AusCERT - Security Bulletins

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3086 Citrix Hypervisor Security Update 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Citrix Hypervisor Publisher: Citrix Operating System: Virtualisation Resolution: Patch/Upgrade CVE Names: CVE-2022-26362 CVE-2022-21166 CVE-2022-21127 CVE-2022-21125 CVE-2022-21123 Original Bulletin: https://support.citrix.com/article/CTX460064/citrix-hypervisor-security-update Comment: CVSS (Max): 6.4 CVE-2022-26362 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) CVSS Source: [NVD], Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- Citrix Hypervisor Security Update Reference: CTX460064 Category : Medium Created : 23 June 2022 Modified : 23 June 2022 Description of Problem A security issue has been identified in Citrix Hypervisor 7.1 LTSR CU2 that may allow privileged code in a PV guest VM to compromise the host. Citrix believes that there would be significant complexity in performing this attack in Citrix Hypervisor. This has been rated as a medium severity disclosure; the full text of the public bulletin can be found in Appendix A of this document. The issue has the following CVE identifier: o CVE-2022-26362 In addition Intel has disclosed several issues that affect CPU hardware and may allow code inside a guest VM to access very small sections of memory data that are actively being used elsewhere on the system. Although this is not an issue in the Citrix Hypervisor product itself, Citrix is releasing hotfixes that include product changes to mitigate these CPU issues. These issues have the the following CVE identifiers: o CVE-2022-21123 o CVE-2022-21125 o CVE-2022-21127 o CVE-2022-21166 Customers who are not running PV guest VMs are not affected by the Citrix Hypervisor issue. Customers who are not using Intel CPUs are not affected by the Intel CPU issues. What Customers Should Do Citrix has released hotfixes to address this issue. Citrix recommends that affected customers install these hotfixes as their patching schedule allows. The hotfixes can be downloaded from the following locations: Citrix Hypervisor 8.2 CU1 LTSR: CTX459954- https://support.citrix.com/article/ CTX459954 Citrix XenServer 7.1 CU2 LTSR: CTX459953- https://support.citrix.com/article/ CTX459953 What Citrix is Doing Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins . Obtaining Support on This Issue If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case . Subscribe to Receive Alerts Citrix strongly recommends that all customers subscribe to receive alerts when a Citrix security bulletin is created or modified at https://support.citrix.com /user/alerts . Reporting Security Vulnerabilities to Citrix Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/ trust-center/vulnerability-process.html . Disclaimer This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document directly from the Citrix Knowledge Center. Changelog Date Change 2022-06-23 Initial Publication - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUhc8kNZI30y1K9AQgc3w//ZT5YCp6Ivt1DyD63YIjnxazmqkLPccbh gKGeBrNcOgUAs4XmpllkVbpfpfEYgkDnqjsNm9y5x3nKhS5/yw6+HNPOQmMynjv7 UovqclbPQu31As/inaAGJpZCod13XulPxPxyGfTI/tN3nbLnvLwfhRG71sOXbkiv S8VzaRbvGJqLNAQcHifyoAYmV8E19dLjnkB47wyb67KZ7adKJgqVEQCmzJpnjWaz oJBfS/wuTPmHFVfU0HO1T2RmBME23rbIG3z+veQeTp6dKxAGFdjoKqfYMVFe+kdq FKnM22T6Xvcxb/3Ac9Gvi6agFZ7PsDd0pckoi8GNA3tt5aIjgb9aA8MiDgVEgCLv TnbWDOe0PrYztNJz6BcqvkLRpfw9HPu86AgAk4o+H+eMryFpt2/4rmLdqPukaihp VioQ6XvM5vzPB+TNCSHA5dkCZgk0Sw2bdyWToR4UwTOkQacTBlO2MJPraONZEnjv S0pXJUjTstEwUivRjfGNK/P0bAcffPjXKDyi+KXrH25BxLR3wRlQ9uJjyX/jtJU6 PioC0MFlg2x02L+SYmTZlvi9hwo3e8h/jLoXp5e0Xs7RJqfqvywc/zNJ20cRf53F HjgfzEADhmfZ6gfvI96+tf46NleRt9c0ID2o7m+UWfBVYm36gTDd2O6ytvuaPx7s 1cwdmhs8zjM= =+qee -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3085 USN-5487-3: Apache HTTP Server regression 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Apache HTTP Server Publisher: Ubuntu Operating System: Ubuntu Resolution: Patch/Upgrade CVE Names: CVE-2022-31813 CVE-2022-30556 CVE-2022-30522 CVE-2022-29404 CVE-2022-28615 CVE-2022-28614 CVE-2022-26377 Original Bulletin: https://ubuntu.com/security/notices/USN-5487-3 Comment: CVSS (Max): 9.8 CVE-2022-31813 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:I:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- USN-5487-3: Apache HTTP Server regression 23 June 2022 USN-5487-1 introduced a regression in Apache HTTP Server. Releases o Ubuntu 18.04 LTS o Ubuntu 16.04 ESM o Ubuntu 14.04 ESM Packages o apache2 - Apache HTTP server Details USN-5487-1 fixed several vulnerabilities in Apache HTTP Server. Unfortunately it caused regressions. USN-5487-2 reverted the patches that caused the regression in Ubuntu 14.04 ESM for further investigation. This update re-adds the security fixes for Ubuntu 14.04 ESM and fixes two different regressions: one affecting mod_proxy only in Ubuntu 14.04 ESM and another in mod_sed affecting also Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. We apologize for the inconvenience. Original advisory details: It was discovered that Apache HTTP Server mod_proxy_ajp incorrectly handled certain crafted request. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. ( CVE-2022-26377 ) It was discovered that Apache HTTP Server incorrectly handled certain request. An attacker could possibly use this issue to cause a denial of service. ( CVE-2022-28614 ) It was discovered that Apache HTTP Server incorrectly handled certain request. An attacker could possibly use this issue to cause a crash or expose sensitive information. ( CVE-2022-28615 ) It was discovered that Apache HTTP Server incorrectly handled certain request. An attacker could possibly use this issue to cause a denial of service. ( CVE-2022-29404 ) It was discovered that Apache HTTP Server incorrectly handled certain request. An attacker could possibly use this issue to cause a crash. ( CVE-2022-30522 ) It was discovered that Apache HTTP Server incorrectly handled certain request. An attacker could possibly use this issue to execute arbitrary code or cause a crash. ( CVE-2022-30556 ) It was discovered that Apache HTTP Server incorrectly handled certain request. An attacker could possibly use this issue to bypass IP based authentication. ( CVE-2022-31813 ) Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 o apache2 - 2.4.29-1ubuntu4.25 o apache2-bin - 2.4.29-1ubuntu4.25 Ubuntu 16.04 o apache2 - 2.4.18-2ubuntu3.17+esm7 Available with UA Infra or UA Desktop o apache2-bin - 2.4.18-2ubuntu3.17+esm7 Available with UA Infra or UA Desktop Ubuntu 14.04 o apache2-bin - 2.4.7-1ubuntu4.22+esm8 Available with UA Infra or UA Desktop o apache2 - 2.4.7-1ubuntu4.22+esm8 Available with UA Infra or UA Desktop In general, a standard system update will make all the necessary changes. References o CVE-2022-26377 o CVE-2022-31813 o CVE-2022-28614 o CVE-2022-29404 o CVE-2022-28615 o CVE-2022-30522 o CVE-2022-30556 o https://launchpad.net/bugs/1979577 o https://launchpad.net/bugs/1979641 Related notices o USN-5487-1 : libapache2-mod-proxy-html, libapache2-mod-md, apache2-suexec, libapache2-mod-macro, apache2-mpm-prefork, apache2-ssl-dev, apache2-suexec-pristine, apache2-dev, apache2-utils, apache2.2-bin, apache2, apache2-mpm-itk, apache2-suexec-custom, libapache2-mod-proxy-uwsgi, apache2-bin, apache2-doc, apache2-mpm-worker, apache2-data, apache2-mpm-event - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUhMskNZI30y1K9AQgBbw//dmQXN36EaDNC37Ar3Tx+7AKMXPuz+p6i bfiYGzzdWfXGnalaZ+E96BvfXD2cBv4o5ndFA58Z/7IiQOGLOje9IU9/lQ/uySyI Tk3nEVRvVsQnVKhcPj69IpPWVwRGraYgK+A6qOlIqrVrb/r444Y58iRZo/qoOGon aZCRkIiQFwWV2IkIM+CJggN5u8kCmoCLZDYl5CtRTGXwieNr/w9BxLAPSD8BdyWJ h/+374jn3vF0tpFxUAUo4TwfUyMy79VijyKFbWFYEL6gNqBeMN6N/Pco31fWP+Vh XjDj+mibxueiswiX2GfxiKgMmWqpoGYA8aaUwr3H63vvGAZBBPyVXoCOJb88NIJ4 XL3T20k+NrhnmG3ikzFECGHIGBLZBYM6rNnMzP/CyYBAuJXaiRAwnO+mGi6MvCQz VLD5ncrn/wrvB0RZeTr1OYuthbQA+W7/79NAEWB48XdxKyhJR/WhVS0bQsie5i8B OXPz40FHyUCGXShiLfwfcUDNrxPauIVl21Z6ultEYYwaRA6DOZWQBEDUtBuFIjt/ 4n5Gq1En9Yqu2hLn+ghyVtd/S0pwxapGIw7GoLjykusykD7MG7ueF3xiVAX/fQbo hrsre6gUUpo6f50D/zMaTXWFjE8WpMHHYNMQiUBN/E3laUVvvOWBVFfBRbFfOriE NsWgUqL2V74= =q9x6 -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3084 CVE-2022-34305 Apache Tomcat - XSS in examples web application 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Apache Tomcat Publisher: Apache Operating System: UNIX variants (UNIX, Linux, OSX) Windows Resolution: Mitigation CVE Names: CVE-2022-34305 Original Bulletin: https://tomcat.apache.org/security-10.html https://tomcat.apache.org/security-9.html https://tomcat.apache.org/security-8.html Comment: CVSS (Max): 5.4 CVE-2022-34305 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- CVE-2022-34305 Apache Tomcat - XSS in examples web application Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.1.0-M1 to 10.1.0-M16 Apache Tomcat 10.0.0-M1 to 10.0.22 Apache Tomcat 9.0.30 to 9.0.64 Apache Tomcat 8.5.50 to 8.5.81 Description: The Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability. Mitigation: Users of the affected versions should apply one of the following mitigations: - - Remove the examples web application as documented in the Tomcat security guide - - Upgrade to Apache Tomcat 10.1.0-M17 or later once released - - Upgrade to Apache Tomcat 10.0.23 or later once released - - Upgrade to Apache Tomcat 9.0.65 or later once released - - Upgrade to Apache Tomcat 8.5.82 or later once released History: 2022-06-23 Original advisory References: [1] https://tomcat.apache.org/security-10.html [2] https://tomcat.apache.org/security-9.html [3] https://tomcat.apache.org/security-8.html - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUgSckNZI30y1K9AQix7xAAtBauUfwlhtLB8gB+nTf83EILpfr/5CIS HArN77kLHz/QJEgwZB2SZpYZfuVRzufqJvjriDSzVCHL8WD6cbM056lp5Vp/Xdav CEz//yOcCXNnIDltVl9WxfL6ORzsN4P0gerzVWQKiTIBw5ijWvbd8zk9kBQQNkEX HcwSXHCb/qRG9sUASYnhpIgCtH/42/+P7cW+1JUjW7AOuyePORZETYAlScfztwZ3 Z8SD32rMnVT3edtsWSs/3JHUo2NXkyrkaiUPvoW3DIqhOC5Q95zIQIg8tx59LYIT oEhWoHA5oxjF+hCox6+8uPvnYqsqnlhKNoBymDjNu1LdyXEy8sQ+bTaQdtemAxVZ K8cleIdT+FDGH62HqNq2AjsyP/ll+2Q2EJgZhvYNU3oxD0BwmmgIOYGS+JTVCPhv p07eb34gufczMtglOzPd/wjLHcTzm4NWeEYPjM6mgWAjZNKFWkjj/OfCVpE0WIeV u9aFAMkfrHk2B24qFvbhUtzetf/P2HXTKHA2iNOHA2Zs/sbqDkqPJPdCAQbgS/QQ okX7kjjfR5avu1IgeQV9+T0PkeEeAKElrzLk9Mr8P3s3lt347NgvLi6C/lJacW9W 6hAl54hG1i0topW/ml7AEimpOrmcTDb4nmnGLd/U05jGTESDXDs/XiKC9aNRpxDA DbX7ouIxmWk= =YyfR -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3083 request-tracker4 security update 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: request-tracker4 Publisher: Debian Operating System: Debian GNU/Linux Resolution: Patch/Upgrade CVE Names: CVE-2021-38562 Original Bulletin: http://www.debian.org/lts/security/2022/dla-3057 Comment: CVSS (Max): 7.5 CVE-2021-38562 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSS Source: NVD Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3057-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Chris Lamb June 23, 2022 https://wiki.debian.org/LTS - - ------------------------------------------------------------------------- Package : request-tracker4 Version : 4.4.1-3+deb9u4 CVE ID : CVE-2021-38562 Debian Bug : #995175 It was discovered that there was an issue in request-tracker4, a extensible ticket/issue tracking system. Sensitive information could have been revealed by way of a timing attack on the authentication system. For Debian 9 "Stretch", this problem has been fixed in version 4.4.1-3+deb9u4. We recommend that you upgrade your request-tracker4 packages. For the detailed security status of request-tracker4 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/request-tracker4 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmK0GKUACgkQHpU+J9Qx HlhjpRAApVpaKCROWd4npxAMtHulSc8E+0dgwQ6rugBPFhnDQwEnxa+0ub1SDhHu s48JRKBxPF4CxD4SnrMOGDeybe6udS/r0GJa2gDxD8Rj2Nep5T/vqRL8zUrhgxAn N8Bjchc2BnxdAuwNlwh0a92PsDaPsl1p6u5LEPQEmez/G61kL4YPxznfqGBOET5h 8x6bXSPDJydQdNhXKrN8S1mLIsn2TP0QddddEiT9SX0oKG51sf704GB+5pDn9zHT Q+Vxgh5K0YVMMezz8wL4NENOqjy5xbJy41QW3YLNagkQjdA+pA4r7JBPKUSCElll 0ahF/bbryFfx/oM+zWIQY/JqniCU5fMfdOXOYmvDz45DZcpcvlH2My/uKHKEjbFn 3iiiGtSDHGRABtY7M9yTmlwUd2dvdCPtUgO0pssDnqL7qzvKwfmi557z0v1F3re+ 7I0GJEBx7X2vXlT9P+AcK6dDV5W30jT1remMPXTV0S+GJnw186EFboX7QoRg1Ecr BsjFmYE8/AyvIA7deqloZivu6p4oCj0znCsC968dknXfLMIwsn5Oj25keT4rJqQZ N7J4eYI2b0L5VHHT44hREHk/K0Zy2tmTGQx5tYNfwUsp4fsbAgI/4uPWoJhit5vs 6XpKkHVrwxh8MpQR546mO6wvybs1a4j8h9aNhdCtpJCdVJsO2GU= =5Djv - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUWNMkNZI30y1K9AQhP3xAAvWIN3eMFSW50Wufq1OM40wnQDwm5adyK mkcstxCnAYG37S/y76oJsygdI3m8rbF0gttD3LK5vtXtnZUaglC/E0GcXIRktTUL 2l/tWfdQYhsOKjbSGgKtyW6w/mv2En8M/pVDkEF6T6plYo6GdnCKntYfxitkfcmn b2oTWIc2LEeneTnPoFvI79Jq7SLm2AYoMln/9FFRvEdU5E2nFWF77uBSxe4FqWHa X14phzoGLhAugdx/6AYZ3KPgjpckE2i4AOV+fG+NXAYRESbIqDFbDJOVFhmqxRuB VXlqj+gEeJNWXlUpka9IlO4zGd+gnejQZAsI0tC76M21kF3/R2Cy1bw3F17xwm3B MQktn4kjNGMgm3Xei3nXny2DQWVDYABsgs0XMHBnW8Y55HNmSi33emcsPlkJjHY8 eWub+k2Z+8ihe2jrdqpmRN12dexjQvXhS6urKQedsHumS83oORnixLBWejDe1QQK XlWPwioW5wSgrxBw3qaIepFiGenG1++FAR5bxW344T7etU/OOGfJBkFOq5EGwbxK Jl6kHgu4haay0RSQ3ppfpwo3VKH1a8LabzRgtQRuQ1XgJmLeRK4kU6FsXqyOKNCm pf6ppMMSH6QVKx9Qy2ZoP6BlRtez+ukF5e+M6Myj9eU3EwrI7J5Df+d6TbaZ+Qys l32oLTDlC4s= =C1Af -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3082 Red Hat build of Eclipse Vert.x 4.2.7 security update 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat build of Eclipse Vert.x 4.2.7 Publisher: Red Hat Operating System: Red Hat Resolution: Patch/Upgrade CVE Names: CVE-2022-25647 CVE-2020-36518 Original Bulletin: https://access.redhat.com/errata/RHSA-2022:5029 Comment: CVSS (Max): 7.7 CVE-2022-25647 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H) CVSS Source: Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat build of Eclipse Vert.x 4.2.7 security update Advisory ID: RHSA-2022:5029-01 Product: Red Hat OpenShift Application Runtimes Advisory URL: https://access.redhat.com/errata/RHSA-2022:5029 Issue date: 2022-06-23 CVE Names: CVE-2020-36518 CVE-2022-25647 ===================================================================== 1. Summary: An update is now available for Red Hat build of Eclipse Vert.x. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE pages listed in the References section. 2. Description: This release of Red Hat build of Eclipse Vert.x 4.2.7 GA includes security updates. For more information, see the release notes listed in the References section. Security Fix(es): * jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson (CVE-2022-25647) For more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. 4. Bugs fixed (https://bugzilla.redhat.com/): 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson 5. References: https://access.redhat.com/security/cve/CVE-2020-36518 https://access.redhat.com/security/cve/CVE-2022-25647 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=4.2.7 https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.2/html/release_notes_for_eclipse_vert.x_4.2/index 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYrRWD9zjgjWX9erEAQhySBAAlXKnG1+57IQ9cKGQWzpLWKFWJVqsyrGb hI/qVXa3T2DnslKYD061oBjY6FEBYwVqOrZLkv+9bSuW5CqdworRqzW+ozpPUJw4 1IKqO//OXQ/2UAB9FSKjhcyIB/d6af3urm47rtbeplt8WBF3fh4+Zo+sVxpTRbhX Kmy+z7YIEKkstR5AQR05mt9KHjpKkj4p2xMwtz3p+VJ0sff0O6gSMdA3oPKoSbms b43OhcBeiO5eqXryTgtIauRC2tzOk1lGryfDoWI24x4RFPhgK9r67Vv8r6j6psFi 6mBcJvzCpynJSnVOR75KQl9E3t7yuIJR14M6p+PndlcrncMg7S7nlhVvRgdun+Dj JuL5Kd8QDqu/UQiqLYCpCoZUkyDpg3ztVgR84Y0AFWMH7Q4o+K/dlWBwE1ejrxx0 klurqysi86Ra0UKwk5zzfvNi/r/Cm/7xdMliNrx8pozuZiFK4nW4y9a6Uvu7AH8v nA4cC5zeM9DWFntZiCn3bfigSRcTdZlfhnvk6Csgzu/HhYR9p2QGnY76ZSgaVq45 ptqT37TDFHFhJSKhR7GLxwrVogT5HjrHV3OMpH2P7p/pO7MkKJovDY+YG5xk1TB8 gdBYMYiSGhlIRrdIeoLGIkqcOs0cEP86+UO1yeYjvIssG6dArotiSJt3LTN/mLzf LEg430ARk3s= =qurb - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUUv8kNZI30y1K9AQi9fQ//d+r56ZzyWLKfGuxBoqHODGE21MlImu70 n6ZpaBlPmCt6QEBs+dMRfa/TJZeP45bUzK4esa6v/wqBs7JOfIDYJOwXkW1GPYKb UboKPtT8WM2dSoDUto0hmdjOgKdYV5TJzOCKzOgtX3tfj4P2zjv9sTj3yfP0qtJn lluXIWO7ym8hKF1z43Ga3V2hr60N1etXBxsi1oNK7RXq+t8QtGrluUs56zgdJR0l gvjBaEkQ6195fFutYPZ6w+2NWf1dXQkUXOJg36MWtlKLZO6v3TsXGmRh2Wf0OuMm xgfzeC7cqkEuOD1AFjm8GSZGOAS4XycTUgS3/B/mkkAvAmYYimMU7d6yC/GyIFtK Nhl9LuQuxctEJBlnFSgGEueeziSPFQL0ZVhWbQjgbzLGDKvAPNkaxoY33+C7syzH Xa84WS3BuUvGqewAlovULX0AGCPdUH8TOCE2W2jcUuY/AxwvbmnreBdxq1NhhuvE nNnsS4y8LuHv1ESCPb+ew/mqdfqVDALU8U2c/xAIlDrLcWXFI20VdUsHDOp7hSpP CSDOD3dejiOwkNMN/Wve6HJkvYIVKEHAXmoMjjyoFKnL1HWia5oy3WT8FMoSULYG YyuIIuB0GDBb8/56OXzDjkeVR+I3bRHVK5fPkgCG6n8i6mB6A/goNrNdmppkPreP /sZCHHESQSw= =A7C2 -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3081 Advisory (icsma-22-174-01) OFFIS DCMTK 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: OFFIS DCMTK Publisher: ICS-CERT Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2022-2121 CVE-2022-2120 CVE-2022-2119 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsma-22-174-01 Comment: CVSS (Max): 7.5 CVE-2022-2120 (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Medical Advisory (ICSMA-22-174-01) OFFIS DCMTK Original release date: June 23, 2022 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 7.5 o ATTENTION: Exploitable from an adjacent network/low attack complexity o Vendor: OFFIS o Equipment: DCMTK o Vulnerabilities: Path Traversal, Relative Path Traversal, NULL Pointer Dereference 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition, write malformed DICOM files into arbitrary directories, and gain remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of DCMTK, libraries and software that process DICOM image files, are affected: o DCMTK: All versions prior to 3.6.7 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22 The affected product's service class provider (SCP) is vulnerable to path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution. CVE-2022-2119 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ( AV:A/AC:H/PR:N/UI:N/S:U/ C:H/I:H/A:H ). 3.2.2 RELATIVE PATH TRAVERSAL CWE-23 The affected product's service class user (SCU) is vulnerable to relative path traversal, allowing an attacker to write DICOM files into arbitrary directories under controlled names. This could allow remote code execution. CVE-2022-2120 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ( AV:A/AC:H/PR:N/UI:N/S:U/ C:H/I:H/A:H ). 3.2.3 NULL POINTER DEREFERENCE CWE-476 The affected product has a NULL pointer dereference vulnerability while processing DICOM files, which may result in a denial-of-service condition. CVE-2022-2121 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ( AV:A/AC:L/PR:N/UI:N/S:U/ C:N/I:N/A:H ). 3.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: Germany 3.4 RESEARCHER Noam Moshe of Claroty reported these vulnerabilities to CISA. 4. MITIGATIONS OFFIS recommends all users update to Version 3.6.7 or later. For more information see Bug #1021 CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet . o Locate control system networks and remote devices behind firewalls and isolate them from the business network. o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov . Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target these vulnerabilities. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrURoskNZI30y1K9AQj2Mw//RJWzJmFsZ15HA0O5/EbMPCBI8hR31+kK 80HXJuXWRKjImCSFx+Q+u/zxIq3iHX9/fPgjHoNEGJq3KKVwHxv9A8fOxRjk0q0k B1KcMDTWUJqW90oNe4qpyGMu9uCriKk+0I2V8p9hVwyaMYf9pmYv3sWUZM3fb4b9 FbeZ1Yso/S3+fAc9WeXLJAbvhtG2qc2z3S54J2mgiPek8DhnUwGxX7OwWrfE/i1J 7SErKqLqvKK30HO1gSa2SPbydfDQwsUk69yBEuMFOS0FB490gtkmY8YWXpzPvCIO UbmOg39yva7c/JE6W5CIA6lkryUagB1YBGu+2XSxdiYPK05xQ2XVZp0eEuaproxH mJStuzHL4GhPAHGigI3hUZ0TXWJLWUsNDcBiFUUpICfhb/sZtZidTvuMZ7Z9V8ro E6x4kTRJkHB+uHC+CnlaGcyLd7k2Yths3KOfkgyfjJNqU3rk4DaXXZbsJSHgbcZs cwUxOzSBe6yKc0L27GvRrrPBkVmdqPHpHi+8B52L84LPY+R3bJz84aZdbfXfCyl2 WX+cAs7pg2Cwt1dvg9+TaRat2DxOMQHokhZnce7kEhHoJ4xtbkSyzrwV72tXfScI hhTYCuEL27xQsS01ECh4KP74dzHSyqQiSEH4Va1WO/0kQWLpZd31G1I2GtcFKhk1 7BITpiRMoLM= =Egsq -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3080 Advisory (icsa-22-174-05) Elcomplus SmartICS 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Elcomplus SmartICS Publisher: ICS-CERT Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2022-2140 CVE-2022-2106 CVE-2022-2088 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-174-05 Comment: CVSS (Max): 8.8 CVE-2022-2140 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-22-174-05) Elcomplus SmartICS Original release date: June 23, 2022 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 8.8 o ATTENTION: Exploitable remotely/low attack complexity o Vendor: Elcomplus LLC o Equipment: SmartICS o Vulnerabilities: Improper Access Control, Relative Path Traversal, Cross-site Scripting 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to view files on the system or terminate processes on the system. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Elcomplus reports these vulnerabilities affect the following SmartICS web-based HMI: o SmartICS v2.3.4.0 3.2 VULNERABILITY OVERVIEW 3.2.1 CROSS-SITE SCRIPTING CWE-79 The software does not neutralize user-controllable input, which allows an authenticated user to inject arbitrary code into specific parameters. CVE-2022-2140 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:N/S:U/ C:H/I:H/A:H ). 3.2.2 RELATIVE PATH TRAVERSAL CWE-23 The software does not validate the filenames sufficiently, which enables authenticated administrator-level users to perform path traversal attacks and specify arbitrary files. CVE-2022-2106 has been assigned to this vulnerability. A CVSS v3 base score of 3.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:H/UI:N/S:U/ C:L/I:L/A:N ). 3.2.3 IMPROPER ACCESS CONTROL CWE-284 An authenticated user with admin privileges may be able to terminate any process on the system running SmartICS. CVE-2022-2088 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is ( AV:N/AC:L/PR:H/UI:N/S:C/ C:N/I:N/A:H ). 3.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Communications, Commercial Facilities, Energy, Water and Wastewater Systems o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: Russia 3.4 RESEARCHER Michael Heinzl reported these vulnerabilities to CISA. 4. MITIGATIONS Elcomplus has released Version 2.4 to address these vulnerabilities and recommends users update to the newest version. Users can obtain the new version from Elcomplus . CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet . o Locate control system networks and remote devices behind firewalls and isolate them from the business network. o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov/ics in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: o Do not click web links or open unsolicited attachments in email messages. o Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. o Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploits specifically target these vulnerabilities. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrURlMkNZI30y1K9AQgIIg//Z3KFevxtOLSK34V45v7k8D7N40bzkggf 7ckB3k0ceBw1rdk/bRowJi7M5XMhMNrG91YvXKpaLJ97U9+fRedjppSQWe58s/f6 wSzZ0ywJZ56nxdzwG//ViBpmIVeVND1O6sT3awDIt4oyTqlqgi2QYStwdW0hL1bD gSI0YGoIBX6ErRbGQCarVHksQurKD2hpwuruFBepmrjV0UDf8FmmbYlyZVzr5yH2 KAzK38rUnFKBq1EFciZoNAAeFd3KvxBsRSPrIH+yqUXQEWTKEoCUAzq2GEsc+U4x HM+brfJPuXZHCrQZ5H3ceLY5NoxIwdMR2iozCGq1eO5gzvpHtPs9BFjPmX9D3cyF 2J6J6S704kbteq+S++ay+e++3tBiyELscDf1RmPYAoVNkRctswGV453nirs8kcR6 D8JlOTegroZIkCnwyWJydIrvW5cC0/EWL2Vkeh27RqPKTzifl7iuMK73Owzp+T6x b0lXlqQBOpPO0uscbZnSFsCknpqHb9LCueH7ZjEopRndNCHCOAehBew/uhK7uBhQ pbJMl9CdxYqzr3L/TAEzPQhf7/cBgJRzoPvciIjwMl49FM6VDANmOZ8d/apnd8CE mGVEDK4oBRElKbXK7KTdVw9BOcHZW2ormP6kODoWFBQ+i4DXTEnKv6XnbRwdp3Ei M9wEmds1QJ8= =GbaW -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3079 Security update for xen 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: xen Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-26364 CVE-2022-26363 CVE-2022-26362 CVE-2022-26361 CVE-2022-26360 CVE-2022-26359 CVE-2022-26358 CVE-2022-26357 CVE-2022-26356 Original Bulletin: https://www.suse.com/support/update/announcement/2022/suse-su-20222158-1 Comment: CVSS (Max): 8.1 CVE-2022-26364 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for xen ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:2158-1 Rating: important References: #1197423 #1197425 #1197426 #1199965 #1199966 Cross-References: CVE-2022-26356 CVE-2022-26357 CVE-2022-26358 CVE-2022-26359 CVE-2022-26360 CVE-2022-26361 CVE-2022-26362 CVE-2022-26363 CVE-2022-26364 Affected Products: SUSE CaaS Platform 4.0 SUSE Enterprise Storage 6 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server for SAP 15-SP1 ______________________________________________________________________________ An update that fixes 9 vulnerabilities is now available. Description: This update for xen fixes the following issues: o CVE-2022-26356: Fixed potential race conditions in dirty memory tracking that could cause a denial of service in the host (bsc#1197423). o CVE-2022-26357: Fixed a potential race condition in memory cleanup for hosts using VT-d IOMMU hardware, which could lead to a denial of service in the host (bsc#1197425). o CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361: Fixed various memory corruption issues for hosts using VT-d or AMD-Vi IOMMU hardware. These could be leveraged by an attacker to cause a denial of service in the host (bsc#1197426). o CVE-2022-26362: Fixed race condition in typeref acquisition (bsc#1199965) o CVE-2022-26363, CVE-2022-26364: Fixed insufficient care with non-coherent mappings (bsc#1199966) Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-2158=1 o SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-2158=1 o SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-2158=1 o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-2158=1 o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-2158=1 o SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2022-2158=1 o SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. I will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: o SUSE Linux Enterprise Server for SAP 15-SP1 (x86_64): xen-4.12.4_24-150100.3.72.1 xen-debugsource-4.12.4_24-150100.3.72.1 xen-devel-4.12.4_24-150100.3.72.1 xen-libs-4.12.4_24-150100.3.72.1 xen-libs-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-4.12.4_24-150100.3.72.1 xen-tools-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-domU-4.12.4_24-150100.3.72.1 xen-tools-domU-debuginfo-4.12.4_24-150100.3.72.1 o SUSE Linux Enterprise Server 15-SP1-LTSS (x86_64): xen-4.12.4_24-150100.3.72.1 xen-debugsource-4.12.4_24-150100.3.72.1 xen-devel-4.12.4_24-150100.3.72.1 xen-libs-4.12.4_24-150100.3.72.1 xen-libs-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-4.12.4_24-150100.3.72.1 xen-tools-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-domU-4.12.4_24-150100.3.72.1 xen-tools-domU-debuginfo-4.12.4_24-150100.3.72.1 o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): xen-4.12.4_24-150100.3.72.1 xen-debugsource-4.12.4_24-150100.3.72.1 xen-devel-4.12.4_24-150100.3.72.1 xen-libs-4.12.4_24-150100.3.72.1 xen-libs-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-4.12.4_24-150100.3.72.1 xen-tools-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-domU-4.12.4_24-150100.3.72.1 xen-tools-domU-debuginfo-4.12.4_24-150100.3.72.1 o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (x86_64): xen-4.12.4_24-150100.3.72.1 xen-debugsource-4.12.4_24-150100.3.72.1 xen-devel-4.12.4_24-150100.3.72.1 xen-libs-4.12.4_24-150100.3.72.1 xen-libs-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-4.12.4_24-150100.3.72.1 xen-tools-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-domU-4.12.4_24-150100.3.72.1 xen-tools-domU-debuginfo-4.12.4_24-150100.3.72.1 o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (x86_64): xen-4.12.4_24-150100.3.72.1 xen-debugsource-4.12.4_24-150100.3.72.1 xen-devel-4.12.4_24-150100.3.72.1 xen-libs-4.12.4_24-150100.3.72.1 xen-libs-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-4.12.4_24-150100.3.72.1 xen-tools-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-domU-4.12.4_24-150100.3.72.1 xen-tools-domU-debuginfo-4.12.4_24-150100.3.72.1 o SUSE Enterprise Storage 6 (x86_64): xen-4.12.4_24-150100.3.72.1 xen-debugsource-4.12.4_24-150100.3.72.1 xen-devel-4.12.4_24-150100.3.72.1 xen-libs-4.12.4_24-150100.3.72.1 xen-libs-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-4.12.4_24-150100.3.72.1 xen-tools-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-domU-4.12.4_24-150100.3.72.1 xen-tools-domU-debuginfo-4.12.4_24-150100.3.72.1 o SUSE CaaS Platform 4.0 (x86_64): xen-4.12.4_24-150100.3.72.1 xen-debugsource-4.12.4_24-150100.3.72.1 xen-devel-4.12.4_24-150100.3.72.1 xen-libs-4.12.4_24-150100.3.72.1 xen-libs-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-4.12.4_24-150100.3.72.1 xen-tools-debuginfo-4.12.4_24-150100.3.72.1 xen-tools-domU-4.12.4_24-150100.3.72.1 xen-tools-domU-debuginfo-4.12.4_24-150100.3.72.1 References: o https://www.suse.com/security/cve/CVE-2022-26356.html o https://www.suse.com/security/cve/CVE-2022-26357.html o https://www.suse.com/security/cve/CVE-2022-26358.html o https://www.suse.com/security/cve/CVE-2022-26359.html o https://www.suse.com/security/cve/CVE-2022-26360.html o https://www.suse.com/security/cve/CVE-2022-26361.html o https://www.suse.com/security/cve/CVE-2022-26362.html o https://www.suse.com/security/cve/CVE-2022-26363.html o https://www.suse.com/security/cve/CVE-2022-26364.html o https://bugzilla.suse.com/1197423 o https://bugzilla.suse.com/1197425 o https://bugzilla.suse.com/1197426 o https://bugzilla.suse.com/1199965 o https://bugzilla.suse.com/1199966 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUQTskNZI30y1K9AQg8OxAAn2kHnEP4KIg76NQOpoj8EfJdVKtA7soU C6LC4OvBHTBegbMAOGthJf9Q0H5dKd7IMXnZBTIzENE1wYLDyKOd2NrFMEeIfLma /Mfx9RZxIuLY0bDAgfe0Ot6Gy2C/zsCVaTZy69AGQ0ExOo+TXXRmkNZQMj9/bqgO X9uBO4mV67zNR7VCGw2urTPBrF+toXa3EwVhuLBU0yvyemXc+qNQ/jAW5LcfZdyH STm9e9tcHniVRrvCFtiWc/jwm9ovruXvaLbNlW3oEImO2jRHxTkEWQLoxxpIWOlF SzGwqV54BybH6ph1t4awGOpb1fdHS+8jHY5H2t/XUTOTuBn756uDA8pY3Fe1qSbw UtVaKMxCasVEc1fROwF0HLl8ymyx3PRDGN9ACbUTchQNRh/gS9oGa6Jxnn3Ot5Mf Bwts4L03c8YJrtJWb69X9R/Qw8WPiaI77/XzaqqsNGN2Y+JIMTZ2f1JdYW4pGj3P +bXXC33xhrvj0268wxH0wS/bt6HYlHltmF7ZmxCxfUbsZKrNGgiEWJ+ON3+Z7qbH OqrtVnXdMNup+04z9A1JKjIhRuS1JI6ui9i1qzA4G8BmIaPzPX6C+cNrGRF0llWl XfmCVj4pa2AqqGk8vV8R9JxDHf0jCbzExhck2Rcq01GBLHvAkC87LFLsnAM3JEh/ 5nS1AsAplVc= =AEbJ -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3078 Security update for salt 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: salt Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-22967 Original Bulletin: https://www.suse.com/support/update/announcement/2022/suse-su-20222154-1 Comment: CVSS (Max): 7.5 CVE-2022-22967 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:2154-1 Rating: important References: #1200566 Cross-References: CVE-2022-22967 Affected Products: SUSE Linux Enterprise High Performance Computing 12 SUSE Linux Enterprise Module for Advanced Systems Management 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12-SP3 SUSE Linux Enterprise Server for SAP Applications 12-SP4 SUSE Linux Enterprise Server for SAP Applications 12-SP5 SUSE Manager Tools 12 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for salt fixes the following issues: o CVE-2022-22967: Fixed missing check for PAM_ACCT_MGM return value that could lead to authentication bypass when using PAM (bsc#1200566) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Manager Tools 12: zypper in -t patch SUSE-SLE-Manager-Tools-12-2022-2154=1 o SUSE Linux Enterprise Module for Advanced Systems Management 12: zypper in -t patch SUSE-SLE-Module-Adv-Systems-Management-12-2022-2154=1 Package List: o SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64): python2-salt-3000-65.1 python3-salt-3000-65.1 salt-3000-65.1 salt-doc-3000-65.1 salt-minion-3000-65.1 o SUSE Linux Enterprise Module for Advanced Systems Management 12 (ppc64le s390x x86_64): python2-salt-3000-65.1 salt-3000-65.1 salt-api-3000-65.1 salt-cloud-3000-65.1 salt-doc-3000-65.1 salt-master-3000-65.1 salt-minion-3000-65.1 salt-proxy-3000-65.1 salt-ssh-3000-65.1 salt-standalone-formulas-configuration-3000-65.1 salt-syndic-3000-65.1 o SUSE Linux Enterprise Module for Advanced Systems Management 12 (noarch): salt-bash-completion-3000-65.1 salt-zsh-completion-3000-65.1 References: o https://www.suse.com/security/cve/CVE-2022-22967.html o https://bugzilla.suse.com/1200566 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUQNMkNZI30y1K9AQhiyA//UF3oBe4xoIw9ATSdLOCzEVsV/rF+FlI6 jN+Dx33mku4WxBnxG2CyyLQ2y/dnUwEm1cX7yp43FhDvXSJ39Ga9YQ8npNWsH+iO MiwzRpXEIIFTbB7e2QEfRBIOzHIvAHiJR1q7mc5HRkPPftIJzxY4b40ZYEAtAaCh wLesUHiUltOXzmLBj/xoy0igWhXXd7+JdhnOXe2KoT01ZD3PPKUx0q8EHaVFHse/ CyhIrY2YD+umm3ZTggdXEfGoKzlh9cEQqebVIy8960RHzr4nGYacpMPU63xLEUGr tHel7jjcDjbIUAD9Io22MuBfco4jFBYPBVMy+QGhEuf4MKfdiK0Lysts70fDn+m3 qz1E1I+JbxbaJ0iik2HmY3G8xDVAv6k/BpGvDkazMFVl3LhfY2XcO1YtpQHU49jv 7YmHuvpf42usfGhe9goltsnKvKIwtbzL+s5lSpJiksQP/qF8ndxzxQxaTLQxWtbc tsrFF/kgae/hNpKSZpENaeKvNfN2oJ6ULXJSjAq5uqU0GB9z97mNmMzBepy1blT7 XwjFNCnbuy5s8DZScECcRHnalne0nLFzm7w0vdJ1j8erPLJavyAyMyXndT8Sgxt6 Y2qp87uENlCGMHMt2XhmYZTFbp7UZvG2DOGD1lscrNaWYeMppJAFUGjrRHTAvSWs wiL4tJbLamI= =IlmE -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3077 Security update for salt 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: salt Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-22967 Original Bulletin: https://www.suse.com/support/update/announcement/2022/suse-su-20222159-1 Comment: CVSS (Max): 7.5 CVE-2022-22967 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for salt ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:2159-1 Rating: important References: #1200566 Cross-References: CVE-2022-22967 Affected Products: SUSE CaaS Platform 4.0 SUSE Enterprise Storage 6 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS SUSE Linux Enterprise Server 15-SP1-BCL SUSE Linux Enterprise Server 15-SP1-LTSS SUSE Linux Enterprise Server for SAP 15-SP1 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for salt fixes the following issues: o CVE-2022-22967: Fixed missing check for PAM_ACCT_MGM return value that could be used to bypass authentication when using PAM (bsc#1200566) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Linux Enterprise Server for SAP 15-SP1: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-2159=1 o SUSE Linux Enterprise Server 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-2159=1 o SUSE Linux Enterprise Server 15-SP1-BCL: zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-2159=1 o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-2159=1 o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-2159=1 o SUSE Enterprise Storage 6: zypper in -t patch SUSE-Storage-6-2022-2159=1 o SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. I will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way. Package List: o SUSE Linux Enterprise Server for SAP 15-SP1 (ppc64le x86_64): python3-salt-3004-150100.71.1 salt-3004-150100.71.1 salt-api-3004-150100.71.1 salt-cloud-3004-150100.71.1 salt-doc-3004-150100.71.1 salt-master-3004-150100.71.1 salt-minion-3004-150100.71.1 salt-proxy-3004-150100.71.1 salt-ssh-3004-150100.71.1 salt-standalone-formulas-configuration-3004-150100.71.1 salt-syndic-3004-150100.71.1 salt-transactional-update-3004-150100.71.1 o SUSE Linux Enterprise Server for SAP 15-SP1 (noarch): salt-bash-completion-3004-150100.71.1 salt-fish-completion-3004-150100.71.1 salt-zsh-completion-3004-150100.71.1 o SUSE Linux Enterprise Server 15-SP1-LTSS (aarch64 ppc64le s390x x86_64): python3-salt-3004-150100.71.1 salt-3004-150100.71.1 salt-api-3004-150100.71.1 salt-cloud-3004-150100.71.1 salt-doc-3004-150100.71.1 salt-master-3004-150100.71.1 salt-minion-3004-150100.71.1 salt-proxy-3004-150100.71.1 salt-ssh-3004-150100.71.1 salt-standalone-formulas-configuration-3004-150100.71.1 salt-syndic-3004-150100.71.1 salt-transactional-update-3004-150100.71.1 o SUSE Linux Enterprise Server 15-SP1-LTSS (noarch): salt-bash-completion-3004-150100.71.1 salt-fish-completion-3004-150100.71.1 salt-zsh-completion-3004-150100.71.1 o SUSE Linux Enterprise Server 15-SP1-BCL (noarch): salt-bash-completion-3004-150100.71.1 salt-fish-completion-3004-150100.71.1 salt-zsh-completion-3004-150100.71.1 o SUSE Linux Enterprise Server 15-SP1-BCL (x86_64): python3-salt-3004-150100.71.1 salt-3004-150100.71.1 salt-api-3004-150100.71.1 salt-cloud-3004-150100.71.1 salt-doc-3004-150100.71.1 salt-master-3004-150100.71.1 salt-minion-3004-150100.71.1 salt-proxy-3004-150100.71.1 salt-ssh-3004-150100.71.1 salt-standalone-formulas-configuration-3004-150100.71.1 salt-syndic-3004-150100.71.1 salt-transactional-update-3004-150100.71.1 o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (aarch64 x86_64): python3-salt-3004-150100.71.1 salt-3004-150100.71.1 salt-api-3004-150100.71.1 salt-cloud-3004-150100.71.1 salt-doc-3004-150100.71.1 salt-master-3004-150100.71.1 salt-minion-3004-150100.71.1 salt-proxy-3004-150100.71.1 salt-ssh-3004-150100.71.1 salt-standalone-formulas-configuration-3004-150100.71.1 salt-syndic-3004-150100.71.1 salt-transactional-update-3004-150100.71.1 o SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (noarch): salt-bash-completion-3004-150100.71.1 salt-fish-completion-3004-150100.71.1 salt-zsh-completion-3004-150100.71.1 o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (aarch64 x86_64): python3-salt-3004-150100.71.1 salt-3004-150100.71.1 salt-api-3004-150100.71.1 salt-cloud-3004-150100.71.1 salt-doc-3004-150100.71.1 salt-master-3004-150100.71.1 salt-minion-3004-150100.71.1 salt-proxy-3004-150100.71.1 salt-ssh-3004-150100.71.1 salt-standalone-formulas-configuration-3004-150100.71.1 salt-syndic-3004-150100.71.1 salt-transactional-update-3004-150100.71.1 o SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (noarch): salt-bash-completion-3004-150100.71.1 salt-fish-completion-3004-150100.71.1 salt-zsh-completion-3004-150100.71.1 o SUSE Enterprise Storage 6 (aarch64 x86_64): python3-salt-3004-150100.71.1 salt-3004-150100.71.1 salt-api-3004-150100.71.1 salt-cloud-3004-150100.71.1 salt-doc-3004-150100.71.1 salt-master-3004-150100.71.1 salt-minion-3004-150100.71.1 salt-proxy-3004-150100.71.1 salt-ssh-3004-150100.71.1 salt-standalone-formulas-configuration-3004-150100.71.1 salt-syndic-3004-150100.71.1 salt-transactional-update-3004-150100.71.1 o SUSE Enterprise Storage 6 (noarch): salt-bash-completion-3004-150100.71.1 salt-fish-completion-3004-150100.71.1 salt-zsh-completion-3004-150100.71.1 o SUSE CaaS Platform 4.0 (noarch): salt-bash-completion-3004-150100.71.1 salt-fish-completion-3004-150100.71.1 salt-zsh-completion-3004-150100.71.1 o SUSE CaaS Platform 4.0 (x86_64): python3-salt-3004-150100.71.1 salt-3004-150100.71.1 salt-api-3004-150100.71.1 salt-cloud-3004-150100.71.1 salt-doc-3004-150100.71.1 salt-master-3004-150100.71.1 salt-minion-3004-150100.71.1 salt-proxy-3004-150100.71.1 salt-ssh-3004-150100.71.1 salt-standalone-formulas-configuration-3004-150100.71.1 salt-syndic-3004-150100.71.1 salt-transactional-update-3004-150100.71.1 References: o https://www.suse.com/security/cve/CVE-2022-22967.html o https://bugzilla.suse.com/1200566 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUQEckNZI30y1K9AQgBVg/+L0je1OwkY1Vm7rCL3a+QKZ488lsxGcW9 JWymW7kYZEYwzwBDp55ba/CfnW9CECJWJdq0NGbksu4q23guESdNfPdBXV6ZtKgM PHeUmAs3lFSv5B7RvB4Kpu2rjfs1xJX8Q5vMW2KC9m4nzBfMkoUFtNqmPHDKeFsh hezJ6P9I/02UwBv3vWmatQRdbFSRmXKVjpkf2ngaFsLnF4jSbHX6lwlynIOFBhTI znhmbv8HMEONErTuHdqJA/SFopScYoiSpLmj4xEvi6nlTBkJF1yoJzQELr/AHkx9 v3ylNRsJ/KFf/CImVkSbs53WX6yf1d5hjPKNLrx3WqBWNf7asy4y4pigFt/JzX42 70r4xdzBUnkVVlVna0ZFzEfkaPExBFpUa+hPTJEhhQX6l3DTnKicDR9HrOETwj5X IM3YjunmaAid1waAa1ZKnzK+w6fSm009nNWCpZkwsZcgrXp09VbhSXsyUEbqnZc8 yj7LRFj8X/eyQTk9bkHj7lYlx3WD0HgoC1ZDQCC7f3xWTvJD51uotFo2TezK+ndN AR/inQplmH82mtNe9u4NSJW7JMhSKWym6RHJc9CRlYyc4VBP+9lLXSW77Y40FaRU VL/x9l6kMvXExPwXuenASwPHCA7Zf3DVTTYPTuMbOjF9ucidgWgs/Ug5DsgGfeBL A+gxPEdtKZQ= =WqoV -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3076 Security update for php74 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: php74 Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-31626 CVE-2022-31625 Original Bulletin: https://www.suse.com/support/update/announcement/2022/suse-su-20222161-1 Comment: CVSS (Max): 7.8 CVE-2022-31625 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSS Source: SUSE Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for php74 ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:2161-1 Rating: important References: #1200628 #1200645 Cross-References: CVE-2022-31625 CVE-2022-31626 Affected Products: SUSE Linux Enterprise High Performance Computing 12 SUSE Linux Enterprise Module for Web Scripting 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12-SP3 SUSE Linux Enterprise Server 12-SP4 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12-SP3 SUSE Linux Enterprise Server for SAP Applications 12-SP4 SUSE Linux Enterprise Server for SAP Applications 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for php74 fixes the following issues: o CVE-2022-31625: Fixed uninitialized pointers free in Postgres extension. (bsc#1200645) o CVE-2022-31626: Fixed buffer overflow via user-supplied password when using pdo_mysql extension with mysqlnd driver. (bsc#1200628). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-2161=1 o SUSE Linux Enterprise Module for Web Scripting 12: zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2022-2161=1 Package List: o SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): php74-debuginfo-7.4.6-1.42.1 php74-debugsource-7.4.6-1.42.1 php74-devel-7.4.6-1.42.1 o SUSE Linux Enterprise Module for Web Scripting 12 (aarch64 ppc64le s390x x86_64): apache2-mod_php74-7.4.6-1.42.1 apache2-mod_php74-debuginfo-7.4.6-1.42.1 php74-7.4.6-1.42.1 php74-bcmath-7.4.6-1.42.1 php74-bcmath-debuginfo-7.4.6-1.42.1 php74-bz2-7.4.6-1.42.1 php74-bz2-debuginfo-7.4.6-1.42.1 php74-calendar-7.4.6-1.42.1 php74-calendar-debuginfo-7.4.6-1.42.1 php74-ctype-7.4.6-1.42.1 php74-ctype-debuginfo-7.4.6-1.42.1 php74-curl-7.4.6-1.42.1 php74-curl-debuginfo-7.4.6-1.42.1 php74-dba-7.4.6-1.42.1 php74-dba-debuginfo-7.4.6-1.42.1 php74-debuginfo-7.4.6-1.42.1 php74-debugsource-7.4.6-1.42.1 php74-dom-7.4.6-1.42.1 php74-dom-debuginfo-7.4.6-1.42.1 php74-enchant-7.4.6-1.42.1 php74-enchant-debuginfo-7.4.6-1.42.1 php74-exif-7.4.6-1.42.1 php74-exif-debuginfo-7.4.6-1.42.1 php74-fastcgi-7.4.6-1.42.1 php74-fastcgi-debuginfo-7.4.6-1.42.1 php74-fileinfo-7.4.6-1.42.1 php74-fileinfo-debuginfo-7.4.6-1.42.1 php74-fpm-7.4.6-1.42.1 php74-fpm-debuginfo-7.4.6-1.42.1 php74-ftp-7.4.6-1.42.1 php74-ftp-debuginfo-7.4.6-1.42.1 php74-gd-7.4.6-1.42.1 php74-gd-debuginfo-7.4.6-1.42.1 php74-gettext-7.4.6-1.42.1 php74-gettext-debuginfo-7.4.6-1.42.1 php74-gmp-7.4.6-1.42.1 php74-gmp-debuginfo-7.4.6-1.42.1 php74-iconv-7.4.6-1.42.1 php74-iconv-debuginfo-7.4.6-1.42.1 php74-intl-7.4.6-1.42.1 php74-intl-debuginfo-7.4.6-1.42.1 php74-json-7.4.6-1.42.1 php74-json-debuginfo-7.4.6-1.42.1 php74-ldap-7.4.6-1.42.1 php74-ldap-debuginfo-7.4.6-1.42.1 php74-mbstring-7.4.6-1.42.1 php74-mbstring-debuginfo-7.4.6-1.42.1 php74-mysql-7.4.6-1.42.1 php74-mysql-debuginfo-7.4.6-1.42.1 php74-odbc-7.4.6-1.42.1 php74-odbc-debuginfo-7.4.6-1.42.1 php74-opcache-7.4.6-1.42.1 php74-opcache-debuginfo-7.4.6-1.42.1 php74-openssl-7.4.6-1.42.1 php74-openssl-debuginfo-7.4.6-1.42.1 php74-pcntl-7.4.6-1.42.1 php74-pcntl-debuginfo-7.4.6-1.42.1 php74-pdo-7.4.6-1.42.1 php74-pdo-debuginfo-7.4.6-1.42.1 php74-pgsql-7.4.6-1.42.1 php74-pgsql-debuginfo-7.4.6-1.42.1 php74-phar-7.4.6-1.42.1 php74-phar-debuginfo-7.4.6-1.42.1 php74-posix-7.4.6-1.42.1 php74-posix-debuginfo-7.4.6-1.42.1 php74-readline-7.4.6-1.42.1 php74-readline-debuginfo-7.4.6-1.42.1 php74-shmop-7.4.6-1.42.1 php74-shmop-debuginfo-7.4.6-1.42.1 php74-snmp-7.4.6-1.42.1 php74-snmp-debuginfo-7.4.6-1.42.1 php74-soap-7.4.6-1.42.1 php74-soap-debuginfo-7.4.6-1.42.1 php74-sockets-7.4.6-1.42.1 php74-sockets-debuginfo-7.4.6-1.42.1 php74-sodium-7.4.6-1.42.1 php74-sodium-debuginfo-7.4.6-1.42.1 php74-sqlite-7.4.6-1.42.1 php74-sqlite-debuginfo-7.4.6-1.42.1 php74-sysvmsg-7.4.6-1.42.1 php74-sysvmsg-debuginfo-7.4.6-1.42.1 php74-sysvsem-7.4.6-1.42.1 php74-sysvsem-debuginfo-7.4.6-1.42.1 php74-sysvshm-7.4.6-1.42.1 php74-sysvshm-debuginfo-7.4.6-1.42.1 php74-tidy-7.4.6-1.42.1 php74-tidy-debuginfo-7.4.6-1.42.1 php74-tokenizer-7.4.6-1.42.1 php74-tokenizer-debuginfo-7.4.6-1.42.1 php74-xmlreader-7.4.6-1.42.1 php74-xmlreader-debuginfo-7.4.6-1.42.1 php74-xmlrpc-7.4.6-1.42.1 php74-xmlrpc-debuginfo-7.4.6-1.42.1 php74-xmlwriter-7.4.6-1.42.1 php74-xmlwriter-debuginfo-7.4.6-1.42.1 php74-xsl-7.4.6-1.42.1 php74-xsl-debuginfo-7.4.6-1.42.1 php74-zip-7.4.6-1.42.1 php74-zip-debuginfo-7.4.6-1.42.1 php74-zlib-7.4.6-1.42.1 php74-zlib-debuginfo-7.4.6-1.42.1 References: o https://www.suse.com/security/cve/CVE-2022-31625.html o https://www.suse.com/security/cve/CVE-2022-31626.html o https://bugzilla.suse.com/1200628 o https://bugzilla.suse.com/1200645 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUP8ckNZI30y1K9AQiaQw//Vo76gmB+pIA2DdbIf1IrIrQkoSrxdgsK aVr0EdX2pmbx+XrJTHBbaxITDWSd2iHpvAK6G2I8rMpDQU8ehT4ramVmHxbVmxVr M80viJDtbSUZ0ki+X7BjCwl/NmaMPxsznriU9mj+lH3J2YLHTc2zpGMj0uEjd1X5 ss6iNKGQi7o6ccYaWxtdVfvZyHwbOUr61gbWy69Bef1HvNw60rnTHUIsIynn/8me WOEF9h3MQP+QYyty7WURwQc3Y/PnVHhdlTXW+rPpKRsuCuQ7yKUz8axDpKpPpkao FF9Er6wHE6jAlG30cVlFHVIX0RNpI9SVa6WiIdfF5y8/8Iv+/kLWfYd9W+h0ScTw y1EGjelsNUfsxpf9nA9o2EXNcGIczGvLjGlmNTFiqwJoR78opXSmXgxDeLd6sQ3M mes6nPdXtdkMbzod7gxRPurP5p0ezP5EIYR/j5fwkp7jTn0rSVumU3udRgwW1MYr YTSuwXQPzMRB/dJoGOLk2eWwi+DOOjaiXZGnGpKp7gvrvy3o4t4prPLdnpOYYTeH L6fWshNUfK0AJptL2MX0qtcvJVqUPC8BF54pytpiOG82I+h4eVT9r5LMbrVH70Up limVpZKRPl20E+keV7NjMTrPp9Du+eSNiQyWKk3ubrJndypA8jHAuwChVbuTGNFc Msxv6YlQ3Lc= =Y5WU -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3075 Security update for mariadb 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: mariadb Publisher: SUSE Operating System: SUSE Resolution: Patch/Upgrade CVE Names: CVE-2022-27445 CVE-2022-27387 CVE-2022-27386 CVE-2022-27384 CVE-2022-27383 CVE-2022-27381 CVE-2022-27380 CVE-2022-27378 CVE-2022-27377 CVE-2022-21427 CVE-2021-46669 Original Bulletin: https://www.suse.com/support/update/announcement/2022/suse-su-20222160-1 Comment: CVSS (Max): 7.8 CVE-2021-46669 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSS Source: SUSE, [Red Hat] Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for mariadb ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:2160-1 Rating: important References: #1198603 #1198604 #1198606 #1198607 #1198610 #1198611 #1198612 #1198613 #1198629 #1199928 Cross-References: CVE-2021-46669 CVE-2022-21427 CVE-2022-27377 CVE-2022-27378 CVE-2022-27380 CVE-2022-27381 CVE-2022-27383 CVE-2022-27384 CVE-2022-27386 CVE-2022-27387 CVE-2022-27445 Affected Products: SUSE Linux Enterprise Server 12-SP4-LTSS SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server for SAP 12-SP4 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. Description: This update for mariadb fixes the following issues: o CVE-2021-46669 (bsc#1199928) o CVE-2022-21427 (bsc#1199928) o CVE-2022-27377 (bsc#1198603) o CVE-2022-27378 (bsc#1198604) o CVE-2022-27380 (bsc#1198606) o CVE-2022-27381 (bsc#1198607) o CVE-2022-27383 (bsc#1198610) o CVE-2022-27384 (bsc#1198611) o CVE-2022-27386 (bsc#1198612) o CVE-2022-27387 (bsc#1198613) o CVE-2022-27445 (bsc#1198629) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE OpenStack Cloud Crowbar 9: zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-2160=1 o SUSE OpenStack Cloud 9: zypper in -t patch SUSE-OpenStack-Cloud-9-2022-2160=1 o SUSE Linux Enterprise Server for SAP 12-SP4: zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-2160=1 o SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-2160=1 o SUSE Linux Enterprise Server 12-SP4-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-2160=1 Package List: o SUSE OpenStack Cloud Crowbar 9 (noarch): mariadb-errormessages-10.2.44-3.50.1 o SUSE OpenStack Cloud Crowbar 9 (x86_64): mariadb-10.2.44-3.50.1 mariadb-client-10.2.44-3.50.1 mariadb-client-debuginfo-10.2.44-3.50.1 mariadb-debuginfo-10.2.44-3.50.1 mariadb-debugsource-10.2.44-3.50.1 mariadb-galera-10.2.44-3.50.1 mariadb-tools-10.2.44-3.50.1 mariadb-tools-debuginfo-10.2.44-3.50.1 o SUSE OpenStack Cloud 9 (x86_64): mariadb-10.2.44-3.50.1 mariadb-client-10.2.44-3.50.1 mariadb-client-debuginfo-10.2.44-3.50.1 mariadb-debuginfo-10.2.44-3.50.1 mariadb-debugsource-10.2.44-3.50.1 mariadb-galera-10.2.44-3.50.1 mariadb-tools-10.2.44-3.50.1 mariadb-tools-debuginfo-10.2.44-3.50.1 o SUSE OpenStack Cloud 9 (noarch): mariadb-errormessages-10.2.44-3.50.1 o SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64): mariadb-10.2.44-3.50.1 mariadb-client-10.2.44-3.50.1 mariadb-client-debuginfo-10.2.44-3.50.1 mariadb-debuginfo-10.2.44-3.50.1 mariadb-debugsource-10.2.44-3.50.1 mariadb-tools-10.2.44-3.50.1 mariadb-tools-debuginfo-10.2.44-3.50.1 o SUSE Linux Enterprise Server for SAP 12-SP4 (noarch): mariadb-errormessages-10.2.44-3.50.1 o SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64): mariadb-10.2.44-3.50.1 mariadb-client-10.2.44-3.50.1 mariadb-client-debuginfo-10.2.44-3.50.1 mariadb-debuginfo-10.2.44-3.50.1 mariadb-debugsource-10.2.44-3.50.1 mariadb-tools-10.2.44-3.50.1 mariadb-tools-debuginfo-10.2.44-3.50.1 o SUSE Linux Enterprise Server 12-SP5 (noarch): mariadb-errormessages-10.2.44-3.50.1 o SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64): mariadb-10.2.44-3.50.1 mariadb-client-10.2.44-3.50.1 mariadb-client-debuginfo-10.2.44-3.50.1 mariadb-debuginfo-10.2.44-3.50.1 mariadb-debugsource-10.2.44-3.50.1 mariadb-tools-10.2.44-3.50.1 mariadb-tools-debuginfo-10.2.44-3.50.1 o SUSE Linux Enterprise Server 12-SP4-LTSS (noarch): mariadb-errormessages-10.2.44-3.50.1 References: o https://www.suse.com/security/cve/CVE-2021-46669.html o https://www.suse.com/security/cve/CVE-2022-21427.html o https://www.suse.com/security/cve/CVE-2022-27377.html o https://www.suse.com/security/cve/CVE-2022-27378.html o https://www.suse.com/security/cve/CVE-2022-27380.html o https://www.suse.com/security/cve/CVE-2022-27381.html o https://www.suse.com/security/cve/CVE-2022-27383.html o https://www.suse.com/security/cve/CVE-2022-27384.html o https://www.suse.com/security/cve/CVE-2022-27386.html o https://www.suse.com/security/cve/CVE-2022-27387.html o https://www.suse.com/security/cve/CVE-2022-27445.html o https://bugzilla.suse.com/1198603 o https://bugzilla.suse.com/1198604 o https://bugzilla.suse.com/1198606 o https://bugzilla.suse.com/1198607 o https://bugzilla.suse.com/1198610 o https://bugzilla.suse.com/1198611 o https://bugzilla.suse.com/1198612 o https://bugzilla.suse.com/1198613 o https://bugzilla.suse.com/1198629 o https://bugzilla.suse.com/1199928 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUPvskNZI30y1K9AQh2iQ//cORzpzNJG/StSwgFTroX7czBmDbiaMLE m99DdFYLUZ2MD7aBq5gq9PgBxNT5TF6xAtEc8MLyygnIhmwnLAXm1C5WA0bMRBFx mZnPEAcb+fZefaeoHmt8q2laL9Ti8TrcUYr/kiYtmmmBv6CJxIbi/jebf3a7DHQ0 UpBEtl0rp7WQVG3BOz6tQd4bIw2d0HceoDGMAEg+OrJTyWbhXjemfzY15qKwoO61 ga5XU4KCIhrEu184El9/vYKDVx+N5WkLtrF5VZ5LaUMu3rinbQELaAXshDflfe3F xVWQ02UboCdUk8CQI6leD+RvBODmCVcTAgQpzcyeSDZMQZw+qyoOSfAJLP1zbW+G 39i2JFGSfexRGBMJMDF0LYzoSBoHQdKQFfyvIiCzgYP6CA4x75v+XM4zeTfmrXWr gKYz9RfswOb+/BYTHukPzg1clJz1Avfxx1cEhV4xtTC65WrYa5xT6+kSrIw2gbPY sSAIzfqwQSPI8cBiavoOV6WPdGlnHNjIBp5xn5P/qk0y0JKwwcTZe0f9cQMrp500 E/lcW104QdxNz8OshOxSgvSRCuYMFgEG/3vLruUbuSJYrsvhHiaY3p4yPnBkfmsA C2Zo7WEYttpmWVh0YDtwKH2RxhF7ECAQrQzumdE7R1PjyVVscZhNGml7c+spPB6u a9e5aXBYOmo= =+I8x -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3074 Advisory (icsa-22-174-04) Pyramid Solutions EtherNet/IP Adapter Development Kit 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Pyramid Solutions EtherNet/IP Adapter Development Kit Publisher: ICS-CERT Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2022-1737 Comment: CVSS (Max): 9.8 CVE-2022-1737 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-22-174-04) Pyramid Solutions EtherNet/IP Adapter Development Kit Original release date: June 23, 2022 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 9.8 o ATTENTION: Exploitable remotely, low attack complexity o Vendor: Pyramid Solutions, Inc. o Equipment: EtherNet/IP Adapter Development Kit o Vulnerability: Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker with access to the EtherNet/IP network to send a specially crafted packet that may result in a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Pyramid Solutions' products are affected: o EtherNet/IP Adapter Development Kit (EADK): Versions 4.4.0 and prior o EtherNet/IP Adapter DLL Kit (EIPA): Versions 4.4.0 and prior o EtherNet/IP Scanner Development Kit (EDKS): Versions 4.4.0 and prior o EtherNet/IP Scanner DLL Kit (EIPS): Versions 4.4.0 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS WRITE CWE-787 The affected products are vulnerable to an out-of-bounds write, which may allow an unauthorized attacker to send a specially crafted packet that may result in a denial-of-service condition. CVE-2022-1737 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:H/ I:H/A:H ). 3.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Financial Services o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: United States 3.4 RESEARCHER Weidmueller reported this vulnerability to CERT@VDE 4. MITIGATIONS Pyramid Solutions recommends upgrading any products using the affected versions of EADK, EIPA, EIPS, and ESDK to the latest product revision. Information on the latest version is available at Pyramid Solutions' website . The following additional vendor affected by the reported vulnerability has also released security advisories related to this vulnerability: o Weidmuller Interface GmbH & Co. KG CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet . o Locate control system networks and remote devices behind firewalls and isolate them from the business network. o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov/ics in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target this vulnerability. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUKVckNZI30y1K9AQjaRRAAmlmxT+e+MfDHknk4TdwhePx7Q9r81TVy W2RDjx8SZwbP5u/y8GOdVqZ4RArcLqDtuoBr2gIo7ESbJa/VRSxNxjdD4X+aT0ow fOol9fI8X2aGWuOWaY0wYdfFFb0qQw9e8SymLjvYGVkcznvpTlS/4QqOKj3Dli18 L7dtfM4UdjctvRujwPX3lf8+/hAoSytzwu8xzdhyNwUFTm8k/F71plC8/o5Oq4El S9rbxx53txv3u2MunbFozN9n5xiGrQRHXGsbrEHjVtZJlHOHFgaNlo4V9/Tb8FD+ PKztetQfQTfi4/LMrCX5KgUel52huWWZg4J8a/EK+7PkmB7SGc2yY45VbYrVGlGD HLp9YHIxRAyEXcGGusHC9z5wRFqapbNfks7LkWG2u/JPVDd/gB1t0nVq83bnkjOj yxxjKkHxL2etM5rrCzMd6MO++zsjc+2Rq+Tqlgtn9SyshXcZBme8cLtY4Xwx/CUq dHM+nPMuUzi+KnRMyN79vidNhrpUuX1mTwKZHzn6ytjM/iGJlDwqY7FqpoteoJLH V47YPfWWcn0kaxzRHTa37Ft2OwZ6DLnq18pxaQMRtotHEFVSqvQt9FfOE6cmSFMS rRGEa+LsDpww34zrZ26zKSsatpwlxjiMRs3RJsq6CIppV0aFywmU9AZxbYIOgkuf ets9h/4ZgGQ= =RkfV -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3073 Advisory (icsa-22-174-03) Secheron SEPCOS Control and Protection Relay 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Secheron SEPCOS Control and Protection Relay Publisher: ICS-CERT Operating System: Network Appliance Resolution: Patch/Upgrade CVE Names: CVE-2022-2105 CVE-2022-2104 CVE-2022-2103 CVE-2022-2102 CVE-2022-1668 CVE-2022-1667 CVE-2022-1666 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-174-03 Comment: CVSS (Max): 9.9 CVE-2022-2104 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-22-174-03) Secheron SEPCOS Control and Protection Relay Original release date: June 23, 2022 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 9.9 o ATTENTION: Exploitable remotely/low attack complexity o Vendor: Secheron o Equipment: SEPCOS Control and Protection Relay o Vulnerabilities: Improper Enforcement of Behavioral Workflow, Lack of Administrator Control over Security, Improper Privilege Management, Insufficiently Protected Credentials, Improper Access Control 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to obtain full, root access over the device in multiple ways. Initial footholds through S-Web interface software vulnerabilities could allow an attacker to obtain a level of control over the PLC's functions only the vendor typically has access to. This includes the ability to reset the PLC, upload arbitrary files / execute code, and change parameters for protective functions that can pose a range of availability and safety risks to the power system the PLC is configured to control (based on the specific implementation). Further exploitation of the underlying PLC misconfigurations can allow an attacker to trivially escalate privileges to OS root through either the S-Web vulnerabilities or FTP and SSH misconfigurations. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following firmware versions of the Secheron SEPCOS Control and Protection Relay are affected: o SEPCOS Single Package firmware (1.23.xx feature level): All versions prior to 1.23.21 o SEPCOS Single Package firmware (1.24.xx feature level): All versions prior to 1.24.8 o SEPCOS Single Package firmware (1.25.xx feature level): All versions prior to 1.25.3 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW CWE-841 Client-side JavaScript controls may be bypassed to change user credentials and permissions without authentication, including a "root" user level meant only for the vendor. Web server root level access allows for changing of safety critical parameters. CVE-2022-2105 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:L/ I:H/A:H ). 3.2.2 IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW CWE-841 Client-side JavaScript controls may be bypassed by directly running a JS function to reboot the PLC (e.g., from the browser console) or by loading the corresponding, browser accessible PHP script. CVE-2022-1667 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:N/ I:N/A:H ). 3.2.3 IMPROPER ENFORCEMENT OF BEHAVIORAL WORKFLOW CWE-841 Controls limiting uploads to certain file extensions may be bypassed. This could allow an attacker to intercept the initial file upload page response and modify the associated code. This modified code can be forwarded and used by a script loaded later in the sequence, allowing for arbitrary file upload into a location where PHP scripts may be executed. CVE-2022-2102 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:L/ I:H/A:H ). 3.2.4 WEAK PASSWORD REQUIREMENTS CWE-521 Weak default root user credentials allow remote attackers to easily obtain OS superuser privileges over the open TCP port for SSH. CVE-2022-1668 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:H/ I:H/A:H ). 3.2.5 IMPROPER ACCESS CONTROL CWE-284 An attacker with weak credentials could access the TCP port via an open FTP port, allowing an attacker to read sensitive files and write to remotely executable directories. CVE-2022-2103 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:N/UI:N/S:U/C:H/ I:H/A:H ). 3.2.6 IMPROPER PRIVILEGE MANAGEMENT CWE-269 The www-data (Apache web server) account is configured to run sudo with no password for many commands (including /bin/sh and /bin/bash). CVE-2022-2104 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:N/S:C/C:H/ I:H/A:H ). 3.2.7 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522 The default password for the web application's root user (the vendor's private account) was weak and the MD5 hash was used to crack the password using a widely available open-source tool. CVE-2022-1666 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ( AV:N/AC:L/PR:L/UI:N/S:U/C:H/ I:N/A:N ). 3.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Multiple o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: Switzerland 3.4 RESEARCHER Anthony Candarini of AECOM, Clark Bradley of Elliott Davis, Mike Curnow of AECOM, and Balakrishna Subramoney of SAM Analytic Solutions reported these vulnerabilities to CISA. 4. MITIGATIONS Secheron recommends updating its software to the latest version: o SEPCOS Single Package firmware (1.23.xx feature level): Update to 1.23.22 or higher version o SEPCOS Single Package firmware (1.24.xx feature level): Update to 1.24.8 or higher version o SEPCOS Single Package firmware (1.25.xx feature level): Update to 1.25.3 or higher version This version contains updates that resolve the discovered vulnerabilities for each feature level (SP1.23.xx, SP1.24.xx, and SP1.25.xx). System integrators and asset owners should contact a Secheron representative for further information on how to obtain updates. Additional workarounds are suggested to help reduce the risk: o Configure the network such that PLC communications are strictly limited to only the devices required to perform its functions. o Limit remote access and close Ports 80 and 443 at the switch level. o Only use approved devices to connect to the PLCs. Do not connect personal peripherals (USB sticks, hotspots) to approved devices. o Check device logs during periodic maintenance for unauthorized changes or access. CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet . o Locate control system networks and remote devices behind firewalls and isolate them from the business network. o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov/ics in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target this these vulnerabilities. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUKP8kNZI30y1K9AQgwRw//QF+INAN8+N1Q09HYMII9C0kQX71jVRE/ 5NK+pMj3G4nsnRPf3qL+2qdvDixDU3aa2IGUPpwGj5AmODx3VY2WqDf1affL7Cjr 9gmJfgusfw757Yfs7SSir+p4ZrYfXnPbnI5ZRWA0aA744FIE/k0rCU/hSnIVHYd8 HtxDlKQObsqI72d9lkhLq1nkX6Q4qi6OxdJlA4gjMIMyPUefLgzJe4ITqmS+H+wc jXoscaMdSnus+UaQrAn00e5FmlImb7PDHaFIepd7xl7yQg0ecsRRCDoR83ypPRmj +4Q1LHhBLRt30UnttlUuLLaVPudlUggHFnLz2Ogzr4wo5AV9bQ5rd/iJrmCHALGP vvJFfFG6L6bsAAM90bC8K54SF1H5sHYr9w+46vrNNOwKqpCXtPpKRTCTFD3e3Qbj 64NLJq3nqgkpFKfXw+BLoXhogep/KOSBRlE19QPPvTqI6wa4uTX3mcIESrVSfinx /unLjkMPn5tkhggElQiV3na9A7oE2jRriJdRbeS24tuj7AWBGnk13f720sGu08zk OOhnzsqQaYPB0f2Cyi4cFTracpL4p3UXYHkEOLbAfa03ebitBb3R6H4FDK/EZLCR z8nMPDwrAUHgJFzbzuAnoEtBB/22qlHOQovL2cpHBdMFXchVt61IYfjbV89Z7ryB UtUWt7yMm54= =0hMh -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3072 Advisory (icsa-22-174-02) Yokogawa CAMS for HIS 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Yokogawa CAMS for HIS Publisher: ICS-CERT Operating System: Network Appliance Resolution: Mitigation CVE Names: CVE-2022-30707 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-174-02 Comment: CVSS (Max): 6.4 CVE-2022-30707 (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-22-174-02) Yokogawa CAMS for HIS Original release date: June 23, 2022 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 6.4 o ATTENTION: High attack complexity o Vendor: Yokogawa o Equipment: Consolidation Alarm Management Software for Human Interface Station (CAMS for HIS) o Vulnerability: Violation of Secure Design Principles 2. RISK EVALUATION If a computer using CAMS for HIS software is compromised, it can be used to compromise any number of other computers using CAMS for HIS software with the potential to crash any affected software. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following products that use CAMS for HIS, are affected: o CENTUM CS 3000 (including CENTUM CS 3000 Entry Class): Versions R3.08.10 through R3.09.00. These vulnerabilities affect this product if LHS4800 (CAMS for HIS) is installed. o CENTUM VP (including CENTUM VP Entry Class): Versions R4.01.00 through R4.03.00 (these product versions are affected only if CAMS function is used), Versions R5.01.00 through R5.04.20, and R6.01.00 through R6.09.00 (these product versions are affected regardless of whether CAMS function is used or not). o Exaopc: Versions R3.72.00 through R3.80.00 (these product versions are affected if NTPF100-S6 "For CENTUM VP Support CAMS for HIS" is installed). o B/M9000CS: Versions R5.04.01 - R5.05.01 o B/M9000 VP: Versions R6.01.01 - R8.03.01 3.2VULNERABILITY OVERVIEW 3.2.1 VIOLATION OF SECURE DESIGN PRINCIPLES CWE-657 If an attacker successfully compromises a computer using CAMS for HIS software, they can use credentials from the compromised machine to access data from another machine using CAMS for HIS software. This can lead to a disabling of CAMS for HIS software functions on any affected machines. CVE-2022-30707 has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been calculated; the CVSS vector string is ( AV:A/AC:H/PR:N/UI:N/S:U/ C:L/I:L/A:H ). 3.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Food and Agriculture o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: Japan 3.4 RESEARCHER Jacob Baines from Dragos, Inc., reported this vulnerability to Yokogawa. 4. MITIGATIONS Yokogawa has produced the following mitigations for the affected products: o CENTUM CS 3000 (Including CENTUM CS 3000 Entry Class): No software patch will be made available as these products are end-of-life. Upgrade systems to the latest version of CENTUM VP. o CENTUM VP (Including CENTUM VP Entry Class): Versions R4.01.00 through R4.03.00, and R5.01.00 through R5.04.20 No software patch will be made available as these products are end-of-life. Consider upgrading systems to the latest version of CENTUM VP. Versions R6.01.00 through R6.09.00 Update systems to Version R6.09.00 and apply software patch R6.09.03 o Exaopc: Update systems to Version R3.80.00 and apply software patch R3.80.01 o B/M9000CS and B/M9000 VP: These products are not directly affected by the vulnerability. However, these products are affected if CENTUM is installed on the same PC. If CENTUM is installed, update as described above. Also update B/M9000 to the latest version. Please see Yokogawa Security Advisory Report YSAR-22-0006 at the following locations for more information: English Japanese For questions related to these mitigations, please contact Yokogawa . CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov/ics in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUKNckNZI30y1K9AQiqYA//TDDs0McjL3yUdKYJTaEu+oNOGgVKlp9g dmoDonWc6pV2+rTAgyR2NhT1DUNbqC2nXpGHDeK5Y1q1Xgf1YY1wCQcKScM6ua3B 5vm2lZC/63idXHIktyvZXVx6chxlc51qTEIbLLYRBhpvYxrLSTHfQcxLX1xUCULs gI75E/C4UWYkV7SvLmxrQ9DTL0vo0z0j0KyqajB4vMk36rQL6YKjrdJImXL1VFP6 c0jfmMe8CBXiC4dhVr9ebc7D05NSKeRHj+u7QvK0Nnwvm6bOBYKo+52sxEt4h+nw OUlJ0wfHoWya6ZaiKnTrzWw9mKfnn+1O2AJWH7CWf7RNpCoT9ZsCUTCFJ/zaDDNt Kq/7V7SSQpFMko/iwwlntmFwR0jfcDRZY512RvOSTBxL4RvFtVYLimUvUg+/ni2B L60eDrTo00+/wKDIlesmvlKfteZUEbkfT7X4gzddiSUAwqcVlophPoBRnAi/WuWz wB1X8+soBZJYRu4gqDRP8avvKRYRirDYxB+NMSJSMqkFU/kpOjha0g4cxU0x84uY 5s19u9zK4a5y1V8qgcZq8AbJgCtugZlsBV507PXsPgeboFXdkLLfqCFl3jXfRLxX I1a37IUpcs7Q3o4iEkwtS5dgrLU56gFBEdo0/ZQiDJufzQ9397p/DALM7EvsyIao MFC4KhobmEQ= =Ebrb -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3071 Advisory (icsa-22-174-01) Yokogawa STARDOM 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Yokogawa STARDOM Publisher: ICS-CERT Operating System: Network Appliance Resolution: Mitigation CVE Names: CVE-2022-30997 CVE-2022-29519 Original Bulletin: https://us-cert.cisa.gov/ics/advisories/icsa-22-174-01 Comment: CVSS (Max): 6.3 CVE-2022-30997 (CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H) CVSS Source: ICS-CERT Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- ICS Advisory (ICSA-22-174-01) Yokogawa STARDOM Original release date: June 23, 2022 Legal Notice All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/ . 1. EXECUTIVE SUMMARY o CVSS v3 6.3 o ATTENTION: Exploitable remotely o Vendor: Yokogawa o Equipment: STARDOM o Vulnerabilities: Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials CISA is aware of a public report known as, "OT:ICEFALL," which details vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and identify baseline mitigations for reducing risks to these and other cybersecurity attacks. 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow attackers to alter device configuration settings and tamper with device firmware. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of STARDOM, a network control system, are affected: o STARDOM FCN/FCJ: Versions R1.01 through R4.31 o STARDOM FCN/FCJ: Versions R4.10 through R4.31, dual CPU modules only; only affected by CVE-2022-30997 3.2 VULNERABILITY OVERVIEW 3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319 The affected product transmits sensitive information in cleartext, which may allow an attacker sniffing network traffic on the controller to read/change configuration settings or update the controller with tampered firmware. CVE-2022-29519 has been assigned to this vulnerability. A CVSS v3 base score of 4.8 has been calculated; the CVSS vector string is ( AV:A/AC:H/PR:N/UI:R/S:U/ C:H/I:N/A:N ). 3.2.2 USE OF HARD-CODED CREDENTIALS CWE-798 The affected product uses hard-coded credentials, which could enable an attacker to read/change configuration settings or update the controller with tampered firmware. Note, single CPU modules of the FCN/FCJ controller are unaffected. CVE-2022-30997 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is ( AV:A/AC:H/PR:H/UI:R/S:U/ C:H/I:H/A:H ). 3.3 BACKGROUND o CRITICAL INFRASTRUCTURE SECTORS: Multiple o COUNTRIES/AREAS DEPLOYED: Worldwide o COMPANY HEADQUARTERS LOCATION: Japan 3.4 RESEARCHER Jos Wetzels of Forescout reported these vulnerabilities to Yokogawa. 4. MITIGATIONS Yokogawa recommends users apply the following mitigations for both vulnerabilities: o Enable the packet filtering functionality of the FCN/FCJ controller to only allow connections from trusted hosts. o Ensure network traffic cannot be captured by unauthorized users. Yokogawa strongly recommends users establish and maintain an operational security program, including regular patching, anti-virus, backup and recovery processes, network segmentation, hardened networks, whitelisting, firewalls, etc. Yokogawa can assist users in setting up and maintaining these security programs, including performing an initial security risk assessment. Yokogawa considers patching to be the best mitigation against these vulnerabilities. Users are encouraged to contact Yokogawa to discuss the best course of action for individual systems. See Yokogawa's security advisory report YSAR-22-007 for more information. CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: o Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet . o Locate control system networks and remote devices behind firewalls and isolate them from the business network. o When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov . Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies . Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies . Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents. No known public exploits specifically target these vulnerabilities. These vulnerabilities have a high attack complexity. For any questions related to this report, please contact the CISA at: Email: CISAservicedesk@cisa.dhs.gov Toll Free: 1-888-282-0870 CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUKKckNZI30y1K9AQiQ2A/+IKccGs4eLHz+Rgzn2L2JJVSKvQux7JoD sQNIrzx6jtyPFomBtnrf4CDOp1FfHetEeO8bf1sJhjQt8HMGWupZ0olpU4YjSI9o xFBgRqmClhP2gGClZax/D8Q90iX5+aEgZqErDQOzzHaiCdaipcH7dFql4Z1/RAZ7 Kad7z7+OA9HxXfarghAVhFv27WiQDfd8nQv1bGSsvMj3ePRpbDHcTiaY8y8fZJ89 RK+0/fmw2Tg1gi9nUJhIRclbe3g3JfYsoZIjzjipzLIxVV7gejG7KghljgQfXBso 5WdPvI5Wf6/vcOtP8Mu1ecbvlf4B1vexO4UFnQPeeCMGudCKZAgnaBNDG+L5HUTP OG7/1BmUmO2GV6bgFu16thx9L2y7ryqEoDUZeO3FXcqU3sSAzjlviWKVwfhjhWj2 jPoMgnUIbBaNmj+aJ4AxAfnuYCj8Wh8er3O+4DRbPbLWVBOvZXJcUXYcXOa7HY2y NsPJvmvahla3nF7Id5JOrZ9jhn2VJxgZyoS/OPiXjQQpkt4/YOQ809lj8g2iD5QA lVYbhxqeM7OePvum8qEFKPDDPfLrSPq98g9sJ8sQrdyc6xT7Okj9mS0Ku9wbHYyL sVHR/cJKjoqZCNccs/24KA0dNUjBrEgKwUeXeO201UHqNOOi9cZpDmExr4POQdMq X8zGoLO2I2Y= =BNST -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3070 K26314875: Apache vulnerability CVE-2022-26377 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: F5OS Traffix SDC Publisher: F5 Networks Operating System: Network Appliance Resolution: Mitigation CVE Names: CVE-2022-26377 Original Bulletin: https://support.f5.com/csp/article/K26314875 Comment: CVSS (Max): 6.5 CVE-2022-26377 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L) CVSS Source: F5 Networks Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - --------------------------BEGIN INCLUDED TEXT-------------------- K26314875: Apache vulnerability CVE-2022-26377 Original Publication Date: 24 Jun, 2022 Security Advisory Description Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions. ( CVE-2022-26377) Impact An attacker may be able to inject a crafted HTTP request into the server, bypassing internal security controls. Security Advisory Status F5 Product Development has assigned ID 1113897 and 1113897-1 (F5OS) and SDC-1961 (Traffix SDC) to this vulnerability. To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding security advisory versioning. Note: After a fix is introduced for a given minor branch, that fix applies to all subsequent maintenance and point releases for that branch, and no additional fixes for that branch will be listed in the table. For example, when a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to K51812227: Understanding security advisory versioning. Additionally, software versions preceding those listed in the Applies to (see versions) box of this article have reached the End of Technical Support (EoTS) phase of their lifecycle and are no longer evaluated for security issues. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy. +------------+------+--------------+----------+----------+------+-------------+ | | |Versions known|Fixes | |CVSSv3|Vulnerable | |Product |Branch|to be |introduced|Severity |score^|component or | | | |vulnerable^1 |in | |2 |feature | +------------+------+--------------+----------+----------+------+-------------+ | |17.x |None |Not | | | | | | | |applicable| | | | | +------+--------------+----------+ | | | | |16.x |None |Not | | | | | | | |applicable| | | | | +------+--------------+----------+ | | | |BIG-IP (all |15.x |None |Not |Not |None |None | |modules) | | |applicable|vulnerable| | | | +------+--------------+----------+ | | | | |14.x |None |Not | | | | | | | |applicable| | | | | +------+--------------+----------+ | | | | |13.x |None |Not | | | | | | | |applicable| | | | +------------+------+--------------+----------+----------+------+-------------+ |BIG-IP SPK |1.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +------------+------+--------------+----------+----------+------+-------------+ | |8.x |None |Not | | | | |BIG-IQ | | |applicable|Not | | | |Centralized +------+--------------+----------+vulnerable|None |None | |Management |7.x |None |Not | | | | | | | |applicable| | | | +------------+------+--------------+----------+----------+------+-------------+ |F5OS-A |1.x |1.0.0 - 1.1.0 |None |Medium |6.5 |httpd | +------------+------+--------------+----------+----------+------+-------------+ | | |1.3.0 - 1.3.2 | | | | | |F5OS-C |1.x |1.2.0 - 1.2.2 |None |Medium |6.5 |httpd | | | |1.1.0 - 1.1.4 | | | | | +------------+------+--------------+----------+----------+------+-------------+ |Traffix SDC |5.x |5.2.0 |None |Medium |6.5 |httpd | | | |5.1.0 | | | | | +------------+------+--------------+----------+----------+------+-------------+ ^1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. ^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by installing a version listed in the Fixes introduced in column. If the Fixes introduced in column does not list a version for your branch, then no update candidate currently exists for that branch and F5 recommends upgrading to a version with the fix (refer to the table). If the Fixes introduced in column lists a version prior to the one you are running, in the same branch, then your version should have the fix. Mitigation F5OS To mitigate this vulnerability for F5OS, restrict management access only to trusted users and a trusted set of IP addresses. Traffix SDC To mitigate this vulnerability for Traffix SDC, you can disable mod_proxy_ajp and restart httpd. Supplemental Information o K41942608: Overview of security advisory articles o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K8986: F5 software lifecycle policy o K9502: BIG-IP hotfix and point release matrix o K13123: Managing BIG-IP product hotfixes (11.x - 17.x) o K15106: Managing BIG-IQ product hotfixes o K15113: BIG-IQ hotfix and point release matrix o K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM systems (11.4.x and later) o K167: Downloading software and firmware from F5 o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrUKHckNZI30y1K9AQif7A/9FB3ctSMj8q+yrrV8LDop472mhqxFIfgi N3h+mdPrrmox8f6HaV8omNaRHeSpuH1PnAfn7eSf3adbw+sU/nQYj6b7/+F/jPkU 0OYLZA06X+ypjD6rMtfyfn38RG5bUIIXJB6jXMU1cohibPHDFpNniedkM7MC/3q9 ffLIBkq4PGjtsv9CbIDBkRbKieEK/4L9vcgnmkZlWMxc+YbDsEna8wAxJMWnZtLo hMkzCXY+fNqksHxizDE5qcARM74AuUAY8JepnY/Y9blNGijYVOqVQZX6dWVY8MVR w2OEymwD5PiN1f4Rp0TGGe0MkLnUWe4AFNdMJ8g6olNf89Qp0ublylbaTSf0IR8c 1G0JnoXK35ZcXOVJuITcwShdJopY0ay6fXnNv+NKZKv6Zow5Jp4FUbVTW2CUziIj lBUIy/VZVaJSj24Lct5EK5xa3yiAd7OTFV+Xr+N+Ja2NGD4saY6Pw/fWBLHbiI1W IM8AM9jYkMPMaIAJjL8jGqhiheaW6EiRxxZ0NqGbwzYowhA2xkPo1cb/HQvb2M4B TLcDhk9fhmtFDY6XF8wGXQArE5QDHJAzSYczrhOJyESCJDvsX9mq/clsQLqOT0c/ e9tj1faiXhIZoVAEpPVMBU/s258WnvP1U1JNIwWYr/PaRET9T698xuPMxiBagf9x zSj2NJFZeLo= =dCdM -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3069 Jenkins Security Advisory 2022-06-22 24 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Jenkins (core) Jenkins Plugins Publisher: Jenkins Operating System: Windows UNIX variants (UNIX, Linux, OSX) Resolution: Patch/Upgrade CVE Names: CVE-2022-34213 CVE-2022-34212 CVE-2022-34211 CVE-2022-34210 CVE-2022-34209 CVE-2022-34208 CVE-2022-34207 CVE-2022-34206 CVE-2022-34205 CVE-2022-34204 CVE-2022-34203 CVE-2022-34202 CVE-2022-34201 CVE-2022-34200 CVE-2022-34199 CVE-2022-34198 CVE-2022-34197 CVE-2022-34196 CVE-2022-34195 CVE-2022-34194 CVE-2022-34193 CVE-2022-34192 CVE-2022-34191 CVE-2022-34190 CVE-2022-34189 CVE-2022-34188 CVE-2022-34187 CVE-2022-34186 CVE-2022-34185 CVE-2022-34184 CVE-2022-34183 CVE-2022-34182 CVE-2022-34181 CVE-2022-34180 CVE-2022-34179 CVE-2022-34178 CVE-2022-34177 CVE-2022-34176 CVE-2022-34175 CVE-2022-34174 CVE-2022-34173 CVE-2022-34172 CVE-2022-34171 CVE-2022-34170 CVE-2017-2601 Original Bulletin: https://www.jenkins.io/security/advisory/2022-06-22/ Comment: CVSS (Max): 8.8 CVE-2022-34178 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSS Source: Jenkins Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- Jenkins Security Advisory 2022-06-22 This advisory announces vulnerabilities in the following Jenkins deliverables: o Jenkins (core) o Agent Server Parameter Plugin o Beaker builder Plugin o Convertigo Mobile Platform Plugin o CRX Content Package Deployer Plugin o Date Parameter Plugin o Dynamic Extended Choice Parameter Plugin o EasyQA Plugin o Embeddable Build Status Plugin o Filesystem List Parameter Plugin o Hidden Parameter Plugin o Image Tag Parameter Plugin o Jianliao Notification Plugin o JUnit Plugin o Maven Metadata Plugin for Jenkins CI server Plugin o Nested View Plugin o NS-ND Integration Performance Publisher Plugin o ontrack Jenkins Plugin o Package Version Plugin o Pipeline: Input Step Plugin o Readonly Parameter Plugin o Repository Connector Plugin o REST List Parameter Plugin o Sauce OnDemand Plugin o Squash TM Publisher (Squash4Jenkins) Plugin o Stash Branch Parameter Plugin o ThreadFix Plugin o vRealize Orchestrator Plugin o xUnit Plugin Descriptions Multiple XSS vulnerabilities SECURITY-2781 / CVE-2022-34170 (SECURITY-2779), CVE-2022-34171 (SECURITY-2761), CVE-2022-34172 (SECURITY-2776), CVE-2022-34173 (SECURITY-2780) Multiple cross-site scripting (XSS) vulnerabilities in Jenkins 2.355 and earlier, LTS 2.332.3 and earlier allow attackers to inject HTML and JavaScript into the Jenkins UI: o SECURITY-2779 (CVE-2022-34170): Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing the fix for SECURITY-1955. o SECURITY-2761 (CVE-2022-34171): Since Jenkins 2.321 and LTS 2.332.1, the HTML output generated for new symbol-based SVG icons includes the title attribute of l:ionicon until Jenkins 2.334 and alt attribute of l:icon since Jenkins 2.335 without further escaping. o SECURITY-2776 (CVE-2022-34172): Since Jenkins 2.340, symbol-based icons unescape previously escaped values of tooltip parameters. o SECURITY-2780 (CVE-2022-34173): Since Jenkins 2.340, the tooltip of the build button in list views supports HTML without escaping the job display name. These vulnerabilities are known to be exploitable by attackers with Job/ Configure permission. Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses these vulnerabilities: o SECURITY-2779: The feature name in help icon tooltips is now escaped. o SECURITY-2761: The title attribute of l:ionicon (Jenkins LTS 2.332.4) and alt attribute of l:icon (Jenkins 2.356 and LTS 2.346.1) are escaped in the generated HTML output. o SECURITY-2776: Symbol-based icons no longer unescape values of tooltip parameters. o SECURITY-2780: The tooltip of the build button in list views is now escaped. No Jenkins LTS release is affected by SECURITY-2776 or SECURITY-2780, as these were not present in Jenkins 2.332.x and fixed in the 2.346.x line before 2.346.1. Observable timing discrepancy allows determining username validity SECURITY-2566 / CVE-2022-34174 In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames. Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4. Unauthorized view fragment access SECURITY-2777 / CVE-2022-34175 Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of several view fragments, enabling plugins to extend existing views with more content. Before SECURITY-534 was fixed in Jenkins 2.186 and LTS 2.176.2, attackers could in some cases directly access a view fragment containing sensitive information, bypassing any permission checks in the corresponding view. In Jenkins 2.335 through 2.355 (both inclusive), the protection added for SECURITY-534 is disabled for some views. As a result, attackers could in very limited cases directly access a view fragment containing sensitive information, bypassing any permission checks in the corresponding view. As of publication, the Jenkins security team is unaware of any vulnerable view fragment across the Jenkins plugin ecosystem. Jenkins 2.356 restores the protection for affected views. Stored XSS vulnerability in JUnit Plugin SECURITY-2760 / CVE-2022-34176 JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission. JUnit Plugin 1119.1121.vc43d0fc45561 applies the configured markup formatter to descriptions of test results. Arbitrary file write vulnerability in Pipeline: Input Step Plugin SECURITY-2705 / CVE-2022-34177 Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier allows Pipeline authors to specify file parameters for Pipeline input steps even though they are unsupported. Although the uploaded file is not copied to the workspace, Jenkins archives the file on the controller as part of build metadata using the parameter name without sanitization as a relative path inside a build-related directory. This allows attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content. Pipeline: Input Step Plugin 449.v77f0e8b_845c4 prohibits use of file parameters for Pipeline input steps. Attempts to use them will fail Pipeline execution. Reflected XSS vulnerability in Embeddable Build Status Plugin SECURITY-2567 / CVE-2022-34178 Embeddable Build Status Plugin 2.0.3 allows specifying a link query parameter that build status badges will link to, without restricting possible values. This results in a reflected cross-site scripting (XSS) vulnerability. Embeddable Build Status Plugin 2.0.4 limits URLs to http and https protocols and correctly escapes the provided value. Path traversal vulnerability in Embeddable Build Status Plugin SECURITY-2792 / CVE-2022-34179 Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a style query parameter that is used to choose a different SVG image style without restricting possible values. This results in a relative path traversal vulnerability, allowing attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system. Embeddable Build Status Plugin 2.0.4 restricts the style query parameter to one of the three legal values. Improper authorization in Embeddable Build Status Plugin bypasses ViewStatus permission requirement SECURITY-2794 / CVE-2022-34180 Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access. This allows attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build. Embeddable Build Status Plugin 2.0.4 requires ViewStatus permission to obtain the build status badge icon. Agent-to-controller security bypass in xUnit Plugin SECURITY-2549 / CVE-2022-34181 xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results. This allows attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test results from existing files in an attacker-specified directory. xUnit Plugin 3.1.0 changes the message type from agent-to-controller to controller-to-agent, preventing execution on the controller. Reflected XSS vulnerability in Nested View Plugin SECURITY-2768 / CVE-2022-34182 Nested View Plugin 1.20 through 1.25 (both inclusive) does not escape search parameters. This results in a reflected cross-site scripting (XSS) vulnerability. Nested View Plugin 1.26 escapes search parameters. Stored XSS vulnerabilities in multiple plugins providing additional parameter types SECURITY-2784 / CVE-2022-34183 (Agent Server Parameter), CVE-2022-34184 (CRX Content Package Deployer), CVE-2022-34185 (Date Parameter), CVE-2022-34186 (Dynamic Extended Choice Parameter), CVE-2022-34187 (Filesystem List Parameter), CVE-2022-34188 (Hidden Parameter), CVE-2022-34189 (Image Tag Parameter), CVE-2022-34190 (Maven Metadata for CI server), CVE-2022-34191 (NS-ND Integration Performance Publisher), CVE-2022-34192 (ontrack Jenkins), CVE-2022-34193 (Package Version), CVE-2022-34194 (Readonly Parameter), CVE-2022-34195 (Repository Connector), CVE-2022-34196 (REST List Parameter), CVE-2022-34197 (Sauce OnDemand), CVE-2022-34198 (Stash Branch Parameter) Multiple plugins do not escape the name and description of the parameter types they provide: o Agent Server Parameter 1.1 and earlier (SECURITY-2731 / CVE-2022-34183) o CRX Content Package Deployer 1.9 and earlier (SECURITY-2727 / CVE-2022-34184) o Date Parameter Plugin 0.0.4 and earlier (SECURITY-2711 / CVE-2022-34185) o Dynamic Extended Choice Parameter 1.0.1 and earlier (SECURITY-2712 / CVE-2022-34186) o Filesystem List Parameter 0.0.7 and earlier (SECURITY-2716 / CVE-2022-34187) o Hidden Parameter Plugin 0.0.4 and earlier (SECURITY-2755 / CVE-2022-34188) o Image Tag Parameter 1.10 and earlier (SECURITY-2721 / CVE-2022-34189) o Maven Metadata for CI server 2.1 and earlier (SECURITY-2714 / CVE-2022-34190) o NS-ND Integration Performance Publisher 4.8.0.77 and earlier (SECURITY-2736 / CVE-2022-34191) o ontrack Jenkins 4.0.0 and earlier (SECURITY-2733 / CVE-2022-34192) o Package Version 1.0.1 and earlier (SECURITY-2735 / CVE-2022-34193) o Readonly Parameter 1.0.0 and earlier (SECURITY-2719 / CVE-2022-34194) o Repository Connector 2.2.0 and earlier (SECURITY-2666 / CVE-2022-34195) o REST List Parameter Plugin 1.5.2 and earlier (SECURITY-2730 / CVE-2022-34196) o Sauce OnDemand 1.204 and earlier (SECURITY-2724 / CVE-2022-34197) o Stash Branch Parameter 0.3.0 and earlier (SECURITY-2725 / CVE-2022-34198) This results in stored cross-site scripting (XSS) vulnerabilites exploitable by attackers with Item/Configure permission. Exploitation of these vulnerabilities requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally, several plugins have previously been updated to list parameters in a way that prevents exploitation by default, see SECURITY-2617 in the 2022-04-12 security advisory for a list. The following plugins have been updated to escape the name and description of the parameter types they provide in the versions specified: o REST List Parameter Plugin 1.6.0 o Hidden Parameter Plugin 0.0.5 As of publication of this advisory, there is no fix available for the following plugins: o Agent Server Parameter 1.1 and earlier (SECURITY-2731 / CVE-2022-34183) o CRX Content Package Deployer 1.9 and earlier (SECURITY-2727 / CVE-2022-34184) o Date Parameter Plugin 0.0.4 and earlier (SECURITY-2711 / CVE-2022-34185) o Dynamic Extended Choice Parameter 1.0.1 and earlier (SECURITY-2712 / CVE-2022-34186) o Filesystem List Parameter 0.0.7 and earlier (SECURITY-2716 / CVE-2022-34187) o Image Tag Parameter 1.10 and earlier (SECURITY-2721 / CVE-2022-34189) o Maven Metadata for CI server 2.1 and earlier (SECURITY-2714 / CVE-2022-34190) o NS-ND Integration Performance Publisher 4.8.0.77 and earlier (SECURITY-2736 / CVE-2022-34191) o ontrack Jenkins 4.0.0 and earlier (SECURITY-2733 / CVE-2022-34192) o Package Version 1.0.1 and earlier (SECURITY-2735 / CVE-2022-34193) o Readonly Parameter 1.0.0 and earlier (SECURITY-2719 / CVE-2022-34194) o Repository Connector 2.2.0 and earlier (SECURITY-2666 / CVE-2022-34195) o Sauce OnDemand 1.204 and earlier (SECURITY-2724 / CVE-2022-34197) o Stash Branch Parameter 0.3.0 and earlier (SECURITY-2725 / CVE-2022-34198) Passwords stored in plain text by Convertigo Mobile Platform Plugin SECURITY-2064 / CVE-2022-34199 Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix. CSRF vulnerability and missing permission checks in Convertigo Mobile Platform Plugin SECURITY-2276 / CVE-2022-34200 (CSRF), CVE-2022-34201 (missing permission check) Convertigo Mobile Platform Plugin 1.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix. User passwords stored in plain text by EasyQA Plugin SECURITY-2066 / CVE-2022-34202 EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file EasyQAPluginProperties.xml on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix. CSRF vulnerability and missing permission checks in EasyQA Plugin SECURITY-2281 / CVE-2022-34203 (CSRF), CVE-2022-34204 (missing permission check) EasyQA Plugin 1.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server. Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix. CSRF vulnerability and missing permission checks in Jianliao Notification Plugin SECURITY-2240 / CVE-2022-34205 (CSRF), CVE-2022-34206 (missing permission check) Jianliao Notification Plugin 1.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to send HTTP POST requests to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix. CSRF vulnerability and missing permission checks in Beaker builder Plugin SECURITY-2248 / CVE-2022-34207 (CSRF), CVE-2022-34208 (missing permission check) Beaker builder Plugin 1.10 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix. CSRF vulnerability and missing permission check in ThreadFix Plugin SECURITY-2249 / CVE-2022-34209 (CSRF), CVE-2022-34210 (missing permission check) ThreadFix Plugin 1.5.4 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix. CSRF vulnerability and missing permission check in vRealize Orchestrator Plugin SECURITY-2279 / CVE-2022-34211 (CSRF), CVE-2022-34212 (missing permission check) vRealize Orchestrator Plugin 3.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix. Passwords stored in plain text by Squash TM Publisher (Squash4Jenkins) Plugin SECURITY-2089 / CVE-2022-34213 Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file org.jenkinsci.squashtm.core.SquashTMPublisher.xml on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix. Severity o SECURITY-2064: Medium o SECURITY-2066: Low o SECURITY-2089: Low o SECURITY-2240: Medium o SECURITY-2248: Medium o SECURITY-2249: Medium o SECURITY-2276: Medium o SECURITY-2279: Medium o SECURITY-2281: Medium o SECURITY-2549: Medium o SECURITY-2566: Medium o SECURITY-2567: High o SECURITY-2705: High o SECURITY-2760: High o SECURITY-2768: High o SECURITY-2777: Medium o SECURITY-2781: High o SECURITY-2784: High o SECURITY-2792: Medium o SECURITY-2794: Medium Affected Versions o Jenkins weekly up to and including 2.355 o Jenkins LTS up to and including 2.332.3 o Agent Server Parameter Plugin up to and including 1.1 o Beaker builder Plugin up to and including 1.10 o Convertigo Mobile Platform Plugin up to and including 1.1 o CRX Content Package Deployer Plugin up to and including 1.9 o Date Parameter Plugin up to and including 0.0.4 o Dynamic Extended Choice Parameter Plugin up to and including 1.0.1 o EasyQA Plugin up to and including 1.0 o Embeddable Build Status Plugin up to and including 2.0.3 o Filesystem List Parameter Plugin up to and including 0.0.7 o Hidden Parameter Plugin up to and including 0.0.4 o Image Tag Parameter Plugin up to and including 1.10 o Jianliao Notification Plugin up to and including 1.1 o JUnit Plugin up to and including 1119.va_a_5e9068da_d7 o Maven Metadata Plugin for Jenkins CI server Plugin up to and including 2.1 o Nested View Plugin up to and including 1.25 o NS-ND Integration Performance Publisher Plugin up to and including 4.8.0.77 o ontrack Jenkins Plugin up to and including 4.0.0 o Package Version Plugin up to and including 1.0.1 o Pipeline: Input Step Plugin up to and including 448.v37cea_9a_10a_70 o Readonly Parameter Plugin up to and including 1.0.0 o Repository Connector Plugin up to and including 2.2.0 o REST List Parameter Plugin up to and including 1.5.2 o Sauce OnDemand Plugin up to and including 1.204 o Squash TM Publisher (Squash4Jenkins) Plugin up to and including 1.0.0 o Stash Branch Parameter Plugin up to and including 0.3.0 o ThreadFix Plugin up to and including 1.5.4 o vRealize Orchestrator Plugin up to and including 3.0 o xUnit Plugin up to and including 3.0.8 Fix o Jenkins weekly should be updated to version 2.356 o Jenkins LTS should be updated to version 2.332.4 or 2.346.1 o Embeddable Build Status Plugin should be updated to version 2.0.4 o Hidden Parameter Plugin should be updated to version 0.0.5 o JUnit Plugin should be updated to version 1119.1121.vc43d0fc45561 o Nested View Plugin should be updated to version 1.26 o Pipeline: Input Step Plugin should be updated to version 449.v77f0e8b_845c4 o REST List Parameter Plugin should be updated to version 1.6.0 o xUnit Plugin should be updated to version 3.1.0 These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated. As of publication of this advisory, no fixes are available for the following plugins: o Agent Server Parameter Plugin o Beaker builder Plugin o Convertigo Mobile Platform Plugin o CRX Content Package Deployer Plugin o Date Parameter Plugin o Dynamic Extended Choice Parameter Plugin o EasyQA Plugin o Filesystem List Parameter Plugin o Image Tag Parameter Plugin o Jianliao Notification Plugin o Maven Metadata Plugin for Jenkins CI server Plugin o NS-ND Integration Performance Publisher Plugin o ontrack Jenkins Plugin o Package Version Plugin o Readonly Parameter Plugin o Repository Connector Plugin o Sauce OnDemand Plugin o Squash TM Publisher (Squash4Jenkins) Plugin o Stash Branch Parameter Plugin o ThreadFix Plugin o vRealize Orchestrator Plugin Credit The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: o Anders Lundman of WithSecure for SECURITY-2566 o Daniel Beck, CloudBees, Inc. for SECURITY-2549 o Justin Philip for SECURITY-2248, SECURITY-2249 o Kevin Guerroudj, CloudBees, Inc., Wadeck Follonier, CloudBees, Inc., and Daniel Beck, CloudBees, Inc. for SECURITY-2784 o Long Nguyen, Viettel Cyber Security for SECURITY-2089 o Long Nguyen, Viettel Cyber Security and, independently, Justin Philip for SECURITY-2066 o Long Nguyen, Viettel Cyber Security and, independently, Quentin Parra for SECURITY-2064 o Marc Heyries for SECURITY-2240 o Quentin Parra for SECURITY-2276 o Valdes Che Zogou, CloudBees, Inc. for SECURITY-2768, SECURITY-2781 o Valdes Che Zogou, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc. for SECURITY-2760 o Wadeck Follonier, CloudBees, Inc. for SECURITY-2279, SECURITY-2281 o Wadeck Follonier, CloudBees, Inc. and Daniel Beck, CloudBees, Inc. for SECURITY-2777 o Yaroslav Afenkin, CloudBees, Inc. for SECURITY-2792 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrTxbskNZI30y1K9AQjxAQ/+Lh39ge8v0rROhKjYAOQ1Ypg8bB/9YeIi R+M3YdbQKNxWTk0EAiyDa9gVuw8/KpVq+Visra0dGISYe6L7jbAfjc0FF+FNCW3O rxwf5S8TVd9zs31Xn+b1o5YHPCye4e+RSLJvU+maUNpGLFkOsGuI4l85jV8jZt6y AIoa/oikj2W8wfVkpfRbH+JlpBLzLEa5gAIZvZY/jmMJLhXxre7LiO+t/ZEFWj/V mXk7hrBKz9WmekAyy2FYAX71M1OAxusqTyltTO5eMf8YRvtHCLBaA4IsMQ8xHpl3 yNxankBCSK2uqY0kBFDzXpX/GJYBvUMoENLXvCsKmWva4L9gx7ccj54mltXnGi0p 3lCH8xFcWdMDVr/fpJ0Y9wyVlmPGVmyOep2r0kwA2wQr2Atnoh1Y8lQH2S04xrGq PSHog00+v29DQunZ9/JFZb7URKtvBH13opRM/OeNv++KjP22QpVOWkuYlimQ1djs qnobAWa2J+q7P188sE+VFrcoLRF5VHcgKPbbOBj8fnVxMP+nuACEzsOM//W07nxZ CEtKPdR1+bclX6ICr+nVPgFH/irm3s+9eeUSHlSiJ8Af1RURu6hcpnnc2La4sbDW n3DNDZ7HABVqlvnizY0SmZkeb9+4V541RKq+TJFtFALFd/vDQV5QV9safzvoPl5G 3DtzFYB5n0E= =MjUb -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3068 K14454359: Intel BIOS vulnerability CVE-2021-0153 23 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: BIG-IP (all modules) Publisher: F5 Networks Operating System: Network Appliance Resolution: Mitigation CVE Names: CVE-2021-0153 Original Bulletin: https://support.f5.com/csp/article/K14454359 Comment: CVSS (Max): 6.7 CVE-2021-0153 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) CVSS Source: F5 Networks Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- K14454359: Intel BIOS vulnerability CVE-2021-0153 Original Publication Date: 22 Jun, 2022 Security Advisory Description Out-of-bounds write in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable aescalation of privilege via local access. (CVE-2021-0153) Impact A local attacker logged in as a privileged user can exploit this vulnerability to gain access to restricted information on an affected system. The following F5 hardware platforms are vulnerable to CVE-2021-0153: o BIG-IP i5000 series o BIG-IP i7000 series o BIG-IP i10000 series o BIG-IP i11000 series o BIG-IP i15000 series o VIPRION B4450N For more information, refer to Hardware Knowledge Centers. All versions of Virtual Edition (VE) for the BIG-IP and BIG-IQ products are potentially impacted if the processors underlying the VE installations are affected. Microcode updates from Intel are available to address this issue but must be applied at the hardware level, which is outside the scope of the ability of F5 to support or patch. Security Advisory Status F5 Product Development has assigned ID 1108313, 1108321, and 1108325 (BIG-IP) to this vulnerability. To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding security advisory versioning. Note: After a fix is introduced for a given minor branch, that fix applies to all subsequent maintenance and point releases for that branch, and no additional fixes for that branch will be listed in the table. For example, when a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to K51812227: Understanding security advisory versioning. Additionally, software versions preceding those listed in the Applies to (see versions) box of this article have reached the End of Technical Support (EoTS) phase of their lifecycle and are no longer evaluated for security issues. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy. +-----------+------+-------------+----------+----------+------+---------------+ | | |Versions |Fixes | |CVSSv3|Vulnerable | |Product |Branch|known to be |introduced|Severity |score^|component or | | | |vulnerable^1 |in | |2 |feature | +-----------+------+-------------+----------+----------+------+---------------+ | | | | | | | | | |17.x |17.0.0 |None | | |Intel BIOS on | | | | | | | |the following | | +------+-------------+----------+ | |platforms: | | | | | | | | | | |16.x |16.1.0 - |None | | | o BIG-IP | | | |16.1.3 | | | | i5000 | | | | | | | | series | | +------+-------------+----------+ | | o BIG-IP | | | | | | | | i7000 | |BIG-IP (all|15.x |15.1.0 - |None | | | series | |modules) | |15.1.6 | |Medium |6.7 | o BIG-IP | | | | | | | | i10000 | | +------+-------------+----------+ | | series | | | | | | | | o BIG-IP | | |14.x |14.1.0 - |None | | | i11000 | | | |14.1.5 | | | | series | | | | | | | | o BIG-IP | | +------+-------------+----------+ | | i15000 | | | | | | | | series | | |13.x |13.1.0 - |None | | | o VIPRIPON | | | |13.1.5 | | | | B4450N | | | | | | | | | +-----------+------+-------------+----------+----------+------+---------------+ |BIG-IP SPK |1.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-----------+------+-------------+----------+----------+------+---------------+ | |8.x |None |Not | | | | |BIG-IQ | | |applicable|Not | | | |Centralized+------+-------------+----------+vulnerable|None |None | |Management |7.x |None |Not | | | | | | | |applicable| | | | +-----------+------+-------------+----------+----------+------+---------------+ |F5OS-A |1.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-----------+------+-------------+----------+----------+------+---------------+ |F5OS-C |1.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-----------+------+-------------+----------+----------+------+---------------+ |Traffix SDC|5.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-----------+------+-------------+----------+----------+------+---------------+ ^1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. ^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by installing a version listed in the Fixes introduced in column. If the Fixes introduced in column does not list a version for your branch, then no update candidate currently exists for that branch and F5 recommends upgrading to a version with the fix (refer to the table). If the Fixes introduced in column lists a version prior to the one you are running, in the same branch, then your version should have the fix. Mitigation As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the BIG-IP system. The only mitigation is to remove access for users who are not completely trusted. Until you can install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to the BIG-IP command line through SSH to only trusted networks or devices, thereby limiting the attack surface. o Block SSH access through self IP addresses o Block SSH access through the management interface Block SSH access through self IP addresses You can block all access to the command line through SSH of your BIG-IP system using self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address on the system. If you must open any ports, you should use the Allow Custom option, taking care to block access to SSH. By default, the SSH service listens on TCP port 22. Note: Performing this action prevents all access to SSH using the self IP address. These changes may also impact other services. Before you make changes to the configuration of your self IP addresses, F5 strongly recommends that you refer to the following articles: o K17333: Overview of port lockdown behavior (12.x - 17.x) o K13092: Overview of securing access to the BIG-IP system If you must expose port 22 on your self IP addresses and want to restrict access to specific IP ranges, you may consider using the packet filtering functionality built into the BIG-IP system. For more information, refer to the following article: o K13383: Configuring CIDR Network Addresses for the BIG-IP packet filter Block SSH access through the management interface To mitigate this vulnerability for affected F5 products, you should restrict management access to F5 products to only trusted users and devices over a secure network. For more information about securing access to BIG-IP systems, refer to the following articles: o K13092: Overview of securing access to the BIG-IP system o K46122561: Restricting access to the BIG-IP management interface using network firewall rules Supplemental Information o Intel SA-00601 Note: The previous link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge. o K41942608: Overview of security advisory articles o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K8986: F5 software lifecycle policy o K9502: BIG-IP hotfix and point release matrix o K13123: Managing BIG-IP product hotfixes (11.x - 17.x) o K167: Downloading software and firmware from F5 o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrPlmckNZI30y1K9AQhPUQ//SA1kuH2cAiWl/6CR38mk+oiOYnYNkW8U dcFioF0sLHUWnylvxI7h7eQ2rcJybTYigvNZxf0W2mWxf5Uh9oNlslfoq2utQmgs VTduAe4n8EntFgNjfAtR/aX4nxYSaG2ZV5joA/7u2Ed+Olli6UkXGMt1Po6jjdg9 3quS7/W3JDR1I07ilSrU81awT9yCxWI5MwwmRc1YwtZFJ6tH/YmhBJjp73ji7JPX oRh8scvGr5hclORkX/LYWj04f8VeePpsMNphbQzrzD7a2vnYHFmAxHWHB45G3BQd B3mdcOyDvIay/N1be+GE7UZbEBeAbnApQ7TMgJthDeSeV2lEb/2DFBmjokSaIFHe KDOkGCW55gTdA2+jqU5tqKp5wA8/0ZxwOisOVrQ734lIPO8C8p/ghqUW8MT7j5Qw t6oaEIyVMT8H8HLldqPgidVelQBkhx4p2d7+XPYMBYcOwxsOuNJsocNurICXPJ5Z I7oTOi5F7ag442tQfRv+TLtjSiRBYZJVkSaMobxeDxR8hGqfCc/Y5BosTXupnN9j kprQfZab8MUjuTwCy5YmcIzde7RePz0HYzr22sKTS9LSPQL+j0QZpdTDu8mvtPdU wLEaF2DLflY7WPRpevvn/00wG7bZxCzzmjnPL86v4IhTiOY1ZdPAHO/d7LSXataL VWG5V31C+F4= =qPcY -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.3067 K04303225: Intel BIOS vulnerability CVE-2021-0190 23 June 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: BIG-IP (all modules) Publisher: F5 Networks Operating System: Network Appliance Resolution: Mitigation CVE Names: CVE-2021-0190 Original Bulletin: https://support.f5.com/csp/article/K04303225 Comment: CVSS (Max): 6.7 CVE-2021-0190 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) CVSS Source: F5 Networks Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- K04303225: Intel BIOS vulnerability CVE-2021-0190 Original Publication Date: 22 Jun, 2022 Security Advisory Description Uncaught exception in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable aescalation of privilege via local access. (CVE-2021-0190) Impact A local attacker logged in as a privileged user can exploit the vulnerability to gain access to restricted information on an affected system. The following F5 hardware platforms are vulnerable to CVE-2021-0190: o BIG-IP i850 o BIG-IP i2000 series o BIG-IP i4000 series o BIG-IP i5000 series o BIG-IP i7000 series o BIG-IP i10000 series o BIG-IP i11000 series o BIG-IP i15000 series o VIPRION B4450N For more information, refer to Hardware Knowledge Centers. All versions of Virtual Edition (VE) for the BIG-IP and BIG-IQ products are potentially impacted if the processors underlying the VE installations are affected. Microcode updates from Intel are available to address this issue but must be applied at the hardware level, which is outside the scope of the ability of F5 to support or patch. Security Advisory Status F5 Product Development has assigned ID 1108313, 1108317, 1108321, and 1108325 (BIG-IP) to this vulnerability. To determine if your product and version have been evaluated for this vulnerability, refer to the Applies to (see versions) box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to K51812227: Understanding security advisory versioning. Note: After a fix is introduced for a given minor branch, that fix applies to all subsequent maintenance and point releases for that branch, and no additional fixes for that branch will be listed in the table. For example, when a fix is introduced in 14.1.2.3, the fix also applies to 14.1.2.4, and all later 14.1.x releases (14.1.3.x., 14.1.4.x). For more information, refer to K51812227: Understanding security advisory versioning. Additionally, software versions preceding those listed in the Applies to (see versions) box of this article have reached the End of Technical Support (EoTS) phase of their lifecycle and are no longer evaluated for security issues. For more information, refer to the Security hotfixes section of K4602: Overview of the F5 security vulnerability response policy. +-----------+------+-------------+----------+----------+------+---------------+ | | |Versions |Fixes | |CVSSv3|Vulnerable | |Product |Branch|known to be |introduced|Severity |score^|component or | | | |vulnerable^1 |in | |2 |feature | +-----------+------+-------------+----------+----------+------+---------------+ | | | | | | |Intel BIOS on | | |17.x |17.0.0 |None | | |the following | | | | | | | |platforms: | | | | | | | | | | +------+-------------+----------+ | | o BIG-IP i850| | | | | | | | o BIG-IP | | | |16.1.0 - | | | | i2000 | | |16.x |16.1.3 |None | | | series | | | | | | | | o BIG-IP | | | | | | | | i4000 | | +------+-------------+----------+ | | series | | | | | | | | o BIG-IP | | | |15.1.0 - | | | | i5000 | |BIG-IP (all|15.x |15.1.6 |None |Medium |6.7 | series | |modules) | | | | | | o BIG-IP | | | | | | | | i7000 | | +------+-------------+----------+ | | series | | | | | | | | o BIG-IP | | | |14.1.0 - | | | | i10000 | | |14.x |14.1.5 |None | | | series | | | | | | | | o BIG-IP | | | | | | | | i11000 | | +------+-------------+----------+ | | series | | | | | | | | o BIG-IP | | | |13.1.0 - | | | | i15000 | | |13.x |13.1.5 |None | | | series | | | | | | | | o VIPRION | | | | | | | | B4450N | +-----------+------+-------------+----------+----------+------+---------------+ |BIG-IP SPK |1.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-----------+------+-------------+----------+----------+------+---------------+ | |8.x |None |Not | | | | |BIG-IQ | | |applicable|Not | | | |Centralized+------+-------------+----------+vulnerable|None |None | |Management |7.x |None |Not | | | | | | | |applicable| | | | +-----------+------+-------------+----------+----------+------+---------------+ |F5OS-A |1.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-----------+------+-------------+----------+----------+------+---------------+ |F5OS-C |1.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-----------+------+-------------+----------+----------+------+---------------+ |Traffix SDC|5.x |None |Not |Not |None |None | | | | |applicable|vulnerable| | | +-----------+------+-------------+----------+----------+------+---------------+ ^1F5 evaluates only software versions that have not yet reached the End of Technical Support (EoTS) phase of their lifecycle. ^2The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge. Recommended Actions If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by installing a version listed in the Fixes introduced in column. If the Fixes introduced in column does not list a version for your branch, then no update candidate currently exists for that branch and F5 recommends upgrading to a version with the fix (refer to the table). If the Fixes introduced in column lists a version prior to the one you are running, in the same branch, then your version should have the fix. Mitigation As this attack is conducted by legitimate, authenticated users, there is no viable mitigation that also allows users access to the BIG-IP system. The only mitigation is to remove access for users who are not completely trusted. Until you can install a fixed version, you can use the following sections as temporary mitigations. These mitigations restrict access to the BIG-IP command line through SSH to only trusted networks or devices, thereby limiting the attack surface. o Block SSH access through self IP addresses o Block SSH access through the management interface Block SSH access through self IP addresses You can block all access to the command line through SSH of your BIG-IP system using self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address on the system. If you must open any ports, you should use the Allow Custom option, taking care to block access to SSH. By default, the SSH service listens on TCP port 22. Note: Performing this action prevents all access to SSH using the self IP address. These changes may also impact other services. Before you make changes to the configuration of your self IP addresses, F5 strongly recommends that you refer to the following articles: o K17333: Overview of port lockdown behavior (12.x - 17.x) o K13092: Overview of securing access to the BIG-IP system If you must expose port 22 on your self IP addresses and want to restrict access to specific IP ranges, you may consider using the packet filtering functionality built into the BIG-IP system. For more information, refer to the following article: o K13383: Configuring CIDR Network Addresses for the BIG-IP packet filter Block SSH access through the management interface To mitigate this vulnerability for affected F5 products, you should restrict management access to F5 products to only trusted users and devices over a secure network. For more information about securing access to BIG-IP systems, refer to the following articles: o K13092: Overview of securing access to the BIG-IP system o K46122561: Restricting access to the BIG-IP management interface using network firewall rules Supplemental Information o Intel SA 00601 Note: This link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge. o K41942608: Overview of security advisory articles o K4602: Overview of the F5 security vulnerability response policy o K4918: Overview of the F5 critical issue hotfix policy o K8986: F5 software lifecycle policy o K9502: BIG-IP hotfix and point release matrix o K13123: Managing BIG-IP product hotfixes (11.x - 17.x) o K167: Downloading software and firmware from F5 o K9970: Subscribing to email notifications regarding F5 products o K9957: Creating a custom RSS feed to view new and updated documents - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBYrPleckNZI30y1K9AQhfxQ//cn4ojluN71eycbYAud6ACHK76VoksfRr cia+Lj/Yzn5PwEAYlgqJOmkYalmgD2Zkd6ia+850592TTmPd1JflyV3yA8PywEVr LWDxUMmyFCIlZ7fnax93tUSkS+q6Ff0Riown4XgcTPsIWh4O4SBCP4njM1XFlsk6 n0789e8L3eaWYb4/kjVKxLgVisQUBzFXHU/icWE7mSsctDOXqzmnVTOwioiKf98a Rl4FMwU7oHBHIj2/pnxdawUZg2xix4ygrKWnxHnkVsK/VqZF5Wzywte947KsNKFQ wLTKvM0wsxiqe0dmYtSiGWW+Qb7E80jVNHuxfnvSW8M9oDPrqeduO5efU86rcNwx RmxOaFaG3Xg5OiuZf3n8Qh2kFLDhQ4JLq3jPTkaXIqMVJrb2DkKB4Lj4VIYMIT0h H43nrS76YRQH9uDTfI1+9ZG/IoAY6VnS6ilQ3kSOOJEwA1OfGPIiK8Eq+rofrWbU ely8DRvX4hoixBlDluaaUtYab1oNxDM2Hj9v7kyyqnqqe54OxzTsqD7n3SBdwVc6 fCqlwVYgNBz/+IO6s6Bum8wXmfsR18/LJE6vYhsgTnig3XkGenyU1V7G8qLFzWlx 8MflmABLiNgZvn2kSjR6UOVqeUxjJbxQ2AvTQQdYqdnxVH1t/FP7juJQuz7Wb3Dw InOv579I6yA= =i6wp -----END PGP SIGNATURE-----