled pointers. If a user or an automated system were tricked into opening a certain specially crafted ZIP file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. ( CVE-2022-26291 ) It was discovered that Long Range ZIP incorrectly handled memory allocation, which could lead to a heap memory corruption. An attacker could possibly use this issue to cause denial of service. This issue affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 22.10. ( CVE-2022-28044 ) Reduce your security exposure Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines. Learn more about Ubuntu Pro Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10 o lrzip - 0.651-2ubuntu0.22.10.1 Ubuntu 22.04 o lrzip - 0.651-2ubuntu0.22.04.1 Ubuntu 20.04 o lrzip - 0.631+git180528-1+deb10u1build0.20.04.1 Ubuntu 18.04 o lrzip - 0.631-1+deb9u3build0.18.04.1 Ubuntu 16.04 o lrzip - 0.621-1ubuntu0.1~esm2 Available with Ubuntu Pro Ubuntu 14.04 o lrzip - 0.616-1ubuntu0.1~esm2 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References o CVE-2021-27347 o CVE-2021-27345 o CVE-2020-25467 o CVE-2022-28044 o CVE-2022-26291 o CVE-2018-5786 Related notices o USN-5171-1 : lrzip o USN-5171-2 : lrzip - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9xhyckNZI30y1K9AQj0OA/8ChENcDE0a/LhQj5hHMoj957KRGRC0STL Rjq615RfIvWefQqmNh6wgS3e/wnUqNmxYMHchS3DuCyiIscJcfTk/EpHBMwSN1bp isg/NA3BDStiEo8xa2RBuPtgDKmnfs1nNWYh5RIoxv61HV7UgN/IZALTRNcAgNgH N+WmuYFMnx33WhB0KvNYRYHRengA4fyDaiHgGbnxsx/WifukBqIvSr9JRFJIJ0kL pvvupd3Ob+aQlSeOj5ePQEkRKqkgUrBSh1EY7rL68zm9jJoSUlTmoE/3MovYt7Oi Dvbmf/qdn0x49jc+CUdSoui8zUJdels9yTuOghOXVipl/V7Q+wlQXpMEGhzyxMCm D44l+bNZ5gbJ96Eix7y0I1LyNabnpT5OSwwvLbuwsjqTln1/pUTDKQix9puMZyU5 awcXizxZwKmxzq+8jhTCRGJOL6VnBf/Majbceshg0MTTCLXIMZX2PIcC7OzCGPR7 RyN6vofp9PjypANVFf2T/Ky+RIaT4SsSAheg+pZm+vSyCtkn1VVtrPIilXLUyO9L rFoj7CKwuH1lk/gt3ykfcPRxrCvsI7ryFsjIWwL1isgbTKU9aRwdUDLMd9XnWUuZ uGUWGApN7x/V9xEta+2RKtly7pPKeR6gjCYPOCuEBKEFlgVV2z9yvCNNbevRuF/E twSxMtlzKP4= =ry0p -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0628 USN-5841-1: LibTIFF vulnerabilities 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: LibTIFF Publisher: Ubuntu Operating System: Ubuntu Resolution: Patch/Upgrade CVE Names: CVE-2022-48281 CVE-2022-3970 CVE-2020-35524 CVE-2020-35523 CVE-2019-17546 CVE-2019-14973 Original Bulletin: https://ubuntu.com/security/notices/USN-5841-1 Comment: CVSS (Max): 8.8 CVE-2022-3970 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- USN-5841-1: LibTIFF vulnerabilities 2 February 2023 Several security issues were fixed in LibTIFF. Reduce your security exposure Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines. Learn more about Ubuntu Pro Releases o Ubuntu 16.04 ESM o Ubuntu 14.04 ESM Packages o tiff - Tag Image File Format (TIFF) library Details It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. This issue was only fixed in Ubuntu 14.04 ESM. ( CVE-2019-14973 , CVE-2019-17546 , CVE-2020-35523 , CVE-2020-35524 , CVE-2022-3970 ) It was discovered that LibTIFF was incorrectly acessing a data structure when processing data with the tiffcrop tool, which could lead to a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. ( CVE-2022-48281 ) Reduce your security exposure Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines. Learn more about Ubuntu Pro Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 o libtiff5 - 4.0.6-1ubuntu0.8+esm9 Available with Ubuntu Pro o libtiff-tools - 4.0.6-1ubuntu0.8+esm9 Available with Ubuntu Pro Ubuntu 14.04 o libtiff5 - 4.0.3-7ubuntu0.11+esm6 Available with Ubuntu Pro o libtiff-tools - 4.0.3-7ubuntu0.11+esm6 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References o CVE-2019-14973 o CVE-2020-35524 o CVE-2019-17546 o CVE-2022-48281 o CVE-2020-35523 o CVE-2022-3970 Related notices o USN-4158-1 : libtiff-tools, libtiff5-dev, libtiffxx5, libtiff-dev, libtiff-opengl, tiff, libtiff-doc, libtiff5 o USN-4755-1 : libtiff-tools, libtiff5-dev, libtiffxx5, libtiff-dev, libtiff-opengl, tiff, libtiff-doc, libtiff5 o USN-5743-1 : libtiff-tools, libtiff5-dev, libtiffxx5, libtiff-opengl, tiff, libtiff-doc, libtiff5 o USN-5743-2 : libtiff-tools, libtiff5-dev, libtiffxx5, libtiff-dev, libtiff-opengl, tiff, libtiff-doc, libtiff5 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9xhw8kNZI30y1K9AQjBMBAAjb0fvRSW6f239CPz/iQA2kz8q8D2yyW+ ZuUddAKAPJ3EfYEfglQYPlHZW0BY4Z6wxJg0hHXl1HUYQzEaaJGilWDP+GwkNe8m q+xeaa3rsw8DZyLTlXf7QLXWWk4C1iEdJEOQQvZCiSZzIPdBnfoznZmO8+BAqmzZ Zz80IOKUcelSB2vdth2h54rGj4WNkP2rCzsPhVTFaEWyHnzFt05BwROnIu8h2Sjl PRkwJMnRG56wwA8btENGek8jGIC3V8Woiz3mOwPVcrv99ug0wcws6A/LOxSI/9+m bTQ7ewIZnCDOg3fQaNtA95mYlxJIdrzMigKHULwVAviscEJ3rexkR58/EZXWGuRR 06RNn5qSA1pevNg+46BLSvOfmZzgKbxf1tWuQ23pVGo2QoM2MVSrJ/zVDpxcUFC7 6wYDh3dv0xopEsA1HgVYGgy2j5LM9imrsSXhxJeL7/nQXhn9/WeHUzqov9f1+j7l XIeP8OdxSV3l4YpjaaQEOJBhE9OWTefxsagFubal4F+yP2kwnQf9NJ5gUGr79fEe n3HHei0w4jfvxyM7KhEQ/UpRu1Zh5ZzZjAAa4oWq/ZvddVrhavVf7jnlTQqx5Ibi B31Z3QuRLf4+yb675XaETw1B7C2lORlpvMBL13u/bN9p8RW/jHQnjGr2t9PBZWjz vWQfjAF8ZSQ= =pU8D -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0627 Advisory (icsa-23-033-05) Delta Electronics DX-2100-L1-CN 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Delta Electronics DX-2100-L1-CN Publisher: ICS-CERT Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2023-0432 CVE-2022-42140 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-23-033-05 Comment: CVSS (Max): 9.0 CVE-2023-0432 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-23-033-05) Delta Electronics DX-2100-L1-CN Original release date: February 02, 2023 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 9.0 o ATTENTION: Public exploits available/exploitable remotely/low attack complexity o Vendor: Delta Electronics o Equipment: DX-2100-L1-CN o Vulnerabilities: OS Command Injection, Cross-site Scripting 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker with low privileges to gain root access or allow an unauthenticated attacker to perform remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of DX-2100-L1-CN, an industrial ethernet router, are affected: o DX-2100-L1-CN: Version 1.5.0.10 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78 The web configuration service of the affected device contains an authenticated command injection vulnerability. It can be used to execute system commands on the operating system (OS) from the device in the context of the user "root." If the attacker has credentials for the web service, then the device could be fully compromised. CVE-2022-42140 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:N/S:U/ C:H/I:H/A:H ). 3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79 The affected device contains a stored cross-site scripting vulnerability in the "net diagnosis" function in the web configuration service. This can be exploited in the context of a victim's session. An attacker could deliver a large variety of payloads that could lead to possibilities, such as remote code execution. CVE-2023-0432 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:R/S:C/ C:H/I:H/A:H ). 3.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: Taiwan 3.4 RESEARCHER CISA discovered a public Proof of Concept (PoC) as authored by T. Weber of CyberDanube Security Research, who reported it to Delta Electronics. 4. MITIGATIONS Delta Electronics patched this vulnerability in Version 1.5.0.12 and recommends all users update device firmware to that version or later. CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet . o Locate control system networks and remote devices behind firewalls and isolate them from business networks. o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics . Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9xhvckNZI30y1K9AQiUghAArThhVZbl7RQ8hwr5v6cNAyjQEHpIBBF6 QZjxjVJieRjEsUo0oqkOhoLLr8enZQmdbu0mB9zmHXmJV5Yvvkjro74N7mVEztJo mLK/rd6kFlcJHIaPqghWheM7671TkcFJtrLL7sBTQXbrXqlO3TQsbHKlZaH1hSwV X/XvlGVX57EI/b5UuQpB/hHbI0mAZngDweLHemr7tO1Pr3jNhFFYh6Kjg4Rv27Vc MQUzQvod53ZMA5w5ExhtmUJL1oTvc6jaA8UGgqw3J6riNDQiN6y9cB68msyX0P8c 8SABZ95sVI5l5IM52CKCaHDBA8wjy1zT6wbcKPKkARr5cunNC3og0yJEbzdjwtv2 bhRKIVwwGhE5GyToAp0ar9dypMAlsRk2EUOMVJWe84cPFewy/I2t2ocddaMclHYa VqSvGkwXsD/ZZ/Lj8QNkNo2QwD1DEnIZrgnb3/VmWdU7jjLxMSOfuhiF2VZJy6Ml HruuUecQDkHKi54EeWSTrT3GTKlgtSW8B20YZc6J2HRFkNdC/rvNKUP8T/okM5XT rvjGqonTD3QIO7eHfij/9h/1C21NaRpHoxkxhSFQXAsX+y5d7SgUBh2iBOTK2REb g0kl0prB/WO2WavwwT9yaKEiZjvCik+OOkSJh3ITJhkJosd8KFdmskXzQQtXXtXM Y3+tOrvLy4o= =zW13 -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0626 Advisory (icsa-23-033-04) Delta Electronics DVW-W02W2-E2 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Delta Electronics DVW-W02W2-E2 Publisher: ICS-CERT Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2022-42139 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-23-033-04 Comment: CVSS (Max): 9.9 CVE-2022-42139 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-23-033-04) Delta Electronics DVW-W02W2-E2 Original release date: February 02, 2023 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 9.9 o ATTENTION: Public exploit available/exploitable remotely/low attack complexity o Vendor: Delta Electronics o Equipment: DVW-W02W2-E2 o Vulnerabilities: OS Command Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a threat actor with low privileges to gain root access to the device, which could then allow them to send malicious commands to managed devices. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of DVW-W02W2-E2, an industrial ethernet router, are affected: o DVW-W02W2-E2: Version 2.42 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78 The web server of the affected device is vulnerable to authenticated command injection via POST parameters. A threat actor could gain full access to the underlying operating system (OS) of the device. If the device is acting as a key device in an industrial network, or controls various critical equipment via serial ports, the threat actor could cause extensive damage in the corresponding network. CVE-2022-42139 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:N/S:C/ C:H/I:H/A:H ). 3.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: Taiwan 3.4 RESEARCHER CISA discovered a public Proof of Concept (PoC) as authored by T. Weber of CyberDanube Security Research, who reported it to Delta Electronics. 4. MITIGATIONS Delta Electronics patched this vulnerability in Version 2.5.2 and recommends all users update affected device firmware to that version or later. CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet . o Locate control system networks and remote devices behind firewalls and isolate them from business networks. o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics . Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9xht8kNZI30y1K9AQh/Eg/+ImrdNom9ycn5O9LSEYoZ3yr/S6gwGKNW Jgow142c3X98tOP9yHWO6zxuGgR7JCeDMTl+k36azXiqanXHql8MPryRF1mvatHu ZRVy5OHoICOTldaA6sr5wiIOPeRo8A1oW9lvAAV9Fv+T2R0V3elz2TL25plcpIIH s+yygBikYBvzt3c9MYX4i9k7YR5ob5r2nm4KEtMI/jasg0iFysbXL+5FihdimCjy gYOFKkkrwOzw85UX1k7s6wwmp5iS2OURBVN3MLTa1W9YbxK6n97/LBZSaCwzIAuf K6HpvBbufR1zTrZpdWuclXeBXaEi3brvjQvg2i7yGDJRVnbiTitlWVothvPIfV0T vD5Hutyg0BCDOe1KnYeOE0TQNmx23+MpIGAa9OM99mSW2UHQ8zsFP8ctAOgTYsYq DuGAUX2eLpJsWfiFLMJh92gArmkOy2AWDUYU+WWalq95iVHoqAEG7xYNgUNpMpnH eCguGoph6h47ij2fFn9tx7py1NVCojZgvQvDATMKrxFiBiUfRN7kbKoPSTrOqtha nHVgm7zSS1UrKKtXlycwucpRgPGPX7pthX4wpPzoKI8D6IK6o3LC9Rd32IT6DiFW DYUMJ1UIt4IDppS100GqScjGg9eMQjSKyshsJkoTCRisi0zJLQhPYMCcP/ji/jXr l9g1bsl0CBo= =DTh5 -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0625 Advisory (icsa-23-033-01) Delta Electronics DIAScreen 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Delta Electronics DIAScreen Publisher: ICS-CERT Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2023-0251 CVE-2023-0250 CVE-2023-0249 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-23-033-01 Comment: CVSS (Max): 7.8 CVE-2023-0251 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-23-033-01) Delta Electronics DIAScreen Original release date: February 02, 2023 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 7.8 o ATTENTION: Low attack complexity o Vendor: Delta Electronics o Equipment: DIAScreen o Vulnerabilities: Stack-based Buffer Overflow, Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of DIAScreen, a software configuration tool for Delta devices, are affected: o DIAScreen: versions 1.2.1.23 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121 Delta Electronics DIAScreen versions 1.2.1.23 and prior are vulnerable to a stack-based buffer overflow, which could allow an attacker to remotely execute arbitrary code. CVE-2023-0250 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/ C:H/I:H/A:H ). 3.2.2 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119 Delta Electronics DIAScreen versions 1.2.1.23 and prior are vulnerable to a buffer overflow through improper restrictions of operations within memory, which could allow an attacker to remotely execute arbitrary code. CVE-2023-0251 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/ C:H/I:H/A:H ). 3.2.3 OUT-OF-BOUNDS WRITE CWE-787 Delta Electronics DIAScreen versions 1.2.1.23 and prior are vulnerable to an out-of-bounds write, which could allow an attacker to remotely execute arbitrary code. CVE-2023-0249 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/ C:H/I:H/A:H ). 3.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Energy o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: Taiwan 3.4 RESEARCHER Natnael Samson (@NattiSamson), working with Trend Micro's Zero Day Initiative, reported these vulnerabilities to CISA. 4. MITIGATIONS Delta Electronics released version 1.3.0 of DIAScreen (login required) and recommends users install this update on all affected systems. CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet . o Locate control system networks and remote devices behind firewalls and isolate them from business networks. o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics . Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9xhsckNZI30y1K9AQjwmw/+LN5yTFzzwQNLd+8XPAdq5ccihqngOs+W LpffPIHYrPUXMLHSujZAPf5itGUdz41cNCcu6ztjKsP27CWWikdBcMpNo0PLAaNv ms6HlHNiH5Rp2v6py+XSA46k4VAF89DV/p2rGjc/ib4aqJKdIy28NtDBt7ffLQ70 mfgdtSa5sWUZvk7Y7V6vwymYK6uo0pjIpyryYA1V+JNl5B3c4hjIjn5y3/8ydnAH LtxrrP3vzyjWgBHBA8dA8i5HMQf2wGYjTPCdIdEd8osowtYrfjXZ+WQ5tpo+6R/j BE2q2QjCCgGhMZPJPWwse5qg8DpaA/kEiiA69VH0FfQCfLRY2NxQNp9kWlTE83il NiTe4I1kVZiGPZE65J812rjtcdO+1ofMpwbPFXju6A6i27gW9EOg9Ozn43GJpnYX BPhjriUk6MxOL+pEO2esRKO88QAhC00Gc5Ipug7YYVyfNJAtAuKTYD1ps5hAY7tW uMhWkKgX9qHZCb7qdEopyB41QnOXjeZNKAVKadRMi/jOxxeP0JC+swtgh64MKiNr JWd8naTiTcboPDutW33ZIglwAlzjhs+xcFYCq4USF4kBeDt+62AqCyHJtws9bNxT diV0NBRXfgYM/q3haYp/uaAA2zFj0bzi2jS/gTaJJ6FQ4K2zvqHXyShsEWHJ3Xjt +H4VVpiIEcs= =Gq5w -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0624 Advisory (icsa-23-033-03) Baicells Nova 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Baicells Nova Publisher: ICS-CERT Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2023-24508 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-23-033-03 Comment: CVSS (Max): 9.8 CVE-2023-24508 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-23-033-03) Baicells Nova Original release date: February 02, 2023 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 9.8 o ATTENTION: Exploitable remotely/low attack complexity o Vendor: Baicells Technologies o Equipment: Nova o Vulnerability: Command Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Baicells reports this vulnerability affects the following Nova LTE TDD eNodeB devices with firmware through RTS/RTD 3.6.6: o Nova 227 o Nova 233 o Nova 243 o Nova 246 3.2 VULNERABILITY OVERVIEW 3.2.1 COMMAND INJECTION CWE-77 Baicells Nova 227, Nova 233, Nova 243 LTE TDD eNodeB devices and Nova 246 with firmware through RTS/RTD 3.6.6 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. CVE-2023-24508 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/ C:H/I:H/A:H ). 3.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Communications o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: United States 3.4 RESEARCHER Rustam Amin reported this vulnerability to CISA through VINCE . 4. MITIGATIONS Baicells resolved this vulnerability in firmware version 3.7.11.3 and later. Baicells recommends all users currently running an earlier version of RTS/RTD upgrade their devices to the 3.7.11.6 firmware. Firmware can be downloaded from the Baicells community page or upgraded via OMC. Baicells published a security vulnerability notice for this issue CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet . o Locate control system networks and remote devices behind firewalls and isolate them from business networks. o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics . Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target this vulnerability. This vulnerability is exploitable remotely. This vulnerability has a low attack complexity. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9xhq8kNZI30y1K9AQhd3A/8C705Tl/WFHe3MFVGNs4b/ybZWlWE5qY5 bWn58zrJVZH8sbmoKiPYW7TKINm1O5u0Ux0flttxQC/TsjLktGEyunedzS/nrX1a +onNjPC+7UtZqp7tA7SASWuXOKnglqi6t6F3VOZ8CBK5+48p0qPlj9fQHPBG04lG 2AY4SNR2+4pOkUqIW1R74FPdj7DA5tYY8gpsy0LReLz3q6c87hQGXNDmXL8Yn871 PjwH3OtoFua8o7kfi0T6w1ouQwdIbgPvt06wnYwAN8Jj0qhqs8wn+uFa3+loWaEO Cfk6wcTnr3+35fW9MaGQEh90Tuoh6oI5X3wGL7hCIHPdx/PgLMhfg48D/n/Q7YWk +3IYcDQUF7IPMIn45JT3asJ77u3oR65gyzffAj0wrn826HgxK7Ro4goev4mp+tg2 9xvNC6Hm5A9N8TpHCT83WbmTctUiWgUrG1XNaLojROrKDKLV4CDhrFgcZQnoO8uB GUjOVdwp0C9E2fQ93nmUHx3Jrrlnh/NuX9Euu69sdamVgDUWuERXwWRlVZ71b6Nm 0cDpduISNfDseFumJV7rCgStczABqtPHzsgMBCAG1MbNzzTFFspA6uCU/X0bb9y8 HxrCkrzNLy1bT/VVlkjYYMY2k7yHFQN6QQNlYvKk7awcJJHUrK0Eyos3v5toR4bG CzETAAcYtPQ= =Vcsa -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0623 USN-5839-2: Apache HTTP Server vulnerability 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Apache HTTP Server Publisher: Ubuntu Operating System: Ubuntu Resolution: Patch/Upgrade CVE Names: CVE-2022-37436 Original Bulletin: https://ubuntu.com/security/notices/USN-5839-2 Comment: CVSS (Max): 5.3 CVE-2022-37436 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- USN-5839-2: Apache HTTP Server vulnerability 2 February 2023 Several security issues were fixed in Apache HTTP Server. Reduce your security exposure Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines. Learn more about Ubuntu Pro Releases o Ubuntu 16.04 ESM Packages o apache2 - Apache HTTP server Details USN-5839-1 fixed a vulnerability in Apache. This update provides the corresponding update for Ubuntu 16.04 ESM. Original advisory details: Dimas Fariski Setyawan Putra discovered that the Apache HTTP Server mod_proxy module incorrectly truncated certain response headers. This may result in later headers not being interpreted by the client. ( CVE-2022-37436 ) Reduce your security exposure Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines. Learn more about Ubuntu Pro Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 o apache2 - 2.4.18-2ubuntu3.17+esm9 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References o CVE-2022-37436 Related notices o USN-5839-1 : libapache2-mod-md, apache2, apache2-suexec-custom, apache2-utils, apache2-data, libapache2-mod-proxy-uwsgi, apache2-bin, apache2-ssl-dev, apache2-suexec-pristine, apache2-doc, apache2-dev - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9xhpMkNZI30y1K9AQgBMw//RK95NRKIDk64uHoI5Ifelp2US0PfpgqX qve0ah0Qj462fl5VbGJ7qcfwt5T79wZFJIK6dIlZ/xwvsFOCFTYI42MDwPyglSLZ NrgrSKip2kBEFYhE9VeWCFTaxU8xzhKgk4XSbntnBuahEIgPCNnmynBfvC+V8ufp QrVbJV/kqWQt9I5VqEGq0aIf9D/55ytQ437n5ruUOgNuUs8c3DpEYGMUZsR+j8yN Hs8ErdpGpK2Q3laVp1oAkYDIY6Pw33eF5vDFPYYEXbntET+ko+p0QnkGm1DqbPWJ 1YnM1qutSKteE/rowmbXHJxPcfEY5lmMWgO0UOc6ES9srcZPJ1LWTlH+/saw7OdS qWwLOXQcvj3rbKLC+4fIo/IG5wifDrkHkoQJhRRjU7m5Si19qz4rMcKnimN9LhRL R+wbNI8zkBewv9oZqDNwArZ8VHmDksE+gvXa4wiYGVedlOFsZSwshQRggAaLWDrc Tsp7ZUxvWa8WlmlbN72bo//avOYAR3R3+TUtY3zkfOlysvyJ/n6XyiiFdu8P9378 DoHhe7s+ZIBzSH3uw5uFAhKxbljIZuQ8GclWjBrPbpGJ70us/h1LJOKrqi+pVkUO wug566BLXmFKfukpuWxHP1ltUUSrrIsg9nb7DYuEG/QYwj9uJRuQxMKpbH75ASUD /YRsVcWZRYY= =2DI0 -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0622 Advisory (icsa-23-033-02) Mitsubishi Electric GOT2000 Series and GT SoftGOT2000 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Mitsubishi Electric GOT2000 Series GT SoftGOT2000 Publisher: ICS-CERT Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2022-40269 CVE-2022-40268 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-23-033-02 Comment: CVSS (Max): 7.4 CVE-2022-40269 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-23-033-02) Mitsubishi Electric GOT2000 Series and GT SoftGOT2000 Original release date: February 02, 2023 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 6.8 o ATTENTION: Exploitable remotely o Vendor: Mitsubishi Electric Corporation o Equipment: GOT Mobile Function on GOT2000 Series and GT SoftGOT2000 o Vulnerabilities: Authentication Bypass by Spoofing, Improper Restriction of Rendered UI Layers or Frames 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow attackers to perform unintended operations through clickjacking (an attack that tricks users into clicking an invisible or disguised webpage element) or allow attackers to disclose sensitive information from their browsers or impersonate legitimate users by abusing inappropriate HTML attributes. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Mitsubishi Electric reports these vulnerabilities affect the GOT Mobile Function on the following products: o GOT2000 Series: GT27 model: GOT Mobile versions 01.14.000-01.47.000 GT25 model: GOT Mobile versions 01.14.000-01.47.000 o GT SoftGOT2000: software versions 1.265B-1.285X 3.2 VULNERABILITY OVERVIEW 3.2.1 AUTHENTICATION BYPASS BY SPOOFING CWE-290 This vulnerability could allow an attacker to impersonate legitimate users by abusing inappropriate HTML attributes or cause users' browsers to disclose sensitive information. CVE-2022-40269 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:R/S:U/ C:H/I:H/A:N ). 3.2.2 IMPROPER RESTRICTION OF RENDERED UI LAYERS OR FRAMES CWE-1021 This vulnerability could allow an attacker to lead legitimate users to perform unintended operations through clickjacking. CVE-2022-40268 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is ( AV:N/AC:H/PR:N/UI:R/S:C/ C:N/I:H/A:N ). 3.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: Japan 3.4 RESEARCHER Mitsubishi Electric reported these vulnerabilities to CISA. 4. MITIGATIONS Mitsubishi Electric recommends users update to the latest software versions. Mitsubishi Electric's security advisory contains step-by-step update instructions : o GOT2000 Series GT27 model: Update to GOT Mobile version 01.48.000 or later. GT25 model: Update to GOT Mobile version 01.48.000 or later. o GT SoftGOT2000: Update to software version 1.290C or later. Mitsubishi Electric recommends users take the following mitigations to minimize the exploitation risk of these vulnerabilities: o When internet access is required, use a firewall, virtual private network (VPN), etc. to prevent unauthorized access. o Use devices within a local area network (LAN) and block access from untrusted networks and hosts. o Install antivirus software on hosts running affected software/firmware. o Use the IP filter function to control access via IP address. GT Designer3 (GOT2000) Screen Design Manual (SH-081220ENG). "5.4.3 Setting the IP filter" o Disable GOT Mobile Function. Users should refer to Mitsubishi Electric's security advisory for further information. CISA recommends users take defensive measures to minimize the risk of exploitation these vulnerabilities. Specifically, users should: o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet . o Locate control system networks and remote devices behind firewalls and isolate them from business networks. o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics . Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: o Do not click web links or open attachments in unsolicited email messages. o Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. o Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have a high attack complexity. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9xhbskNZI30y1K9AQgYcBAAlo0f571Pj4/iWEIbwM4c/sN5uIgda5np fo1QdapFPdLwgOGt1KxonfoheKA506BRTSp/26kJJLPqwilEQWkf7EU4xyrA89wN LGME3ASaDqtEJnAF+nk1437bS/h4jUQVqXVBS84ErGO1UCAceshcOXEfIJsc/ion 60m//bEPoCr01LXsxcdT6ux848UceoS6p8KzYi864Qyo7psS46tKEbrEq/ZdPwH7 4x+0qeBLFHYjRvA24ca5IpVoJ+2IcExGVDIm7xOx7E0+iOtWk5Z0GmV1OTXSVoeP 8SIZuheXpf3elbmYjpDDzUbOIYRu0XNn/wlNCaN33R8olUBeJwlxSdxwt1BPMxV+ hYQZWMOVxEMHa6T1GfMc3gufUPwdOtf2b63Y3a0LgjeeD8//jq0Ze8mtmhM5b8QX NUARBeoXFvQCTyD2iaZmcC5u7Cyqd5QGjkfw0MgQAk26jPNG2YeUpt3sjATLVFbr x9r4/Hs6KEnq90rUMsJzpBV0hVMCopbZIcvCcWNV9iRstl8fDDz4cEXtS1B3tv/7 EJzlgvN4LUPhEN12VnDcQoXPTnK1hQbDSGBM3EDxfJuE2xraY5PWy0QkC66S3Abw DiDxD9Onq2KF8KY/J5ig/j6nlFgD0BvBBs9eJ8qIb7PsCv2NIMIbBmkHara+HcMs svPiNJwzQkQ= =pp9T -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3930.2 Advisory (icsa-22-221-01) Mitsubishi Electric Multiple Factory Automation Products 3 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Mitsubishi Electric Multiple Factory Automation Products Publisher: ICS-CERT Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2022-1292 CVE-2022-0778 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-221-01 Comment: CVSS (Max): 9.8 CVE-2022-1292 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Revision History: February 3 2023: Vendor updated the advisory August 10 2022: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-22-221-01) Mitsubishi Electric Multiple Factory Automation Products (Update D) Original release date: February 02, 2023 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 9.8 o ATTENTION: Exploitable remotely/low attack complexity o Vendor: Mitsubishi Electric o Equipment: GOT2000 compatible HMI software, CC-Link IE TSN Industrial Managed Switch, MELSEC iQ-R Series OPC UA Server Module o Vulnerabilities: Infinite Loop, OS Command Injection 2. UPDATE INFORMATION This updated advisory is a follow-up to the advisory update titled ICSA-22-221-01 Mitsubishi Electric Multiple Factory Automation Products (Update C) that was published November 01, 2022, to the ICS webpage on cisa.gov/ics. 3. RISK EVALUATION Successful exploitation of these vulnerabilities could create a denial-of-service condition or enable arbitrary code execution. 4. TECHNICAL DETAILS 4.1 AFFECTED PRODUCTS The following version of GT SoftGOT2000 is affected: o GOT2000 compatible HMI software (GT SoftGOT2000): Version 1.275M o CC-Link IE TSN Industrial Managed Switch (NZ2MHG-TSNT8F2, NZ2MHG-TSNT4): Version 03 and prior [affected by CVE-2022-0778 only] o MELSEC iQ-R Series OPC UA Server Module (RD81OPC96): Version 08 and prior [affected by CVE-2022-0778 only] 4.2 VULNERABILITY OVERVIEW 4.2.1 LOOP WITH UNREACHABLE EXIT CONDITION ('INFINITE LOOP') CWE-835 A vulnerability in OpenSSL creates the potential for an infinite loop in the affected product, which could lead to a denial-of-service condition. CVE-2022-0778 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:N/ I:N/A:H ). 4.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78 A vulnerability in OpenSSL creates the potential for OS command injection in the affected product, which could lead to arbitrary code execution. CVE-2022-1292 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:H/ I:H/A:H ). 4.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: Japan 4.4 RESEARCHER Mitsubishi Electric reported these vulnerabilities to CISA. 5. MITIGATIONS Mitsubishi Electric recommends the following mitigations for the affected products: o GOT2000 compatible HMI software: Mitsubishi Electric has released a patch for these issues and recommends users update affected products to Version 1.280S or later. Users should contact Mitsubishi Electric to obtain the patch. o CC-Link IE TSN Industrial Managed Switch: Mitsubishi Electric has released fixed firmware for these issues and recommends users update affected products to Version 04 or later. Users should contact Mitsubishi Electric to obtain the fixed firmware version. To update affected CC-Link IE TSN Industrial Managed Switch products, log into the product with the web interface and go to [System] -> [System Management] -> [Firmware Upgrade] from the Function menu after obtaining the updated firmware file. o CC-Link IE TSN Industrial Managed Switch: Mitsubishi Electric recommends users to log into NZ2MHG-TSNT8F2 or NZ2MHG-TSNT4 with the web interface and change the username and password from their default setting in [Account Management] on the function menu. They are also recommended to set proper access permissions for different users. - --------- Begin Update D part 1 of 1 --------- o MELSEC iQ-R Series OPC UA Server Module: Mitsubishi Electric has released the fixed firmware for these issues and recommends users update affected products to Version 09 or later. Users should contact Mitsubishi Electric to obtain the fixed firmware version. Mitsubishi Electric recommends users ensure the OPC UA Client is updated to the latest version and to use legitimate certificates on the OPC UA Client side. To update the firmware of the affected device, use an SD card and refer to the "MELSEC iQ-R Module Configuration Manual (SH-081262ENG)". - --------- End Update D part 1 of 1 --------- For instructions on how to check the product version and more information regarding contacting Mitsubishi Electric, refer to Mitsubishi Electric's security advisory . Mitsubishi Electric recommends users take the following precautions to minimize the risk of these vulnerabilities being exploited: o When internet access is required, use a virtual private network (VPN) to prevent unauthorized access. o Use the products within a LAN and block access from untrusted networks and hosts. o For GOT2000 compatible HMI software: Update the OPC UA server to the latest version available. o For GOT2000 compatible HMI software: Install antivirus software on computers running the affected software. o Restrict physical access to computers running the affected software. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics . Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target these vulnerabilities. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9xhnskNZI30y1K9AQjarw/8CJXq0AxM++nkkzhC8doLc4ktnZOabzQo AoNJtL+Hn76GKhskqvBJIBCr2F+vmDupIqsZcwMGdaumtG9BB/+XVRrDKRd+qUa/ Vi8FjZ4RUaTRM0Lj2mU2JrJ5boYUx40e2ZLuVrBqHbuO16ekATsO2RUeLd5NY9uL pjirxoZN3hnburNl6RnoE/uqUeVLk5Qw5V8FFrtNhqWJaE/TWGDUR3S0gu62/EK1 hdkUmAbpZJNS77SaIGHgGJTsCU42Q7Ha17t48Vrc82NnBzEAGKTZ1W6wwwY83e9I cPAVlHBZOClZYjhH/DuIflhpci/Gsyo2Pj0wV8+OqwJwYp1iVU7nr0QQhsrVL89U aaQh4Yd0l8tmRv8Rru7j2rqh1DtOMfc0AzuPZatkNJ+idklNAZx9TRlHf4JyHhQY fon17X30WhywDcyhOsWas+DjauBslYCRpuAAcfkNN6pU9jC54Q4W4FnTS0ofTLUQ iuXApo1RgfD+g9vo4By5Vke+BMawW+zuf++bf/L8XXIjlfV1h1ETYkPuM1GFpGhg kjwRRj61cl9TLMyGyn6g2v0PKOyzCtbI3a+yC/wKG2ZAn1F/DVE7efNxTFYeQsLR yFoS0Cf36900c22ysBneQMhJH99HSj/f1f4ANEZFxPb0X6Dp5SO9lZGq/PHuftxV RtMTrGCR+v8= =9CTq -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0621 Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP4) 2 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Linux Kernel Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-3565 CVE-2022-3424 Original Bulletin: https://www.suse.com/support/update/announcement/2023/suse-su-20230226-1 Comment: CVSS (Max): 7.4 CVE-2022-3565 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP4) ______________________________________________________________________________ Announcement ID: SUSE-SU-2023:0226-1 Rating: important References: #1204167 #1204432 Cross-References: CVE-2022-3424 CVE-2022-3565 Affected Products: SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for the Linux Kernel 4.12.14-95_105 fixes several issues. The following security issues were fixed: o CVE-2022-3424: Fixed use-after-free in gru_set_context_option(), gru_fault () and gru_handle_user_call_os() that could lead to kernel panic (bsc# 1204167). o CVE-2022-3565: Fixed use-after-free in del_timer() in drivers/isdn/mISDN/ l1oip_core.c (bsc#1204432). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2023-226=1 Package List: o SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64): kgraft-patch-4_12_14-95_105-default-6-2.1 References: o https://www.suse.com/security/cve/CVE-2022-3424.html o https://www.suse.com/security/cve/CVE-2022-3565.html o https://bugzilla.suse.com/1204167 o https://bugzilla.suse.com/1204432 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9tpbckNZI30y1K9AQi5aw/8C+/QDgqpuxqYiRuArPCQjrs1euJM16Ny DJ5qzQThxAJhGc41tRVk1aodY1bKfyIby4FLpEKwsg/RPPMvJ1GPNhjxB279DerB JVNFkk8NN4IAGSW//qjjlfe7JDO7fChF83kjXH/PqxnChCcBRs81A4vYLxYp/CJm srTdgy2JJwxZTU9wjxmBG69hFzv3bCwWhw4BqDnHPVsPSIdSb+cHChTXOuOCYmnN YPziJ4hdOwfTstmDiR86xhHWXLFydpmwOE8mMWs5Jd/vgXojxXN9xcG82vAMDhPp NOUV/SEzvF5TVgIhlBeZQJiPVCLVMQu0IGvXQvrwmJIghqEnHJWvTYiT0C/MmQy9 oJlMCgTMscRljNjUE1MQ74TX+s6A6yDVm1jcFF5W3EhE7aa4MvfwU0b7MdWWBsOr PKGHeH80nP0IwkO6Kajgul/SQCSSU6a+nOGGe5gGJG5ZwmdAMQt9uCacwuv9HM1E NZl4+rLmVPKeoU5+13OU1JrztKtQaZ0Gmn83rsLFVQ0rWwwlxbTy+1ZUp9+e4SkY lrfz6zGFbD5YfSIx42+KXweVMsdD7zwuAGuQilIgEhhkavvtO7XtlxY91dGKLnD3 C8o8SxOxxOcXkGa5hYAQzuJiub1ElgkkCSCowFD0W828FVP/W8NUzMLcHHUg4ZcH hMpwfyygsY0= =2VDy -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2023.0620 Security update for python-setuptools 2 February 2023 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: python-setuptools Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-40897 Original Bulletin: https://www.suse.com/support/update/announcement/2023/suse-su-20230223-1 Comment: CVSS (Max): 4.3 CVE-2022-40897 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for python-setuptools ______________________________________________________________________________ Announcement ID: SUSE-SU-2023:0223-1 Rating: moderate References: #1206667 Cross-References: CVE-2022-40897 Affected Products: SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Realtime Extension 15-SP3 openSUSE Leap Micro 5.2 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for python-setuptools fixes the following issues: o CVE-2022-40897: Fixed an excessive CPU usage that could be triggered by fetching a malicious HTML document (bsc#1206667). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o openSUSE Leap Micro 5.2: zypper in -t patch openSUSE-Leap-Micro-5.2-2023-223=1 o SUSE Linux Enterprise Realtime Extension 15-SP3: zypper in -t patch SUSE-SLE-Product-RT-15-SP3-2023-223=1 o SUSE Linux Enterprise Micro 5.2: zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-223=1 o SUSE Linux Enterprise Micro 5.1: zypper in -t patch SUSE-SUSE-MicroOS-5.1-2023-223=1 Package List: o openSUSE Leap Micro 5.2 (noarch): python3-setuptools-40.5.0-150100.6.6.1 o SUSE Linux Enterprise Realtime Extension 15-SP3 (noarch): python3-setuptools-40.5.0-150100.6.6.1 python3-setuptools-test-40.5.0-150100.6.6.1 python3-setuptools-wheel-40.5.0-150100.6.6.1 o SUSE Linux Enterprise Micro 5.2 (noarch): python3-setuptools-40.5.0-150100.6.6.1 o SUSE Linux Enterprise Micro 5.1 (noarch): python3-setuptools-40.5.0-150100.6.6.1 References: o https://www.suse.com/security/cve/CVE-2022-40897.html o https://bugzilla.suse.com/1206667 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY9tpCMkNZI30y1K9AQjIZQ//Q5TJ1jOGdk3jGYWf6XSmu0HR+3gnmJMT XOpUrWS9x/kwAP1ith//WgghewpjJCMXS9s/f95RyeBdOIGtnaq+8Aw20qgGAW84 uWGT2A8jHPY3FXq0G7xzHXAqYH5OM6x273LIUC47uFSJ7zAwlwC6NptQVDZqEj2f sOG6P7sI2eHH2r8PqCDoSJ/MWIrQcbE+zHDNvJcFCiAaAeJ24qIhj8hMjFwEWa3M BpPtvzvHBIQH6ZMPQBaJ9eCBVRJDSHI4kT/45i0SE8oaDaJnThT01+mbzcMkxX1L Uqqmcq0rjoNAayGNOOwujDhTqNuRe88cEKI1wj/S8LxzVarUdGQLACz3RNG0ICo/ WpuQSg5i+EHtlVkxtod0pfSOKfGdQOcFUUNXFvBpYIZsqFO2LZjcEBR184hwKblQ WnOkK/AEyLN0xKZ2VeTDV0p/R8kOfHIObyOCgQY48pXIXrWk7QS2JHe6uBb7ns8f /M0haPtXtp0uM7+BJU7oH6LVkVkQETI26lq0vblYwD/ld2PVqI2n6rUd2H2PfXBy 9P7w7I0pS+Y4iXLA6OgNR+YlkHkSYfrJthEt1nGz8uqQ47lpV0BAe+xAU12s3MBL ncg8zTf5FUHBHG9Gxxr8EqKBAlzYPQcgqqmjKTesedNGnZ6qd3DUMqP9ObgGrTdk dIYd6s+wSK0= =yTWI -----END PGP SIGNATURE-----